Financial Crime
March 20, 2025
Smishing is on the rise. In June of this year, Bank of Ireland customers were targeted by a string of smishing attacks. In August, the national center for cybersecurity in Brussels warned of a ‘tsunami’ of smishing attempts about to hit the country.
The spike in this type of scam is not an accident and deserves a deeper review of what is happening and the what the driving factors are behind the increase.
Smishing, otherwise known as SMS phishing, is a form of social engineering attack that targets victims on their mobile phones. It exploits people’s trust in their banks by sending them fraudulent messages attempting to trick them into giving out confidential information that fraudsters then use to take over their accounts.
In other cases, even just clicking on a fraudulent link in one of these texts can install malware on the person’s phone designed to enable fraudsters to gain control over the device and compromise sensitive information.
Smishing attacks are often used to bypass two-factor authentication by duping customers into handing over their strong authentication codes, effectively bypassing this security measure and allowing attackers to take over accounts or alter transactions.
As with all social engineering attacks, the human element makes it extremely hard for banks to detect since they allow attackers to impersonate customers.
Fraudsters targeted Bank of Ireland customers by inserting fraudulent texts into legitimate message threads between the bank and its customers.
The fraudulent message claimed that the customer’s card had been skimmed during a purchase or at an ATM and as a result had been deactivated. It asked customers to follow a link and input their card details to order a new one.
Believing the message to be legitimate, many customers followed the instructions and clicked on the link which transported them to a fake Bank of Ireland website, where they unknowingly handed over their ATM card details to cybercriminals.
Overall, it is believed these account take over cash out attacks netted over €800,000 stolen from up to 300 account holders. Individual customers claimed to lose as much as €20,000.
To prevent future smishing attacks and help its customers stay safe, the Bank of Ireland has launched an awareness campaign specifically around the threat of smishing and how to spot it.
For one, most people who use online banking services own a mobile phone and tend to be on them most of the time, providing fraudsters with a direct line to unsuspecting customers.
Mobile phones are also not typically what customers think of as likely threat vectors, they’re such a personal device that the idea a fraudster could drain your bank account from one is unthinkable.
Additionally, the pandemic has generated a greater reliance on our phones and the internet than ever before, which gives fraudsters a greater breadth of opportunity for social engineering campaigns.
The aforementioned attacks also highlight the fact that people are more likely to trust a text message over other forms of communications such as emails.
One reason for this is that there is now a high level of awareness around fraudulent email campaigns, including the risk of clicking on links in unsolicited emails.
People seem to be much less alert to the dangers of text messages, not least of all because fraudsters have managed to insert these texts into legitimate message threads with customers and their banks. It’s this level of sophistication that compelled the Bank of Ireland to launch an awareness campaign and reimburse its customers, thereby setting a precedent for the industry.
The concept of taking responsibility for losses due to fraud is a concept echoed by initiatives set up in several countries around the world to increase customer trust in banks, such as the Contingent Reimbursement Model in the UK.
This means not only do banks have an incentive to raise awareness around fraud, they also need to prioritize preventing fraud altogether, to avoid costly renumeration as well as the inevitable loss of customer trust – along with the associated brand damage associated with a publicized attack.
Detecting and preventing social engineering techniques such as smishing requires a unique approach. A requirement based on the fact that if successful, the perpetrator of a smishing attack will have a customer’s legitimate details to impersonate them and commit fraud. Traditional fraud detection methods are not able to easily identify these stolen credential-based impersonation attacks.
Behavioral biometrics is the most adept solution to preventing these types of impersonation-based fraud, because it doesn’t look at what is being entered, but how it is entered. If the actions of a customer don’t match their typical past actions when entering the same information – such as the rhythm and cadence of typing – fraud alerts are sent to the bank so it can take action.
Even if a smishing attack is successful, and the customer does hand over their legitimate details, analyzing the behavioral biometrics of the fraudster means the bank will be able to detect if there has been some kind of account takeover or customer manipulation, and stop the fraudulent transaction from taking place.
By building behavioral biometrics into their cybersecurity solutions, banks can detect anomalies in user behavior in real time, identifying those caused as a result of social engineering and flagging any suspicious behavior before any harm is done.
The Payments Association
St Clement’s House
27 Clements Lane
London EC4N 7AE
© Copyright 2024 The Payments Association. All Rights Reserved. The Payments Association is the trading name of Emerging Payments Ventures Limited.
Emerging Ventures Limited t/a The Payments Association; Registered in England and Wales, Company Number 06672728; VAT no. 938829859; Registered office address St. Clement’s House, 27 Clements Lane, London, England, EC4N 7AE.
Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.
We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.
Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.
Please click the button below which relates to the issue you’re having.
Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association
Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.
For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.
The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.
Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.
Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.
For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.
