SMS Spoofing Used to Swindle Retailers & Merchants

Written by CTM360 | Published 2018/02/28
Tech Story Tags: security | cybersecurity | spoofing | sms | infosec


Websites that allow an individual to send a text message to any number are being used by fraudsters to send fake transaction messages impersonating a legitimate bank. These websites let the sender name of the SMS be modified, i.e. to spoof any genuine entity, and fraudsters exploit this ability for their own benefit, typically as part of a larger scam chain. Numerous cases involving such SMS spoofing websites have been brought to the authorities, prompting calls for legal proceedings against the service providers. Even so, these kinds of websites have continued to grow exponentially.

The victims of such scams are typically retailers who deal in high-end electronic equipment, jewelry, branded merchandise, etc. A fraudster may initiate the scam by visiting a store and selecting multiple items. The aim is to select items that amount to a large sum, creating a situation in which the fraudster pretends to have insufficient cash in hand to complete the purchase. The fraudster then requests the bank details of the outlet so he can perform a bank transfer immediately. Once the bank details are in his possession, the fraudster accesses an SMS spoofing website and uses it to send a message to the merchant’s mobile number, which he had obtained prior to the attack.

This text message uses the victim’s bank name as the SMS sender and states that the merchant’s account has been credited with the total sum owed for the items bought. The message consists of the outlet’s account number (masked except for the last 4 digits), the amount transferred and the date of the transaction. The structure of the message is intended to dupe the SMS recipient into completing the purchase and handing over the merchandise.

More elaborate schemes have been identified recently in which the SMS contains a landline number that purports to be the bank’s but is, in fact, controlled by the fraudsters. A few moments after the SMS is received, the fraudsters place a fake call to the SMS recipient, pretending to verify the transaction and suggesting that the purpose of the call is to check for any fraudulent activity. These messages may also contain URL links, which could be malicious. Further investigation has revealed that the recipient’s mobile number and the bank details collected from the victim are used in other scams as well. A more prevalent scam involves a call placed from a fake landline, pretending to be from the bank and asking to verify the victim’s information so that his/her records are up to date.

One of the main issues with these scams is detection. A retailer can detect the fraud only by checking their account’s financial records and noticing discrepancies. Following are some samples of SMS messaging websites:

Recommended Best Practices

  • Remain situationally aware of such instances and be wary of scammers.
  • Insist upon conventional methods of payment, i.e. cash, debit or credit for such transactions.
  • If the SMS contains a link, avoid clicking it as it could be malicious.
  • Verify calls received from the bank with the contact numbers on official bank listings.
  • Establish open communication between telecom companies and banks regarding banned sender names.
  • Raise public awareness regarding SMS spoofing.
  • Banks should raise awareness of this scam among merchants and retailers (i.e. via short notice on the bank’s website or through a circular).
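
The detection point made earlier (a spoofed credit SMS can only be caught against the account's own financial records) can be turned into a check performed before goods are released. This is an added example, not code from the original article; the notice layout, the `MYBANK` sender, the ledger records (assumed to come from the bank's own statement or online banking export) and all function names are assumptions constructed for illustration.

```python
import re
from datetime import date
from decimal import Decimal

# Assumed notice layout (constructed): masked account, currency, amount, ISO date.
CLAIM = re.compile(
    r"A/C\s+[Xx*]+(?P<last4>\d{4})\s+credited\s+with\s+(?P<ccy>[A-Z]{3})\s+"
    r"(?P<amount>[\d,]+\.\d{2})\s+on\s+(?P<date>\d{4}-\d{2}-\d{2})")
# Links or call-back numbers outside the claim itself; the article flags both.
CALLBACK = re.compile(r"https?://\S+|www\.\S+|\+?\d[\d\s-]{6,}\d")

def parse_claim(text):
    """Extract what the SMS claims; None if it is not a credit notice."""
    m = CLAIM.search(text)
    if not m:
        return None
    rest = text[:m.start()] + text[m.end():]
    return {"last4": m["last4"], "currency": m["ccy"],
            "amount": Decimal(m["amount"].replace(",", "")),
            "date": date.fromisoformat(m["date"]),
            "has_callback": bool(CALLBACK.search(rest))}

def confirm_payment(sms_text, account_number, ledger):
    """Decide from the bank's own records; the SMS is only a claim to check."""
    claim = parse_claim(sms_text)
    if claim is None:
        return "HOLD: not a recognisable credit notice"
    if not account_number.endswith(claim["last4"]):
        return "HOLD: account mismatch"
    for entry in ledger:
        if (entry["type"] == "credit" and entry["currency"] == claim["currency"]
                and entry["amount"] == claim["amount"]
                and entry["date"] == claim["date"]):
            return "RELEASE: credit found in bank ledger"
    if claim["has_callback"]:
        return "HOLD: no ledger credit; SMS carries a link or phone number"
    return "HOLD: no ledger credit"

# Constructed sample data; sender name, account and amounts are made up.
LEDGER = [{"type": "credit", "currency": "USD",
           "amount": Decimal("120.00"), "date": date(2018, 2, 27)}]
SPOOFED = ("MYBANK: A/C XXXX4321 credited with USD 12,500.00 on 2018-02-27. "
           "Queries: call 1700 5550 100")
GENUINE = "MYBANK: A/C XXXX4321 credited with USD 120.00 on 2018-02-27"

if __name__ == "__main__":
    for sms in (SPOOFED, GENUINE):
        print(confirm_payment(sms, "0012344321", LEDGER))
```

The sender name never enters the decision: a message is treated as paid only when an identical credit appears in records fetched from the bank directly.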

Published by HackerNoon on 2018/02/28