Smishing and Vishing: Banking Fraud Prevention

Mobile and internet banking have made financial services far more convenient, but that convenience brings fraud risk with it. Much of today's social engineering against bank customers uses two channels that have proven particularly effective at tricking victims into revealing sensitive information: smishing (SMS phishing) and vishing (voice phishing).

In this blog we cover what smishing and vishing are, how the attacks work and, most importantly, how you can protect your bank and your customers. We also look at the rise of these attacks in banking fraud, their mechanics and the strategies that work against them. Whether you work in banking or are a customer looking for ways to stay safe, read on.

Understanding Smishing and Vishing

In banking fraud, social engineering comes in many forms, smishing and vishing among them. Both go after an individual's personal and financial information over the phone or by text message, and both rely on a manufactured sense of urgency to push the victim into handing over private details. Users should stay vigilant and never share sensitive data in response to an unsolicited call or message, but that is a weak control on its own; there are solutions that let financial institutions stop relying on the user to spot the attack.

Smishing vs. Vishing

Smishing arrives by text message. The message typically carries a link that either leads to a fake website with a form asking for card numbers, login credentials or one-time codes, which go straight to the attacker, or delivers malware that compromises the mobile device.

Attackers favour SMS because of how reliably it gets read. The following marketing figures (Techjury) show why text messages are among the top distribution channels for cybercriminals:

  • SMS has a 98% open rate, significantly higher than email marketing, which averages around 20%.
  • 60% of users open and read the SMS within 1-5 minutes of receiving it.
  • Users are 4.5 times more likely to respond to a text than an email.

Vishing uses deceptive phone calls or automated voice messages to extract the same kind of information by voice. The caller, posing as the bank, typically asks for card numbers or for the one-time passcode (OTP) the victim has just received; in the common pattern, the attacker triggers a transaction or login while on the phone and talks the victim into reading out the OTP that authorises it.

The Challenge of Smishing and Vishing in Banking Fraud

What makes smishing and vishing harder to counter is that the attacker can present the incoming call or SMS as coming directly from the bank. Caller ID spoofing tools are cheap, easy to use and widely available, and the presented number is set by the originating party and, by default, not verified by the telephone network, so a spoofed number looks identical to a genuine one on the victim's phone. Of the many forms of spoofing used in fraud, caller ID spoofing is the one most closely tied to smishing and vishing.

To the average bank client an incoming call from a familiar number does not look like a threat, and because the displayed number belongs to a trusted source the attacker's job is that much easier. No security awareness training can give end users a way to tell a spoofed caller ID from a real one on the phone's screen; the only user-side defence is to hang up and call the bank back on a known number, which few people do under pressure. What prevents the scenario altogether is spoofing protection on the bank's side.

Business Consequences of Smishing and Vishing in Banking

The damage from smishing and vishing attacks includes serious financial and reputational consequences and a risk of a sharp drop in customer satisfaction.

Financial consequences refer to the bank's liability for fraud. The European Commission's proposed PSD3/PSR package moves in the direction of making banks that lack appropriate security mechanisms liable for losses from social engineering fraud in which the fraudster impersonates the bank.

Reputational consequences: you don't need to be an expert to work out which banks are targeted most; the volume of fraudulent calls and messages in their name speaks for itself. That quickly becomes a topic among existing and prospective clients, who will question the bank's ability to protect them.

Customer satisfaction: a stream of calls in the bank's name from unknown numbers will show up in your customer satisfaction metrics, and some customers will switch banks, which costs you further.

How Can Banks Stay One Step Ahead of Smishing and Vishing Attacks?

We mentioned earlier that there is another layer to smishing and vishing risk in banking: caller ID spoofing, which makes the calls and messages appear to come from the bank's registered official phone numbers. Relying purely on security awareness training is insufficient against it. End users would have to verify every call through several steps that require technical knowledge, and with the rising volume of smishing and vishing attempts, expecting users to check every unknown number is simply naive.

The solution lies in spoofing protection: an SDK integrated into the mBanking application that can detect a spoofed bank number, terminate the call and warn both the user and the bank about the attempted fraud. Let's see what this looks like in action.

Spoofing protection flow for vishing attempts

The following is a simplified flow of the communication between the Spoofing Protector SDK, the Spoofing Protector backend, the mBanking application and the bank's anti-fraud system when a vishing attempt uses a spoofed bank phone number.

  1. The user is about to receive a call whose caller ID has been spoofed to look like a bank number.
  2. When a call genuinely originates from the bank, the user receives a push notification with information about the incoming call.
  3. The Spoofing Protector SDK intercepts the call and collects the caller information.
  4. The SDK compares the presented phone number with the predefined list of the bank's official phone numbers.
  5. If the number is on the official list, the SDK sends a request to the backend to resolve whether the call really comes from the bank.
  6. The bank's call center system returns the list of possible matching calls with the required data (caller phone number, call initiation time, user called, current status and so on).
  7. The Spoofing Protector backend resolves whether the incoming call was initiated by the bank. There are three outcomes:
    • The call was initiated by the bank: the caller is active in the call center and the call center is calling this specific user.
    • The call was not initiated by the bank: no caller with this number is active in the call center, so fraud is suspected.
    • The call center does have an active call from this number, but the user identifier reported by the mobile application does not match the user the call center is calling, so the call to this user is suspected fraud.
  8. Based on the resolved status, the backend tells the SDK whether the call was initiated by the bank.
  9. If the call is not coming from the bank, the SDK tries to terminate the call (whether it can depends on the call-screening permissions the mobile platform grants the app; otherwise it warns the user) and informs the Spoofing Protector backend, which notifies the bank's anti-fraud system of the termination status.
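As an added example, not ASEE's code and not necessarily how the Spoofing Protector backend is implemented, the following Python models the resolution step (steps 4 to 8) on constructed call-center records. The phone numbers, user identifiers, the 90-second matching window between call initiation and the phone ringing, and the number normalisation are all assumptions; the page only states which fields the call center returns and what the three outcomes are.

```python
# Added example, not ASEE's Spoofing Protector code: a minimal model of the
# backend resolution step (steps 4-8 of the flow above). Numbers, user ids and
# call-center records are constructed for the demo. The "max_skew" window and
# the number normalisation are assumptions; the page does not say how the
# backend matches a call-center record to the incoming call.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


# Step 4: the bank's official outbound numbers (constructed, E.164 format).
OFFICIAL_BANK_NUMBERS = {"+38511234567", "+38511234568"}


class Verdict(Enum):
    NOT_BANK_NUMBER = "caller id not on the bank's list, SDK takes no action"
    LEGITIMATE = "call initiated from the bank to this user"
    NO_ACTIVE_CALL = "suspected fraud: no active call-center call from this number"
    USER_MISMATCH = "suspected fraud: the bank is calling a different user"


@dataclass(frozen=True)
class CallCenterCall:
    """One record as returned by the call center (step 6)."""
    caller_number: str
    initiated_at: datetime
    called_user_id: str
    status: str  # "active" while the agent's call is up, otherwise "ended"


@dataclass(frozen=True)
class IncomingCall:
    """What the SDK reports to the backend (steps 3-5)."""
    caller_number: str    # caller id as presented to the phone, possibly spoofed
    received_at: datetime
    app_user_id: str      # user of the logged-in mBanking session (assumed to be
                          # taken from the authenticated session, not a client field)


def normalize_number(raw: str) -> str:
    """Reduce a displayed caller id to E.164 so formatting differences do not
    defeat the comparison ("00385 11 234-567" and "+38511234567" are equal)."""
    digits = "".join(ch for ch in raw if ch.isdigit() or ch == "+")
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    return digits


def resolve(incoming: IncomingCall,
            call_center_calls: list[CallCenterCall],
            max_skew: timedelta = timedelta(seconds=90)) -> Verdict:
    """Step 7: decide whether the bank really initiated this call."""
    number = normalize_number(incoming.caller_number)
    if number not in OFFICIAL_BANK_NUMBERS:
        # Not impersonating the bank: an ordinary call, nothing to verify.
        return Verdict.NOT_BANK_NUMBER
    # Only calls the call center currently has up from this number, started
    # close to when the phone rang, can explain the incoming call.
    candidates = [
        c for c in call_center_calls
        if normalize_number(c.caller_number) == number
        and c.status == "active"
        and abs(incoming.received_at - c.initiated_at) <= max_skew
    ]
    if not candidates:
        return Verdict.NO_ACTIVE_CALL
    if any(c.called_user_id == incoming.app_user_id for c in candidates):
        return Verdict.LEGITIMATE
    # The number is genuinely in use by the bank, but not towards this user.
    return Verdict.USER_MISMATCH


def demo() -> dict[str, Verdict]:
    """Run the outcomes from step 7 on constructed data."""
    t0 = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    call_center = [
        CallCenterCall("+38511234567", t0, "user-1001", "active"),
        CallCenterCall("+38511234568", t0 - timedelta(minutes=30), "user-3003", "ended"),
    ]
    cases = {
        "bank_calls_this_user": IncomingCall("+385 11 234 567", t0 + timedelta(seconds=20), "user-1001"),
        "spoofed_idle_number": IncomingCall("+38511234568", t0 + timedelta(seconds=20), "user-1001"),
        "spoofed_busy_number": IncomingCall("+38511234567", t0 + timedelta(seconds=20), "user-2002"),
        "unrelated_number": IncomingCall("+385 91 111 2222", t0, "user-1001"),
    }
    return {name: resolve(call, call_center) for name, call in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} -> {verdict.name}: {verdict.value}")
```

Three things the model makes visible that a deployment has to get right: the user identifier must come from the authenticated app session rather than a field the client fills in, otherwise a compromised phone can claim to be the user the bank is calling; the list of official numbers should be served by the backend and cover every trunk the bank actually dials out from, or genuine callbacks will be cut off as fraud; and the call-center feed has to be real time, because the "active" check produces a false fraud alert on a genuine call if the record lags behind the ring.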

How can ASEE help?

Are you experiencing issues with social engineering attempts targeting your clients? We'll gladly offer guidance and help you protect your business and your customers. Feel free to contact us – zero obligation. Our ASEE team will be happy to hear you out.
