Ding!

The “New Text Message” notification popped up on Amber’s phone.

She had just heard on the news about the government’s Electricity Rebate Program. The news anchor had said that residents who have consumed electricity within the past calendar year would be eligible for a rebate of up to $300.

And there it was… a text message about the energy rebate. It couldn’t have come at a better time. Amber had just had car troubles and would need over $500 for unbudgeted expenses to complete the repairs.

The text message read:

“Residential Energy Rebate*

Fast-Track Rebate Program Payment – Reimburse you $300 for your electricity bill.

Apply with your sign-in partner: www.service-elect-subs.com”

She was ecstatic that she would be able to get her car fixed without her rent payment bouncing. She clicked the link, which brought her to the Residential Energy Rebate website. From there, she was able to select her banking sign-in partner.

Clicking on RBC, she was brought to a sign-in page with the RBC logo, where she entered her bank card information and her online banking password.

Then she got an error message. “We’re sorry. Due to the volume of requests, this site is unavailable at this time. Please try later.”

She put her phone down in disappointment and made a mental note to try again later.

It would be the evening before she tried again, but she got the same error message. She tried again the next morning: same error message.

That afternoon, she decided to log into her bank account to see if her rent payment had cleared but noticed that her bank account had a balance of just $1.26. Clearly, that was a mistake… She should have had at least $300 left for groceries… How?

It was then that she realized that she had been scammed. The Residential Energy Rebate text message was a smishing scam, and she had given the scammers her online banking credentials… not once, not twice, but three times. In fact, her bank account had already been cleaned out after the first time she entered her banking credentials on the fraudulent site.

What happened?

This scam is known as a SMiShing (SMS phishing) scam, where the attacker sends out a boatload of text messages to a block of phone numbers with the scam message. The attackers set up a fake website that looks legitimate, with landing pages that mimic the sign-in pages of the major banks.

When the unsuspecting victim follows the link in the text message, thinking the page is legitimate, they click on the banking link as Amber did in the story above and enter their online banking credentials into the fraudulent website. The site is controlled by the attackers, who immediately use those credentials to log into the real account and clean it out.

What could have been done to prevent it?

Attackers are sending out these scams via SMS because there is almost no spam or malware filtering for text messages. Users are also often distracted when on their smartphones, are not as vigilant, and are therefore more likely to fall for the scam.

The scammers are also looking for opportunities to exploit victims by tying the message to content that is current and timely. This makes the scam look more legitimate and makes it more likely that the victim will follow through by clicking the link and falling for it.

To prevent this, it is all about EDUCATION, EDUCATION, EDUCATION. Be aware that these scams are around and that the attackers are very creative in the tactics they use to trick their victims. Now that you are aware of these types of attacks, please tell everyone you know to be cautious of these scams. These attacks could happen to anyone… your coworkers, your kids, your parents… literally anyone could be a victim, and the more people who are aware of this, the better.

As a general rule of thumb, when you receive a random text message with a link, the best thing you can do is delete the message and block the number.
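The rule of thumb above can be turned into a simple check: pull every link out of a text message and compare its host against the short list of sites you actually do business with. The script below is an added example written for this page; it is not the author's or Expera IT's code. The allowlist (`bank.example`, `gov.example`), the lure-word list and the sample messages are constructed for the example; only the `www.service-elect-subs.com` link comes from the story. The host check is suffix-based on purpose, so that a real domain buried inside a longer attacker-controlled name (a common lookalike trick) is still flagged.

```python
"""Triage helper for links in SMS messages (added example, not part of the original story)."""
import re
from urllib.parse import urlsplit

# Constructed allowlist: domains this user genuinely uses. The real bank's domain is not
# on the page, so "bank.example" and "gov.example" are placeholders.
TRUSTED_DOMAINS = {"bank.example", "gov.example"}

# Hypothetical list of lure words that often accompany a link in smishing texts.
LURE_WORDS = {"rebate", "refund", "reimburse", "fast-track", "sign-in", "verify", "urgent"}

# Matches bare hosts ("www.site.com"), full URLs ("https://a.b.com/path") and paths.
# The final label must be alphabetic, so amounts such as "$1.26" are not treated as links.
URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)


def extract_hosts(text):
    """Return the lower-cased hostnames of every link-like token in the message."""
    hosts = []
    for token in URL_RE.findall(text):
        url = token if token.lower().startswith("http") else "http://" + token
        host = (urlsplit(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def is_trusted(host):
    """True only if the host IS a trusted domain or a subdomain of one.
    'bank.example.evil.com' ends with '.com', not '.bank.example', so it is untrusted."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage_sms(text):
    """Classify a message as 'no-link', 'ok' or 'suspicious' and explain why."""
    hosts = extract_hosts(text)
    lures = sorted(w for w in LURE_WORDS
                   if re.search(r"\b" + re.escape(w) + r"\b", text, re.I))
    reasons = [f"link to untrusted host {h}" for h in hosts if not is_trusted(h)]
    if hosts and lures:
        reasons.append("lure words paired with a link: " + ", ".join(lures))
    if not hosts:
        verdict = "no-link"
    elif reasons and any(not is_trusted(h) for h in hosts):
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"verdict": verdict, "hosts": hosts, "reasons": reasons}


# The rebate text from the story, reproduced as a sample input.
SCAM_TEXT = ("Residential Energy Rebate* Fast-Track Rebate Program Payment - Reimburse you $300 "
             "for your electricity bill. Apply with your sign-in partner: www.service-elect-subs.com")

if __name__ == "__main__":
    for msg in (SCAM_TEXT,
                "Your statement is ready at https://online.bank.example/statements",
                "Running late, see you at 6"):
        print(triage_sms(msg))
```

Run as-is, the script prints the verdict for the story's message plus two constructed ones. The decision is deliberately blunt: any link to a host outside the allowlist is "suspicious", which matches the advice to delete and block rather than try to judge a link on its appearance.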

Story is based on real-life events.
Written by: Vince Fung
(c) 2022 Vince Fung & Expera IT – Unauthorized copying or use of this content is strictly prohibited.