Scenario and Background

Business Email Compromise (BEC) attacks are common today, and one common tactic by hackers is to target key individuals within businesses who perform wire transfer payments. A typical BEC scam happens after hackers either compromise or spoof an email account for a legitimate person/company. They use this email account to trick counterparts into wiring money into the wrong bank accounts – their accounts.

BEC scams are popular because they’re (1) simple to execute, and (2) typically don’t require advanced coding skills or complex malware. And they pay BIG! In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 19,369 BEC complaints with adjusted losses of over $1.8 billion.

Many businesses have adjusted their practices to expect a second level of authorization from a requestor before proceeding with a wire transfer, which would thwart the simple method of sending one or more spoofed emails to request the wire transfer.

Short Message Service (SMS) spoofing is also the spoofing of an account, but via text message. It’s done by changing the sender’s name, phone number, or both. And it’s not that difficult to do – in some versions of Kali Linux (formerly BackTrack), there’s an SMS spoofing attack vector in the Social-Engineer Toolkit (SET). There are even online services offering SMS spoofing on the internet!

One big difference between SMS spoofing and the email spoofing used in BEC attacks is that you can check the sender’s email address to confirm what domain and email address it came from. Even though some hackers can disguise the email address to look like the purported sender, they can’t totally replicate the legitimate email address or domain. A spoofed SMS, on the other hand, arrives from a name and/or number that looks identical to the real name and/or number, which makes it very difficult to identify as spoofed if it isn’t suspected or expected.

SMS spoofing has been used for everything from impersonating a company to get recipients to click on a link in a smishing attack, to faking a money transfer record to convince an in-store employee that items have been paid for, to carrying out a personal agenda against someone by sending incriminating texts that appear to come from them to someone else (or even to yourself).

We’re seeing that BEC scams are now being combined with SMS Spoofing to accomplish the wire transfer scam. The target receives a spoofed text message, letting them know an email is coming with the details about the wire transfer to be executed. Once the target receives the email, they feel they already have that second level of authorization to proceed with the wire transfer.

[Figure: SMS Spoof BEC]

Combating SMS Spoofing Attacks

In general, there are some best practices when it comes to handling suspicious texts and SMS spoofing attacks to keep in mind:

  • Check the sender: Sometimes the text you receive isn’t spoofed at all, and the sender simply isn’t who you assume it is; look at the name and number before acting on it.
  • Don’t click on unexpected or unfamiliar links: If you get a text that appears to be from a legitimate company, telling you that your account is suspended and asking you to click on a link to log in, don’t do it. Log in through the normal site to check the validity of any account issues.
  • Don’t believe the great offer or “you’ve won” text: Legitimate companies won’t send you a link via text to claim a great offer or prize. If it’s too good to be true, it almost always is.
  • Never give personal information out via text: No legitimate company would ask for personal info via text, so don’t give it if asked for it.

When it comes to SMS spoofing from a known colleague (i.e., the wire transfer scam), current technology approaches won’t work:

  • Spam blockers won’t work if the message appears to be from a trusted contact: While iPhone and Android phones both provide a feature to block messages from unknown numbers, a spoofed message from a known number won’t be blocked because it’s known. Spam blockers will work when the text is not spoofed to appear to be from a familiar number, so it’s still a good practice to turn them on for anybody who is involved in critical company processes (like wire transfers). This article discusses how to turn on spam blockers for both Android and iOS.

  • The recently implemented Caller ID authentication STIR/SHAKEN standard won’t work either: STIR/SHAKEN is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks. STIR stands for Secure Telephone Identity Revisited and SHAKEN stands for Signature-based Handling of Asserted information using toKENs. While STIR/SHAKEN was developed to stop illegal call spoofing, it applies to phone calls only, not text messages.

With no technology approaches to stop SMS spoofing, here are two best practices to avoid being scammed by a spoofed SMS message:

  • Call back the message sender: Simple, but effective. If they sent the message, they can verify that; if not, you’ll know quickly. If they don’t answer, don’t proceed until they do (or you can verify the legitimacy of the request in some other manner). Verbal confirmation is very difficult to spoof.

  • Establish a dual authorization approach to initiating wire transfers and approving payments: Many financial institutions today have implemented a dual control approach to completing wire transfers, involving two people for authorization and segregation of duties (i.e., one person receives the request for funds and a second person authorizes the release of funds). This approach makes it much more difficult to operate a scam on a company. Ask your financial institution about the availability of such a program and what it takes to enroll.
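The two practices above (callback verification and dual control) can be enforced in software rather than left to habit. The following is an added example, not code from the original article or from any financial institution’s system: a small approval workflow in which a wire request cannot be released until a callback has been recorded to the requester’s number from the company directory (never a number taken from the text or email itself), and only by someone other than the employee who keyed the request in. The directory entries, names and request values are constructed for the example.

```python
"""Dual-control wire-transfer approval with mandatory callback verification.

Added example (hypothetical API); the roles, numbers and requests below are
constructed, not taken from any real system.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class State(Enum):
    REQUESTED = auto()   # keyed in by the employee who received the request
    VERIFIED = auto()    # requester confirmed by voice on a directory number
    RELEASED = auto()    # funds released by a second, different employee


class ControlViolation(Exception):
    """Raised when a step would bypass verification or segregation of duties."""


@dataclass
class WireRequest:
    request_id: str
    requester: str            # person the text/email claims to come from
    entered_by: str           # employee who received the request and entered it
    beneficiary_account: str
    amount: float
    state: State = State.REQUESTED
    verified_by: Optional[str] = None
    released_by: Optional[str] = None
    audit: list = field(default_factory=list)


# Constructed sample directory: the only numbers a callback may be placed to.
DIRECTORY = {
    "cfo": "+15550100",
    "ap_clerk": "+15550101",
    "controller": "+15550102",
}


def verify_by_callback(req: WireRequest, verifier: str, number_dialed: str,
                       directory: dict = DIRECTORY) -> WireRequest:
    """Record a voice confirmation of the request.

    The number dialed must equal the directory entry for the requester, so a
    "call me at ..." number planted in a spoofed text can never satisfy this step.
    """
    if req.state is not State.REQUESTED:
        raise ControlViolation(f"{req.request_id}: already {req.state.name}")
    expected = directory.get(req.requester)
    if expected is None or number_dialed != expected:
        raise ControlViolation(
            f"{req.request_id}: callback must use the directory number for {req.requester}")
    req.state = State.VERIFIED
    req.verified_by = verifier
    req.audit.append(f"verified by {verifier} via callback to {number_dialed}")
    return req


def release_funds(req: WireRequest, approver: str) -> WireRequest:
    """Second control: a different person releases the funds, and only after
    the callback verification has been recorded."""
    if req.state is not State.VERIFIED:
        raise ControlViolation(f"{req.request_id}: release requires verification first")
    if approver == req.entered_by:
        raise ControlViolation(
            f"{req.request_id}: {approver} entered the request and cannot also release it")
    req.state = State.RELEASED
    req.released_by = approver
    req.audit.append(f"released by {approver}")
    return req


def process_request(req: WireRequest, verifier: str, number_dialed: str,
                    approver: str) -> State:
    """Run both controls in order and return the final state."""
    verify_by_callback(req, verifier, number_dialed)
    release_funds(req, approver)
    return req.state


def violates(step, *args) -> bool:
    """True if the step is refused by a control (used to show the failure modes)."""
    try:
        step(*args)
    except ControlViolation:
        return True
    return False


if __name__ == "__main__":
    # Legitimate path: clerk keys it in, calls the CFO's directory number, controller releases.
    ok = WireRequest("W-1", "cfo", "ap_clerk", "ACCT-CONSTRUCTED", 25000.0)
    print(process_request(ok, "ap_clerk", "+15550100", "controller"), ok.audit)

    # Scam path: the spoofed text supplies its own callback number; the control rejects it.
    scam = WireRequest("W-2", "cfo", "ap_clerk", "ACCT-CONSTRUCTED", 25000.0)
    print("callback to number from the text refused:",
          violates(verify_by_callback, scam, "ap_clerk", "+15559999"))
```

The state machine makes the order of controls explicit: a release attempt on an unverified request, or by the same person who entered it, is refused and nothing about the request changes, which is also what an auditor would want to see in the `audit` trail.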

While there is currently no technology-based approach to stop SMS spoofing, that may change soon, so check back here for updates.