Holidays Fuel Surge of Mobile, Online Phishing Scams

It’s spoofing season. Nothing brings out digital bandits like the holidays, and this year is no exception.

Proofpoint, an enterprise digital security firm, reported Tuesday that its researchers are seeing a massive global increase in holiday-themed mobile phishing attacks, also known as smishing.

He noted that the volume of mobile phishing messages has almost doubled, compared to this time last year.

Those messages promise everything from package deliveries and gifts to special retail offers and special delivery exceptions.

“There has been a trend in recent years of scams and smishing related to the holidays and vacation themes in the fourth quarter of the year,” observed Jacinta Tobin, global vice president of operations for Cloudmark at Proofpoint.

“We have seen steady growth in both our scam and smishing reports in the US and the world beginning in October and increasing through December,” he told TechNewsWorld.

Susceptibility season

Ben Brigida, SOC COO at Expel, a SOC-as-a-Service provider in Herndon, Virginia, explained that phishing attacks increase during the holidays because people are more susceptible to social engineering aimed at their desire to show loved ones that they care.

“It’s not unusual to get ads that promise great deals around this time, or have someone ask you if you want to contribute a great gift,” he told TechNewsWorld.

“Attackers can send an email about a deal that is too good to be true for the new toy and people will fall for it,” he said.


ad impression count

“They can pose as a manager,” he continued, “and ask someone to ‘collect the gift cards for everyone in the office’ and it really makes sense, for people to do it.”

Magni R. Sigurdsson, Senior Director of Detection Technologies at Cyren, a McLean, Virginia cybersecurity company that focuses on protecting businesses from phishing attacks and data loss, noted that SMS phishing campaigns have increased because there are more users and mobile devices than a year ago. .

“Phishing is a commercial enterprise, so cybercriminals adapt to changes in consumer behavior just like legitimate companies do,” he told TechNewsWorld.

High click rate success

“As consumers rely more on mobile devices, it is natural for attackers to focus on those platforms,” ​​observed John Bambenek, top threat hunter from Netenrich, an IT and digital security operations company based in San Jose, California

“That is especially true considering that the click-through rate for SMS attacks is much higher than for emails and the fact that there is relatively less security on mobile devices,” he told TechNewsWorld.

“So the attacks have absolutely increased and will continue to do so,” he said.

Hank Schless, Senior Director of Security Solutions at Be aware, a San Francisco-based mobile phishing solutions provider, noted that there were significant increases in business mobile phishing in late 2019 and 2020. From Q4 2019 to Q1 2020, volume increased 87 percent. percent, while from the fourth quarter of 2020 to the first quarter of 2021, they jumped 127 percent.

“The interesting thing is that from that point forward in 2021, threat actors did not relent and encounter rates continued to increase during the first three quarters of 2021, showing that this is a major problem that is here to stay,” he said. to TechNewsWorld. .

Fake customer service

In a Proofpoint blog, Tobin wrote that cybercriminals prey on mobile users with smishing attacks claiming to be from reputable companies, including prominent retailers, e-commerce brands, and package delivery companies.

These decoys try to steal personal information from unsuspecting targets, he added.

Many of these lures ask for credit card information to solve a problem supposedly related to the purchase or delivery of a non-existent item, he noted.

example of a fake SMS message trying to steal data from a customer

Example of a fraudulent SMS notification attempting to steal personal information (Image credit: Proofpoint)


In other cases, he wrote, attackers try to steal personal information via an attractive URL or landing page.

Expel has seen similar activity online. In a blog post on Monday, a shipping scam was mentioned in which a target was notified about the purchase of a high-priced item that they had not purchased.

There are no clickable links in the email, just a “helpdesk” phone number printed in bright red at the bottom of the purchase notification.

When the recipient of the notification calls the phone number, a “customer service representative” offers to fix the problem, after collecting the account information necessary to fix the problem.

Example of a fake Amazon shipping notification email

Example of a fake Amazon shipping notification email (Image credit: Eject)


If successful, this type of scam would result in the attacker obtaining account credentials, credit card numbers or other sensitive personal information from the recipient in question, Expel explained.

“The rebound in consumer purchases during the holiday season offers a wealth of opportunities for attackers to mislead people into revealing confidential information,” observed Ray Pugh, Expel’s manager of security operations.

“Fake purchase receipts, invoices and shipping notifications are very likely to prompt recipients to click links or call the phone numbers listed in the phishing email, as recipients expect this type of emails this time of year, so the call to action is strong and the attackers’ chances of success are especially high during the holidays, ”he told TechNewsWorld.

Safety measures

On his blog, Tobin offered some tips on mobile safety while on vacation.

  • Be on the lookout for suspicious text messages. Criminals are increasingly using mobile messaging and SMS phishing as an attack vector.
  • Be careful when providing your mobile phone number to a company or other business entity.
  • Whenever you receive a message, which includes some kind of package delivery warning or notification that contains a web link, please do not use the web link provided in the text message. Instead, use your device’s browser to directly access the sender’s website, or use the brand’s app, if you already have it installed on your device. Do this also for any offer codes you receive by entering them directly on the sender’s website from your browser.
  • Report spam and phishing via SMS to the Spam Reporting Service. Use the spam notification feature in your messaging client if you have one, or forward spam text messages to 7726, which spells “SPAM” on the phone keypad.
  • Be careful when downloading and installing new software on your mobile device. Please read the installation instructions carefully, especially to obtain information on the rights and privileges that the application may request.
  • Do not reply to any unsolicited business or commercial messages from any vendor or company that you do not recognize. Doing so will often confirm that you are a “real person”.
  • Do not install software on your mobile device from any source other than a certified app store from the provider or mobile network operator.
  • “Consumers must realize that SMS messages are more insecure than email and that every message they receive is suspicious,” Bambenek said.

“They should prefer app-based messaging over text,” he added, “and realize that if something is too good to be true, it probably is.”

Leave a Comment