Barcelona: SMS fraud, or "smishing", is on the rise in many countries, fuelled by the increasing use of smartphones.
This is a challenge for telecom operators who are meeting at the Mobile World Congress (MWC), the sector's biggest annual gathering, in Barcelona this week.
What is smishing?
Smishing is a cybersecurity attack carried out over mobile text messaging, also known as SMS phishing which target both individuals and corporations.
The name is a play on the term "phishing", the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers
"In a smishing attack, cybercriminals send deceptive text messages to lure victims into sharing personal or financial information, clicking on malicious links, or downloading harmful software or applications," Stuart Jones of US cybersecurity firm Proofpoint told AFP.
What is the scale of the phenomenon?
It has grown rapidly in recent years, particularly during the Covid-19 pandemic due to the explosion in the use of smartphones for administrative procedures and internet purchases.
According to a study carried out in ten countries by the Mobile Ecosystem Forum (MEF), a telecoms industry trade association, 39 percent of consumers were confronted with at least one SMS scam attempt last year.
"It is a very serious issue globally," said Janet Lin, head of development at Taiwanese cybersecurity firm PINTrust, during a panel discussion on the subject at MWC on Monday on the first day of the congress.
An average of between 300,000 to 400,000 SMS attacks take place every day, according to cybersecurity firm Proofpoint, and that figure is expected to rise.
In the United States alone, "smishing" cost consumers $330 million in 2022, more than double the losses reported in the previous year and nearly five times the amount lost in 2019, according to the Federal Trade Commission (FTC).
Why is it so worrying?
Smishing is considered more dangerous than e-mail scams because it is more difficult to identify the perpetrators, and because victims tend to think that their number can only be used by known people or organisations.
"Many people still have a high level of trust in the security of mobile communications," said Jones.
"Click rates on URLs sent in mobile messaging are as much as eight times higher than those for e-mail," he added.
The authorities also point to the growing sophistication of SMS attacks, with fraudsters using companies that specialise in the sale of personal data, or devices reserved for the army or police.
Smishing rings have been known to use so-called IMSI catchers, also known as "stingrays", which mimic cell phone towers to intercept communications from smartphones over a radius of 500 metres.
How can it be fought?
Many countries have set up reporting platforms to which people can forward suspicious SMS messages, leaving it up to the authorities to block the numbers.
Image-conscious telephone operators have also set up teams capable of filtering out some of the fraudulent SMS messages, aided by the reporting tools of operating systems such as Android and iOS, and messaging systems such as WhatsApp.
However, this task often turns into a cat-and-mouse game, with fraudsters constantly changing their number. Fraudsters also take advantage of differences in laws in across the globe to get away with their attacks.
"While regulators in Europe, the United States, and China have been tightening the rules, other regions, such as Africa and Latin America, find themselves with limited regulatory frameworks," the ITW Global Leaders' Forum, a network of telecoms executives, wrote in a report.
One of the keys to fighting smishing is prevention, experts say.
"Consumers need to be very sceptical of mobile messages that come from unknown sources. And it's important to never click on links in text messages, no matter how realistic they look," said Jones.