It took just a momentary lapse in judgment for many Malaysians to fall for a scam.
The text message received may look legitimate — even expected. Often, after some form of personal information which had already been stolen over time, a person signs up for text alerts from a bank or shopping networks to confirm each time she made a new purchase. And that step to protect one’s self, ironically, is what may turn the person to an easy target.
A robotic voice may soon welcome a victim to establish presence with the scammer’s domain and they will aske the victim to verify details, and credit card numbers, and personal details are then made available; ending the session with a ‘This information is valid. Thank you,” message.
Smishing is a phishing cybersecurity attack carried out over mobile text messaging, also known as SMS phishing.
As a variant of phishing, victims are deceived into giving sensitive information to a disguised attacker. SMS phishing can be assisted by malware or fraud websites. It occurs on many mobile text messaging platforms, including non-SMS channels like data-based mobile messaging apps.
Recently, the Royal Malaysian Police (PDRM) revealed that fraudulent activities using short message service (SMS) have started to be active again.
Based on the cases reported since January 1, there are 18 recorded cases involving a loss of RM229,868.
Here, the community needs to be aware and sensitive to any form of fraudulent tactics that try to trap victims.
If it is usual, fraud syndicates ensnare victims through phone calls or Macau Scam posing as police officers, banks or other enforcement officers, supposedly the victim has committed a crime and is asked to hand over banking details.
However, slightly different from this SMS scam, the victim reportedly received SMS from famous telecommunication companies such as Maxis, Celcom and Digi.
According to the Bukit Aman Commercial Crime Investigation Department (JSJK) Director Datuk Seri Seri Ramli Mohamed Yoosuf, the content of the SMS stated that the victim had reward points that were about to expire and was urged to immediately redeem the reward points through the attached link.
Victims who clicked on the link will be asked to enter their online banking information including the received OTP number.
The victim will then find the money from their bank account stolen.
Financial crimes involving online fraud handled by JSJK outlines seven main forms of crime, namely online purchases, non-existent loans, online investments, Macau Scam, African Scam, email interception and SMS fraud.
Awareness related to the crime of fraud should be started from an early stage, including at the primary school level, to build a strong fortress of awareness related to it.
The community also needs to check with any complaint platform that exists for the community to ask, refer or similar related to scam issues.
For info, if you are a victim of online fraud, immediately contact the National Scam Response Center (NSRC) hotline at 997 for further assistance. This hotline operates from 8 am to 8 pm daily.
Preventing Smishing
The good news is that the potential ramifications of these attacks are easy to protect against. You can keep yourself safe by doing nothing at all. In essence, the attacks can only do damage if you take the bait.
That said, be mindful that text messaging is a legitimate means for many retailers and institutions to reach you. Not all messages should be ignored, but you should act safely regardless.
There are a few things to keep in mind that will help you protect yourself against these attacks.
Do not respond. Even prompts to reply like texting “STOP” to unsubscribe can be a trick to identify active phone numbers. Attackers depend on your curiosity or anxiety over the situation at hand, but you can refuse to engage.
Slow down if a message is urgent. You should approach urgent account updates and limited time offers as caution signs of possible smishing. Remain skeptical and proceed carefully.
Call your bank or merchant directly if doubtful. Legitimate institutions don’t request account updates or login info via text. Furthermore, any urgent notices can be verified directly on your online accounts or via an official phone helpline.
Avoid using any links or contact info in the message. Avoid using links or contact info in messages that make you uncomfortable. Go directly to official contact channels when you can.
Check the phone number. Odd-looking phone numbers, such as 4-digit ones, can be evidence of email-to-text services. This is one of many tactics a scammer can use to mask their true phone number.
Opt to never keep credit card numbers on your phone. The best way to keep financial information from being stolen from a digital wallet is to never put it there.
Use multi-factor authentication (MFA). An exposed password may still be useless to a smishing attacker if the account being breached requires a second “key” for verification. MFA’s most common variant is two-factor authentication (2FA), which often uses a text message verification code. Stronger variants include using a dedicated app for verification (like Google Authenticator) are available.
Never provide a password or account recovery code via text. Both passwords and text message two-factor authentication (2FA) recovery codes can compromise your account in the wrong hands. Never give this information to anyone, and only use it on official sites.
Download an anti-malware app. Products like Kaspersky Internet Security for Android can protect against malicious apps, as well as SMS phishing links themselves.
Report all SMS phishing attempts to designated authorities.
