Cybercriminals use mobile phone calls, SMS, and emails to commit fraud. Here is how to recognize them. Fraudulent calls, fake SMS, deceptive emails… Smartphones have become the gateway for many cybercriminals who seek to obtain our data to line their pockets. We tell you how to recognize these scams to avoid falling into the trap.
When Ana’s mother looked at her mobile phone screen, she read a short, direct text message. The SMS, seemingly from her bank, read: “From today, you will not be able to use your bank card due to security policy changes. Access the following link to proceed with the activation.” After pressing it, she was redirected to a fake website that pretended to be the financial institution’s page. Confident, she entered all of her credentials.
It was a fraud. And the cybercriminal, with those stolen keys, had time to empty the account into which the victim had deposited the savings with which she planned to pay for her daughter’s university. To avoid being traced, the scammer diverted the money to cryptocurrency wallets controlled by the criminal organization.
This true story is one of the hundreds of cases dealt with yearly at the National Institute of Cybersecurity (Incibe). Scams arrive more and more frequently on mobile phones via SMS, email, or instant messaging applications such as WhatsApp. In 2022 alone, Incibe managed almost 120,000 incidents related to these frauds, 9% more than the previous year.
The National Intelligence Center (CNI) recognizes that mobile devices and applications are attractive tools for spreading these increasingly complex and sophisticated attacks, which affect all operating systems. Nobody is safe from falling into the trap, because cyberattacks can affect official institutions, large corporations, SMEs, and any Internet user.
How do they manage to trick us on the phone?
Generally, cybercriminals want to reach the largest number of victims with the least possible investment. To do this, they resort to social engineering methods. This concept rests on a simple reality: it is easier to manipulate people than machines.
To carry out these attacks, they use psychological manipulation techniques to get users to reveal confidential information or carry out any action that may benefit the attacker. “They pose as someone friendly, trustworthy or with authority and trick people into trusting them,” laments the spokesman for the Pantallas Amigas association.
And phones are the most effective means of reaching victims. “On mobile phones we check email, surf the Internet, check social networks, communicate daily… Criminals know this and adapt to this new reality,” explains the chief inspector of the Central Cybercrime Unit of the National Police, Diego Alejandro.
Attackers use various methods to gain access to smartphones. “They buy databases that contain users’ personal information, such as their mobile numbers, emails, postal addresses… In addition, when a web service suffers a security breach, their clients’ data is exposed and cybercriminals can access it,” warns Domínguez.
To commit crimes, fraudsters have developed a long list of techniques that reach potential victims through their mobile devices.
‘Phishing’: emails that deceive
Phishing is one of the best-known techniques. To carry out the attack, criminals impersonate a legitimate entity through an email (they pretend to be a bank, a company, a technical service, or a public body…) and cast a hook to achieve their goal.
The trap takes the form of an urgent or attractive message. The objective is that, when reading it, the victim does not have time to apply common sense and clicks on the link.
‘Smishing’: SMS fraud
A variant of the previous scam, and very common in recent times, is smishing. In this case, the criminal executes the fraud by sending an SMS. To do this, the sender usually pretends to be a financial institution or public body and sends messages in an alert tone: “We have identified suspicious movements in your account, go here to check if you have done it,” “A charge has been made in your account, check it in this link”…
“Banks have launched campaigns to notify their customers of these threats. They remind them that the bank is never going to ask for passwords or personal data through an SMS, that it never sends links or requests information with phone calls,” says Ruth García, a Cybersecurity technician at Incibe.
‘Vishing’: calls that are not
On other occasions, the criminal uses a phone call to impersonate a service provider (the electricity, gas, or telecommunications company, for example), a public body (such as the Social Security or the Tax Agency), or a financial entity, in order to extract private and sensitive information from the victim.
The modus operandi usually follows the same pattern. For example, the cybercriminal poses as a civil service worker to obtain personal or bank details. “They can even manipulate the CLI [calling line identification], which is the phone number that appears on our screen, through various specialized software. Thus, they make us believe that they really call us from our bank,” warns Diego Alejandro.
‘Shoulder surfing’: on the street
Oddly enough, they can even steal our credentials and passwords, contacts, unlock codes (such as the PIN), and bank details in everyday situations, such as traveling on public transport, using an ATM, or having a phone conversation on the street. That is what the technique of shoulder surfing consists of: looking over the shoulder of someone who is checking their cell phone to get information.
‘Quid pro quo’: raffles and discounts
In this case, a benefit (usually in the form of a gift, money, or free access to discount platforms) is promised in exchange for personal information. “They are the typical free raffles that come to us on the phone to win very tempting prizes or to access discount coupons. People believe that they participate in this type of raffle and fill out a survey. That private information that you have provided is used to later commit fraud,” confirms Ruth García.
‘Pharming’ and ‘Baiting’: one more step
Other traps are somewhat more sophisticated. One example is pharming, in which attackers use malware to redirect users to fraudulent websites.
Another is baiting: by using bait, attackers get the victim to infect their computer with malware or to share personal information unknowingly. The most widely used means are infected USB devices that criminals leave abandoned in strategic places with a large influx of people, such as parking lots, hospitals, and shopping centers.