The message says your package has been delayed and please click on the link for more information. Clicking on the link might take you to a web page that asks for money (don’t give them any) or your credentials to log in (don’t give them your details) or worse, ask you to download an app – one that then infects your phone and sends the message out to all your contacts.
These scams aren’t new but they certainly have an immediacy given our current situation. I complained to my family last week that we’d need a second recycling bin for all the cardboard we’re getting delivered to the house – barely a day goes by where we don’t get two or three drop offs from one courier or another. Getting a message to say there’s a delay, or that the package will be delivered today, is nothing new which makes it doubly difficult to spot when it’s a fake.
There are a few things the telco industry can do to help. First of all, we share information about such things between ourselves, the Department of Internal Affairs (which has authority over the anti-spam laws in New Zealand) and CERT NZ, the government’s cyber response team. Knowing how widespread a problem is helps direct resources to fixing the problems that are most pressing.
We also work together to try to block the web addresses used in these attacks. If you can’t access the website listed, you can’t unwittingly hand over your personal details – so we try to track down the URL host and get them to take it down. This can happen immediately, but generally takes several days depending on how helpful the hosts want to be. We have good relations with partners overseas so work closely with them to block the sites as they pop up, but all too often the scammers use multiple sites and move swiftly to redirect traffic.
We can also, in a pinch, block numbers that are sending out the text messages. That works fine in theory, but in practice the bad guys use fake numbers or worse, as in this week’s example, real numbers that are owned and used by real people who have been infected by the malware.
The networks we use to communicate are highly secure from the handsets through to the cell towers and fibre networks we use right around the world. But the systems and processes on which most of our communications are based were built on a layer of trust – trust that you are who you claim to be, trust that you’re communicating legitimately, trust that you aren’t trying to steal money or identity or that the app you’re offering does what it says and not something else entirely. Whether it’s phone calls, text messages, emails, web addresses or apps, we’re trusting that when we click on something it’s going to do what it says and not something else entirely.
That means that ultimately, the power to manage your security rests in your hands. You’re the human firewall that has to assess and evaluate the risk versus the reward, whether clicking on that link makes sense or makes your Spidey-senses tingle.
If something doesn’t feel right, it probably isn’t. If you think “they’ve never done this before” then maybe there’s a reason. If in doubt, contact the provider by another channel (look up their phone number, send them an email, don’t rely on the links provided in the message in front of you) and see if it’s listed on the CERT NZ website.
If you do receive a text message that doesn’t appear legitimate, let the DIA know. Forward it on to 7726 and follow their guidance on how to handle it.
There’s no shame in being caught by these things. They’re cunning and designed to look like the real deal and it happens to all of us. But if we work together, we can stop them from spreading and stop them being effective and hopefully we can help make sure it doesn’t happen again.
By Paul Brislen, TCF CEO