A 52-year-old Gurugram-based businessman was robbed of 60000 rupees in an SMShing attack. According to Mr. Harish Chander, he received a message from Income Tax. Once Mr. Chander clicked on the link, an application was automatically downloaded onto his smartphone. Soon, 60000 rupees were debited from his account in two transactions. The OTPs for those two transactions were sent automatically to a number based in Pune. The police have registered an FIR against this fraud under Section 420 of the Indian Penal Code.
This case is a classic example of SMShing. SMShing, or SMS phishing, is an attack vector in which attackers attempt fraud via SMS. Malicious links that look similar to genuine ones are sent in order to steal the victim's sensitive information. Sometimes, the victim is lured into calling back.
An SMShing attempt is easy to identify if you read the message carefully before replying to it. Ignore any message that asks for sensitive and confidential information such as bank account numbers, debit and credit card numbers, or a one-time password (OTP). Make sure that the message is relevant to you. Say you receive a message asking you to download your ITR. The first question that should come to mind is whether you pay income tax at all. If you do not, ignore the message and, if possible, report it to the concerned authority.
The next step in verifying a message's authenticity is to look at the link carefully. If the URL seems suspicious, do not click on it. For example, a link that claims to lead to a government organization but uses http instead of https is a red flag.
Sometimes, a message will ask you to download an application using the link in the message. Most genuine applications are already available on Google Play and the App Store on iOS. Make sure to download applications from these platforms only. You can manually turn off the setting that allows downloads from untrusted sources. Installing an anti-virus helps protect your mobile against malicious applications.
Many cyber security companies such as Kratikal offer mobile application security testing, which covers authorization, authentication, data security, session management, etc. However, the age-old idiom still holds: prevention is better than cure.
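
The red flags described above (a request for confidential data, a link that is not https, an app install offered outside the official stores) can be written down as a simple triage check. This is an added example, not part of the original article; the keyword lists, the store hostnames and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the only hosts treated as official app stores.
OFFICIAL_STORES = {"play.google.com", "apps.apple.com"}
# A request verb followed, within the same sentence, by a sensitive data item.
ASKS_SENSITIVE = re.compile(
    r"\b(share|send|reply|enter|provide|confirm)\b[^.]{0,60}"
    r"\b(otp|one[- ]time password|cvv|card number|account number)\b", re.I)
MENTIONS_APP = re.compile(r"\b(install|app|application)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def sms_red_flags(text):
    """Return the sorted list of red flags found in one SMS body."""
    flags = set()
    if ASKS_SENSITIVE.search(text):
        flags.add("asks-for-sensitive-data")
    for raw in URL_RE.findall(text):
        url = urlparse(raw.rstrip(".,;:!?)"))
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            flags.add("link-not-https")
        if url.path.lower().endswith(".apk"):
            # The link hands over an Android package directly.
            flags.add("direct-app-download")
        elif MENTIONS_APP.search(text) and host not in OFFICIAL_STORES:
            flags.add("app-install-outside-store")
    return sorted(flags)

# Constructed sample messages (not taken from the incident described above).
SAMPLES = [
    "Dear taxpayer, your ITR refund is pending. Install the app to claim it: "
    "http://incometax-refund.example/itr.apk",
    "Your account is blocked. Reply with your OTP and card number to reactivate.",
    "Your OTP is 482913. Do not share it with anyone.",
    "Get our banking app: https://play.google.com/store/apps/details?id=com.example.bank",
    "Install our KYC application now: https://kyc-update.example/get",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(sms_red_flags(sms) or "no flags", "<-", sms)
```

An empty result does not prove a message is genuine: https only shows that the connection is encrypted, not who operates the site.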