Smishing New Year Campaign

Steve
Jan 3, 2023

No sooner does the new year start than new smishing (SMS phishing) campaigns begin. Look out for these imposters claiming to be from Bank of America (or any other relevant bank).

SMS received claiming unusual activity.

There are a few signs that indicate this is fake.

  1. I would assume Bank of America would be more explicit about which specific account had the fraudulent activity.
  2. This message directs the recipient to a website instead of instructing the user to call their security center.
  3. The message explicitly states (all too generically) that the ATM/Debit/Credit Card linked to this account can’t be used until your information is verified. Again, reread #1 above. Additionally, you shouldn’t have to verify your information to Bank of America. Rather, just confirm or deny if the transaction(s) are legit.

Analyzing the link in the SMS message shows that the bit.do shortened URL redirects to the domain ddns[.]net/. Now, if this were a legit message from Bank of America, why would they direct their customers to a non-Bank of America domain?

Analysis of the link received via SMS
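The check described above, as an added example (not code from the original post): given a redirect chain already recorded by a URL expander or sandbox, it flags shortener and dynamic-DNS hops and tests whether the landing host sits under the claimed sender's domain. The allow-list entry `bankofamerica.com`, the function names, and the sample URLs are assumptions constructed for illustration; nothing is fetched.

```python
from urllib.parse import urlsplit

# bit.do and ddns.net come from the post; the brand allow-list is an assumption.
SHORTENERS = {"bit.do"}
DYNAMIC_DNS = {"ddns.net"}
BRAND_DOMAINS = {"bankofamerica.com"}


def refang(url: str) -> str:
    """Undo common defanging so the URL can be parsed (never fetched)."""
    url = url.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    return url if "://" in url else "http://" + url


def host_of(url: str) -> str:
    """Lower-cased hostname without port, userinfo or trailing dot."""
    return (urlsplit(refang(url)).hostname or "").rstrip(".").lower()


def under(host: str, domains: set[str]) -> bool:
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_chain(chain: list[str]) -> dict:
    """Classify each hop of a recorded redirect chain and judge the landing host."""
    findings = []
    for hop, url in enumerate(chain):
        host = host_of(url)
        if under(host, SHORTENERS):
            findings.append((hop, host, "url-shortener"))
        if under(host, DYNAMIC_DNS):
            findings.append((hop, host, "dynamic-dns"))
    landing = host_of(chain[-1]) if chain else ""
    on_brand = under(landing, BRAND_DOMAINS)
    if not on_brand:
        findings.append((len(chain) - 1, landing, "landing-not-brand-domain"))
    return {"landing": landing, "on_brand": on_brand, "findings": findings}


# Constructed chain shaped like the one in the post (path and host label invented).
SAMPLE_CHAIN = ["https://bit.do/EXAMPLE", "http://example-host.ddns[.]net/"]
# Constructed look-alike: the brand name appears only as a subdomain label.
LOOKALIKE = ["https://bankofamerica.com.example-host.ddns[.]net/login"]

if __name__ == "__main__":
    for chain in (SAMPLE_CHAIN, LOOKALIKE):
        print(assess_chain(chain))
```

The suffix match on a dot boundary is what keeps the look-alike host from passing: the brand name in a left-hand label does not make the host part of the brand's domain.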

There are a few ways to verify if this message is legit:

  1. DO NOT CLICK THE LINK CONTAINED IN THE SMS MESSAGE. This is a surefire way for the bad guys to know you’ve received the message, and it brings them that much closer to stealing your information.
  2. Log into your account from a trusted link or the mobile app.
  3. Call customer service via the phone number on the back of your credit or debit card.
  4. Once in your account via a trusted link or connected to a Bank Agent, explain the situation and have them confirm that this is a fake message. Review your account transactions to verify your account was not compromised.

Finally, mark the message as spam and delete it from your phone. Also, verify you have multi-factor (or two-factor) authentication enabled on your account to prevent unauthorized access via the mobile app or website.

While this article focused on Bank of America, these steps can be applied to any bank or unsolicited message (email, SMS, MMS, etc.).

Steve

Cybersecurity evangelist and cybercrime investigator who has investigated thousands of events involving ransomware, insider threat, and regulatory inquiries.