SMS and caller ID spoofing


Cybercriminals are using increasingly sophisticated techniques. Not only do they impersonate other people, but they also imitate and supplant banks’ usual communication channels. This new post in the “Protect yourself against fraud” series will help you watch out for tell-tale signs and react if this happens.

As you might know, smishing is an attempt to steal your private information or to charge money to your account by sending an SMS to your mobile phone posing as your bank, usually with a link to a fake website. They are fairly easy to spot.

However, it is possible for these SMSs to appear in the same section as other previous legitimate SMSs from your bank, such as those for authorising payments. How is this possible? The telephone number from which the message is sent can be replaced by an alphanumeric text disguising it as the bank’s, so that the recipient doesn't suspect the sender and agrees to the transaction requested. This technique, known as SMS spoofing, uses a number of websites and mobile applications that allow SMSs to be sent from an unknown source impersonating a legitimate identity relatively easily. Take a look at the example below:

The same can be done with phone calls. Caller ID spoofing is the practice of displaying as caller ID a number different from that of the actual caller. In this case, the attacker hides behind the bank’s call centre numbers.

What can I do to detect and prevent this type of fraud?

  • In the case of SMSs, some mobile phones have built-in spam detectors and block this type of messages.
  • Even though these messages are received in the same location as other messages from the bank, look closely at their format or content, or check for any spelling mistakes.
  • There are also applications that allow you to discover the caller's real identity.
  • In any event, remember that your bank will never ask you to provide your full password or code.
  • Use your common sense: check that what they are telling you is actually true. For example, if you receive a phone call informing you of a fraudulent transaction, access your bank account and make sure it exists. If what they’re telling you doesn’t add up, hang up and call them yourself.
  • If you have not performed a transaction, it makes no sense for you to receive a one-time password, and even less for the bank to ask you for it over the phone. And no, your bank does not need a code to cancel that alleged fraudulent transaction.
Did you find this information useful?