TOKYO -- A form of fraud known as SMS (short message service) phishing, or "smishing," in which the perpetrators pretend to be cell phone companies or other businesses to steal people's personal information, is growing increasingly sophisticated, with some fraudsters posting their phony texts on what look like the message threads from legitimate businesses.
Information security companies and related organizations are calling on the public to practice caution.
In one case reported to a consumer center, a woman in her 40s living in southwestern Japan's Kyushu region received an SMS text in June this year that read, "There is a possibility that your account has experienced an unauthorized login. Please verify through the following link." Because the message appeared in the same thread as the one used by her cell service provider to notify her of her monthly bill, she unquestioningly opened the link and entered personal information such as her ID and password into the site. Later, her information was used to settle a payment of about 50,000 yen with a major online retailer.
"Smishing" is a portmanteau of "SMS" and "phishing," or stealing passwords and credit card numbers by sending emails purporting to come from businesses such as telecom companies and financial institutions. According to Tokyo-based IT security giant Trend Micro Inc., smishing incidents were first confirmed domestically sometime around 2017 and have been growing increasingly sophisticated ever since.
One method identified recently involves a fraudulent text showing up in the message thread of a legitimate business operator, which makes differentiating between bogus and legitimate messages difficult. SMS can be sent from an international or a domestic sender, and this latest modus operandi is believed to use the former.
With international SMS, the sender's ID can be set as a sequence of letters and numbers instead of their cell phone number. Many legitimate businesses make their business name into their ID. However, when unrelated third parties send messages using a real business ID, the message appears in the same thread as that of the legitimate business. Domestic businesses are able to use international SMS, a fact that fraudsters have taken advantage of for their texting scams.
When the National Consumer Affairs Center of Japan (NCAC) compiled the complaints received by consumer centers nationwide, it found that last syear, there were only around 50 cases in which people were defrauded via SMS messages sent by people masquerading as cell phone companies and forced to pay for goods they did not purchase. As of the end of October this year, however, the number of such cases had already reached some 350.
Smishing messages also take the form of texts from credit card companies, package delivery services, and banks. Some scammers go as far as to set up websites that mimic those of the firms they are impersonating, to further lull victims into a sense of security when they tap the links included in the smishing texts.
The NCAC says, "When there is a link attached to an SMS message, do not click on it right away. Instead, confirm first if the content of the message is correct by accessing the website of the legitimate business."
Meanwhile, Trend Micro cautions, "We'd like people to do an online search for the contents of SMS messages they receive, to see if there are any reports of damages stemming from those texts. We also recommend using security apps that alert you when you are being directed to a fraudulent website."
(Japanese original by Shohei Oshima, City News Department)