What the Hack? Q2 2021


Best Practice Spotlight

Call and SMS scams: Why can't telcos stop them?
by Ven Dela Luna, Chief Security Engineer

In the past few months, scammers have been targeting certain mobile users through calls or text. Alarmingly, I also learned from acquaintances that they have received text messages from people pretending to be from legitimate sources, such as banks and service providers. If one looks closely at the content, the URLs or links provided are either unrelated to the company or utilise a newly registered site, which in most cases is temporary and is already offline by the time further investigations can be made.

I also heard from some friends that they were scammed into buying a new phone through their contracts; however, the mobile packages got delivered to a different address. This is worse, since the scammers use social engineering to trick the victim and ensure they pass two-factor authentication.

This makes us wonder why telecommunications companies and service providers continue to allow this. It almost seems that the industry is not thoroughly regulated; prosecutions are slow at best, and most of the time the scammers are not even charged with any offence, if they get caught at all.

The government is tackling this problem by educating users on the danger of these scams. Consumers are also encouraged to help by reporting spam texts and nuisance calls to two different agencies:
1. The Information Commissioner's Office (ICO)
2. The National Cyber Security Centre (NCSC)

One part of the solution that the private sector or the government should tackle is enforcing some control, process, and deterrence for those who go to such lengths to misuse the legitimate services offered by telcos and other service providers.

For telcos, prepay mobile SIMs are easy to buy. One can pop into any shop and attach these to a device that can send multiple messages. As burner phones are popularly used in crimes, these should be regulated or, if possible, registered with the government entities overseeing communications. In relation to hardlines for companies (standard phone lines), telcos should carry out careful background checks (not just on the company site) and review the stated purpose of the line. Audits can be done in the middle of the fiscal year to validate whether the lines are indeed functioning as stated in the applications. The same can be done with households to validate that the registered user is the one holding the other end of the line.

For service providers, rigid checks should be in place for the domains they host, and they should provide ample warning to tenants as necessary.

The above solutions will take a while to be discussed in government, let alone implemented. Hence, for the time being, we urge users to:
1. Take advantage of free mobile security solutions (there are a lot of known security providers that offer this for free now; some are even bundled in partnership with telcos)
2. Use free web advice or web filtering solutions
3. Use free AV solutions, or use the premium ones (with fee)
4. Report every spam, scam email, or nuisance call you encounter
5. Always keep your devices, operating systems, and applications up to date

Users and administrators can also help by submitting sample URLs they get from an SMS to their respective cyber security providers or to a community-based repository, such as VirusTotal or PhishTank.

For administrators, the above also applies, but with a fee. They could opt to leverage fully managed services to protect them from scams and spam, as well as other digital attack vectors. Downplayed as they are, in many instances phishing leads to a breach. This multidimensional approach will surely help the government, as well as aid security vendors, in protecting not just enterprises and SMBs, but also standard users at home.
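As an added illustration of the "look closely at the link" observation above (example code, not from the article or from Secon): a small Python triage routine that flags an SMS link whose registrable domain does not belong to the brand the message names, or whose domain was registered only days ago. The brand-to-domain map, the registration dates (standing in for a WHOIS/RDAP lookup) and the sample messages are constructed, and the registrable-domain logic is simplified (no full public-suffix list).

```python
import re
from datetime import date

# Constructed sample data, not from the article: domains each brand is known to use.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.co.uk", "examplebank.com"},
    "exampletelco": {"exampletelco.com"},
}
# Constructed stand-in for a WHOIS/RDAP lookup: when each sample domain was registered.
REGISTRATION_DATES = {
    "examplebank.co.uk": date(2009, 3, 14),
    "examplebank-secure.xyz": date(2021, 5, 30),
}
# Two-part public suffixes the simplified registrable-domain logic understands.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}
# Matches a URL with or without a scheme, e.g. "https://x.example/p" or "x.example/p".
URL_RE = re.compile(r"(?<![\w.])(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(host: str) -> str:
    """Registrable domain of a host (simplified: no full public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_hosts(text: str) -> list[str]:
    """Host names of every URL-looking token in an SMS body."""
    hosts = []
    for m in URL_RE.finditer(text):
        without_scheme = re.sub(r"^https?://", "", m.group(0), flags=re.I)
        hosts.append(without_scheme.split("/")[0])
    return hosts


def triage_sms(text: str, today: date, max_age_days: int = 30) -> list[str]:
    """Flag links whose domain is not the claimed brand's, or was registered very recently."""
    findings = []
    mentioned = [b for b in BRAND_DOMAINS if b in text.lower()]
    for host in extract_hosts(text):
        domain = registrable_domain(host)
        for brand in mentioned:
            if domain not in BRAND_DOMAINS[brand]:
                findings.append(f"{host}: mentions {brand} but {domain} is not a known {brand} domain")
        registered = REGISTRATION_DATES.get(domain)
        if registered is None:
            findings.append(f"{host}: no registration record for {domain}")
        elif (today - registered).days < max_age_days:
            findings.append(f"{host}: {domain} registered only {(today - registered).days} days ago")
    return findings
```

A genuine message such as "ExampleBank: statement ready at https://online.examplebank.co.uk/statements" produces no findings, while a lookalike such as "examplebank.co.uk.verify-account.net/confirm" is flagged because its registrable domain is verify-account.net, not the bank's.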

