Several users have reported receiving text messages (SMS) that appear to come from Banco Santander and BBVA and that are part of a fraud known as ‘smishing’, with which cybercriminals seek to access their victims’ confidential information.
According to some users on Twitter, they are receiving SMS messages in which the banks supposedly report that they have detected unauthorized access to the current account, and that to resolve it the recipient must click on a link.
Other customers of these banks have received an SMS alerting them that their bank account had to be closed due to an update.
To unblock it, they must follow a seemingly secure link that actually belongs to a Russian website.
However, some users spotted the fraud because they received messages from banks of which they are not customers and with which they hold no account.
A distinguishing feature of this campaign is that the fraudulent SMS messages appear in the same message thread that the legitimate entities use to communicate with their customers, for example to authorize purchases, thanks to malicious techniques that mask the real number.
Be very careful with the phishing that is circulating from BBVA
😱 the sms arrives in the same thread as your bbva messages
— MJ Cachón (@mjcachon) January 11, 2022
Following these complaints, BBVA has reminded customers that it will not send SMS with links or request passwords or personal data in this way. It has also recommended that customers delete these messages if they receive them.
For its part, Banco Santander has indicated that, in such situations, it is best to protect the sensitive data requested through these SMS and, in case of doubt, to contact the sending company or administration through its official channels and addresses.
In addition, it has indicated that it is not advisable to click on links to web pages sent through instant messaging or SMS. Instead, when in doubt, the page in question should be accessed directly through the browser or a search engine.
What is ‘smishing’?
Although, until recently, the most widely used method of stealing personal data was ‘phishing’ through emails, ‘smishing’ has become one of the most common today. Its name derives from the medium through which the attack is carried out: SMS.
This fraud, which is also called ‘SMS spoofing’ (identity theft by SMS), is carried out by sending a message telling the recipient that they have won a prize or that there is a problem with their bank details.
Unlike ‘phishing’, where many of the fraudulent emails are filtered into the spam folder, ‘smishing’ attacks are characterized by a more sophisticated technique.
Instead of being blocked, these SMS messages are added to the same thread as the legitimate messages from the user’s bank. Thus, if the user has received earlier notifications (for example, an authorization link during an online purchase), the fraudulent message is shown below them.
The message tells the user to call a certain telephone number to carry out a specific procedure, or to click on a link outside the bank. If the user complies, cybercriminals will be able to obtain personal data such as the account number or ID.
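Because the spoofed message shares a thread with genuine ones, the displayed sender cannot be used as a trust signal; the check has to look at the content. The following is an added example, not code from the article or from either bank, that applies BBVA's stated rule (no links, no requests for passwords or personal data) to a thread. The sender IDs, keyword list and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: sender IDs under which this device groups bank traffic.
BANK_SENDER_IDS = {"BBVA", "SANTANDER"}
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+(?:\.[\w-]+)+/\S*", re.I)
# Constructed keyword list for "passwords or personal data" requests.
SECRET_RE = re.compile(r"\b(password|pin|id number|card number|account number)\b", re.I)

def link_hosts(body):
    """Return the hostname of every link-like token in the SMS body."""
    hosts = []
    for match in URL_RE.finditer(body):
        raw = match.group(0).rstrip(".,;:)!?")
        if "://" not in raw:
            raw = "http://" + raw  # bare "host/path" links need a scheme to parse
        try:
            host = urlsplit(raw).hostname
        except ValueError:  # malformed token, e.g. unbalanced brackets
            host = None
        if host:
            hosts.append(host.lower())
    return hosts

def assess(sender_id, body):
    """Reasons to distrust a message displayed under a bank sender ID."""
    if sender_id.upper() not in BANK_SENDER_IDS:
        return []  # not in a bank thread; out of scope for this check
    reasons = []
    hosts = link_hosts(body)
    if hosts:
        reasons.append("contains link: " + ", ".join(hosts))
    if SECRET_RE.search(body):
        reasons.append("asks for password or personal data")
    return reasons

def triage(thread):
    """Map message index -> reasons, for flagged messages only."""
    results = ((i, assess(s, b)) for i, (s, b) in enumerate(thread))
    return {i: reasons for i, reasons in results if reasons}

# Constructed thread: every bank message shows the same sender ID.
THREAD = [
    ("BBVA", "BBVA: code 482913 to authorize your purchase of 25.00 EUR."),
    ("BBVA", "Unauthorized access detected. Verify at https://bbva-secure.example/login"),
    ("BBVA", "Account closed due to an update. Reply with your password and ID number."),
    ("Ana", "Lunch? Menu at www.menu.example/today"),
]

if __name__ == "__main__":
    for index, reasons in triage(THREAD).items():
        print(index, THREAD[index][0], reasons)
```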
It is worth mentioning that the Bank of Spain has recently warned about this fraud and that it is carried out through different web pages and mobile applications. In addition, it has warned of the possibility of it being carried out through calls.
This phone spoofing (or ‘caller ID spoofing’) consists of the caller ID showing a phone number different from that of the line from which the call is actually being made.
Using this method, cybercriminals pose as employees of banks or their branches in order to get the victim to reveal confidential information.
Once it has been obtained, the supposed employee warns that there has been a problem that the user must solve by clicking on a link that they will receive by SMS, or else the supposed bank sends a code that the customer must reveal to complete the process.