Security researchers at Lookout recently published a report that details an extensive SMS phishing campaign. The SMS phishing campaign specifically targets users of mobile banking sites belonging to major banks including CIBC, RBC, UNI, HSBC, Tangerine, Chase, Royal Bank of Canada, and TD Bank. All banks, as is evidenced by the list, are headquartered in the United States or Canada. Lead researchers Apurva Kumar and Kristin Del Rosso state in their report that roughly 4,000 users have been hoodwinked by the phishing scam so far.

The researchers elaborated on the SMS phishing campaign in the following excerpt from the report:

Our research indicates that this phishing campaign solely targets mobile users. The web pages are built to look legitimate on mobile, with login pages mirroring mobile banking application layouts and sizing, as well as including links like, “Mobile Banking Security and Privacy” or “Activate Mobile Banking ... Many of the pages in this campaign appear legitimate through actions like taking the victim through a series of security questions, asking them to confirm their identity with a card’s expiration date or double-checking the account number.

According to the Lookout report, the SMS phishing campaign is now “offline,” as the researchers notified all of the affected banks. This does not mean the attackers will not start back up again; they are likely just looking for a new angle of attack. Much as when malware is initially uncovered and blocked by security software, there is often a resurgence once attackers find new areas to exploit. It is entirely possible that the threat actors behind this SMS phishing campaign are done going after mobile banking users, but it would be unwise for those users to assume they are in the clear just yet.

Researchers Kumar and Del Rosso echo this sentiment in their Lookout report, offering sound advice on how to counter SMS phishing attempts:

The features, functionality, and even the screen size of today’s mobile devices make it harder for a person to determine what is real versus what is fake. If you receive a text message from your bank, do not click on it. Instead, go directly to the bank’s website or the app.

Sound advice.

Featured image: Shutterstock

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
