“Your account has been suspended. Log in here to reactivate.” “We couldn’t deliver your parcel, click here to redeliver.” “Congratulations! You won the new iPhone 15. Follow the link to claim!"
 I would never fall for these tricks... Except I did.

Here I am, freezing my bank card in panic and Googling whether a hacker can gain access to my phone through a phone call, as they have just called me pretending to be my bank to check why their payment didn’t go through. 

I am a cyber analyst. My full-time job is to scour the web, both open and dark, for stolen credentials. Occasionally, I write a small article or two about the variety of tools bad actors use to access our personal data, ranging from ransomware attacks on large corporations that yield payments of up to $40 million to smaller, yet no less damaging, scams, including smishing, also known as SMS phishing, that target randomly selected victims. I have more than a surface-level knowledge on specific bad actor groups, individual cybercriminals and what hacking tools they favour when they conduct they daily activities. Five years in cybersecurity made me more aware (if not slightly paranoid) of what an individual armed with a computer and bad intent is capable of.

How the scam worked

Yet, as it happens, a small slip of vigilance and an unfortunate alignment of events is all that is needed for even the most attentive and anxious of us to fall victim to a common scam. I was expecting some parcels to be delivered by a widely used major parcel delivery and courier service. One of them included a relatively expensive large item that I did not want to miss or get lost. Therefore, when a text message claiming to be from said company arrived stating that I need to re-book my missed delivery, I did not for a second think that it might be anything but a helpful message designed to make my life easier. Without a single doubt, I clicked the link included in the SMS and filled out an official-looking form that requested all my information, including full name, address, phone number and card details.

Like anyone, I have missed deliveries before and had to arrange redeliveries or pickups from local collection points. Never before have I been asked for so many personal details in order to do so and it did strike me as odd; however, I was keen to receive the item I ordered and the request for a small payment of £0.79 for redelivery seemed more than reasonable (especially considering we are in a cost of living crisis with prices are going up daily). £0.79 is not a lot of money, I can afford that. I am just going to be ever so slightly annoyed at the company for adding yet another charge to their services. Click and send. Your parcel will be with you in the next 2-3 days.

Simple tricks to steal your data

I wish there was an intricate story of my realization that would fully rehabilitate my actions, however the understanding that something was wrong with the form I filled out came hours later and was not inspired by any professional insights. The first course of action was to panic. The second was to double check that the message was indeed a scam. As the delivery company used tends to update its customers via email, I checked whether there had been any communication regarding missed deliveries. As there was nothing, I then also checked the tracking number provided by the seller of the item I was expecting. This stated that it was not even out for delivery yet. Finally, I checked whether the carrier started charging for redeliveries, in case I had missed an update. This led me to the company’s official webpage flagging this type of messages as a scam and outlining how to recognize, as well as report, malicious messages or calls.

Once confirmed that I had indeed fallen victim to a smishing scam, reporting my card as compromised to my bank and ordering a new one was a priority. Luckily, most banks make this easy by adding an option in their official apps. A user is able to temporarily freeze their card, report it as stolen or compromised, as well as order a new one within minutes. Another feature I have discovered only after receiving a phone call from my attackers was that, in case of a phone call from an individual claiming to be representing the bank, some banks give you an option to ask them to use an app ID that sends a secure notification to your banking app. This notification will let you see the name of the person you are speaking to (as well as letting them confirm they are speaking to the account holder). It is useful to familiarize yourself with what options your bank provides in order to keep you safe, as this will give you the upper hand in case scammers attempt to contact you via a phone call.

Luckily for me, my error of judgement only caused me some minor inconvenience and anxiety. In the worst-case scenarios bad actors can use stolen data to purchase goods or gift cards from online retailers, set up payments, or make money by selling the details on the Dark Web marketplaces or dedicated forums. Acting fast and knowing the right steps to follow was imperative to rectifying my mistake without too much damage. 

Lessons learned

In case you fall victim to a smishing scam, here are the lessons I learned:

• Be quick. The sooner you start taking action, the less time bad actors have to use your data.
• Alert your bank. Freeze your current account and order a new card.
• Although not vital, move your funds to another bank account if you have one (but never move them to an account that is not your own because a 'bank representative' tells you to, this is another common scam)
• Change your passwords if you have provided any login credentials.
• Alert the impersonated company of the scam so they can take necessary action.

The best tip, however, is to always be vigilant when it comes to any type of communications, even if they appear legitimate! Hackers are getting ever better at impersonating well-known and widely used companies. The signs to look out for are:

• The sender’s phone number. Nowadays, most companies include their company name as a contact name automatically when sending messages. Additionally, it is always worth looking up the phone number that a suspicious message came from as it might have been reported as scam by other potential victims.
• The sender’s email address (in case of an email phishing attempt). Malicious email addresses tend to include misspelled or stylized versions of the company they impersonate. Oftentimes, email addresses are entirely unrelated to the impersonated company.
• Poor language and grammatical errors. Most companies spellcheck their messages before sending them.
• Links within messages. If it is a legitimate communication, you will be able to access suggested services via an official app or website. It is always safer not to click the link.

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.