Why fake parcel delivery texts are the top SMS phishing scams in the UK

15.05 billion parcel deliveries were completed worldwide in 2020. Criminals impersonate parcel delivery companies more than any other industry sector because they know hundreds of millions of people around the world are waiting for a delivery at any given time. It’s a numbers game. More deliveries = more “conversions”.

Cybercriminals (social engineers) also know how to create campaigns that are better than parcel delivery companies. Brands need help with their marketing campaigns and text alerts because many of them look more suspicious than phishing messages. This won’t stop phishing but it would make life a tiny bit harder for threat actors.

Our landscape changed

Cybercriminals immediately spotted a new and bigger opportunity while our landscape was changing throughout 2020. They realized everyone around the world was hooked to their phones, waiting for COVID updates/notifications, and SMS updates from parcel delivery companies.

While 2020 saw a massive rise in phishing attacks via SMS, mobile operators were helpless to do anything to stop them. All they could do was advise their subscribers and business customers to “avoid links from people they don’t know” — despite the fact that every dangerous message and link is made to look like it comes from someone they know — the very definition of phishing. This is like handing sweets to millions of children while advising them to avoid sugar.

Why criminals favor SMS?

Click here to see the above image full size on Imgur. Feel free to save and share with colleagues to help them better understand how this all works.

  1. SMS has a 99% delivery rate within 3 seconds.
  2. Security controls must be able to inspect and evaluate URLs in less than 1 second to avoid latency and concatenation issues. Classifying dangerous URLs after their 1-to-3 second journey is useless because they’re already in everyone’s inbox.
  3. SMS has a 95% open rate.
  4. Everyone who’s likely to “tap-and-download” will do so within the first 15 minutes. Security doesn’t have up to 15 minutes to block dangerous URLs because they’re already inside everyone’s message on their handset.
  5. SMS has zero cybersecurity.
  6. It’s fast, cheap, and easy to broadcast massive phishing campaigns using a web service that sits on top of a SIM bank.

I’ve written a detailed LinkedIn article comparing SMS with Email phishing here.

Lack of cybersecurity in more detail

The cybersecurity industry hasn’t created a category for SMS yet. Irrespective of industry, incumbent vendors wait for markets to mature before investing in the build and iteration of new products and services. This should be obvious by the fact MetaCert is the first and only cybersecurity company in the world to offer an SMS security solution for operators — despite the fact that the entire world is inundated with SMS scams every hour.

Gartner and Forrester haven’t published anything about “SMS Security” yet. This will likely change in 2022 because it takes them a few years to catchup with new security threats and available solutions from new vendors. Gartner is unable to create a magic quadrant until it’s possible to include their clients.

FluBot is changing everything

Mobile operators with infected handsets on their network are most likely to invest meaningful time and effort to address SMS phishing. Identity theft and fraud is a subscriber problem — at least that’s how operators perceive it.

Why SMS Firewalls are not the answer for SMS phishing

Operators along with thousands of SMS vendors around the world generate many billions of dollars from SMS traffic every year. Whenever brands and banks use a legitimate web-based service like Twilio or Sinch for SMS campaign management and alerts, every operator and all their SMS stakeholders earn revenue from every message. Some might earn something like $0.0001 for every message that goes through their network/system. As you can imagine, this is vital revenue to protect.

Many SMEs and some major brands however, opt for a cheaper way to send SMS messages to their customers. They probably don’t know this, but they break the terms of service with operators because they use banks of SIM cards that have unlimited data tariffs. While the service provider might charge a tiny fee for each message, nobody else gets paid a penny. That’s upsetting for operators.

To reduce the risk of their infrastructure being used to broadcast millions/billions of messages for free, operators integrate an “SMS Firewall”. SMS Firewalls are not cybersecurity solutions designed to protect subscribers. They’re designed to protect SMS revenue by detecting “how” messages are being sent. They also have a little AI to determine message content, so they can block unsolicited sales and marketing messages — similar to how email spam filters block unsolicited emails that are annoying.

SMS firewalls are now adding AI/ML and regex for URL-based pattern detection and recognition in the hope they can protect subscribers from phishing attacks. MetaCert uses these tools and techniques, but only as part of a bigger solution on our backend — representing less than 0.5% of our tech stack. So I’m confused by what they think is possible without classification data. SMS Firewall vendors don’t know what they don’t know, leading operators to place misguided trust in what they’re being told is possible.

Why AI can’t stop SMS phishing

Artificial intelligence (AI) can’t exist without machine learning (ML). ML can’t exist without massive data sets. Therefore, it’s impossible to have AI without data. This means it’s impossible to use AI for URL recognition without classification data.

De ja vu

Today, MetaCert is the only company in the world with a security service that’s designed for SMS.

A new cybersecurity category for SMS is born

Please allow me to lend credibility to my assertions around the need for a security category for SMS.

Smartphones

When MetaCert pioneered the very first URL-based security service for smartphones, no other vendor offered a solution. It took at least 2 years for a second vendor to offer any kind of solution.

Mobile apps

When MetaCert pioneered the first (patented) URL-based security service for mobile apps, few knew what a WebView was and security researchers later cited my blog posts without attribution in their keynote presentations at cybersecurity conferences. No other vendor offered a solution. It took at least 2 years after MetaCert entered the market, for the second vendor to offer any kind of solution.

Team collaboration & messaging services

When MetaCert pioneered the first security service for Slack, Skype, Messenger and Telegram, Gartner analysts didn’t show any interest and big security vendors said these channels wouldn’t be a security threat. No other vendor offered a solution. It took at least 2 years after MetaCert entered the market, for the second vendor to offer a security service for team collaboration and messaging services.

Today, it’s obvious to everyone, why we need security for smartphones, apps, team collaboration, and messaging services.

SMS

Today, SMS is the latest channel to be targeted by criminals and again, MetaCert is the first to pioneer the first security service. Today, no other security vendor is offering a solution. Again, SMS firewalls don’t count, which is why we’re building a reseller program to make it easy for them to resell MetaCert.

A few more articles you might find interesting

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.