Introduction

For over five years, Macnica has been monitoring the efforts being made by telecommunications carriers to combat smishing. In this column, we will look into the rapid changes in smishing and introduce the progress being made by telecommunications carriers as they continue to discover and combat smishing together with various stakeholders.

What is SMS?

SMS is a basic function of mobile phones, and can be used from the day you purchase a mobile device without the need to install any apps. Since phone numbers are linked to their owners, there has been an increase in the number of cases in which companies use SMS to contact users, and the volume of SMS sent has also increased dramatically. SMS messages are used for a variety of purposes, including passwords for identity verification, surveys to improve services, and notifications.

Smishing takes advantage of the convenience of SMS

SMS is convenient because it does not require any app settings and can send messages directly to mobile phone numbers. In recent years, phishing scams, known as smishing, that exploit this convenience have been increasing rapidly.
Smishing is a combination of the words SMS and phishing, and refers to a method of misusing SMS to lure users to fake websites and steal their personal information. Many of you may have received a message like the one below. ^[1]

In order to make the SMS itself appear more trustworthy, there are many cases where real company names and brands are included in the message to make it appear as if the message is coming from that company.
Many of these messages tend to make the recipient feel anxious and want to check things immediately.
If you access the URL in the message (such as www.●●●●●.com), it will take you to a fake site that looks just like the real thing, and any personal information you enter there will be given directly to the attacker. Fake sites are so cleverly made that it is difficult to tell whether they are real or not.
In addition to personal information, users are prompted to enter other information such as IDs, passwords, phone numbers, bank account numbers, and credit card numbers (including security codes). This information is traded on the black market and is at risk of being used for fraudulent purposes. In some years, losses from stolen credit card numbers have amounted to 40 billion yen, and fraudulent transfers over the Internet have exceeded 8 billion yen.

Smishing techniques are becoming more sophisticated

Smishing methods have become more sophisticated these days.
For example, when accessing a URL in an SMS, a pop-up appears requesting an app update, and when you press "OK," malicious software that allows an attacker to remotely control your mobile phone is installed, and there are also increasing cases of people sending smishing messages to others without their knowledge. With this method, the sites you are directed to differ between iOS and Android, and there are cases where the site encourages you to install a malicious app and cases where the purpose is to steal your ID and password.

As a result, the number of infected devices with malicious apps installed in Japan is rapidly increasing, and the number of smishing messages being sent unintentionally is also increasing. This is why the damage caused by smishing is expanding.

Issues facing telecommunications carriers in taking measures against smishing

As the damage caused by smishing has become a social problem, discussions and debates have begun on what kind of effective measures can be introduced to reduce the number of people who fall victim to this smishing. In implementing these measures, one thing that must be taken into consideration is the "secrecy of communications." Being able to communicate in secrecy without anyone knowing the content of the communication, its existence, or the other party's facts is extremely important in terms of guaranteeing personal privacy and guaranteeing free means of communication. This is guaranteed in Article 21, paragraph 2 of the Constitution, where secrecy of communications is an essential right for individuals to live. Telecommunications carriers must comply with the "secrecy of communications" as stated in the Constitution.

To prevent smishing from being received on a device, carriers need to view the contents of SMS. However, without the user's consent, the contents of the message cannot be viewed, making it impossible to determine whether it is malicious or not. To solve this problem, systems have been launched that allow users to choose whether or not to allow carriers to view the contents of messages in order to identify smishing. If users want to prioritize the privacy of their communications, they can turn off the functions provided by carriers.

Overcoming barriers and starting to block smishing

Thus, after various adjustments, consideration of requirements, and preparation for operation, telecommunications carriers will begin offering spam SMS rejection settings services starting in July​ ​2022. Users can turn off the setting if they do not want to receive the service.

In addition to these blocking services, telecommunications carriers are also strengthening measures on the app side of mobile phone devices, and are continually disseminating and rolling out initiatives to prevent users from becoming victims of scams, such as issuing warnings on their respective websites and on X.​

Smishing continues to grow even after launch

Telecommunications companies want to prevent users from receiving SMS that could lead to fraud, but as the number of companies using SMS is increasing, they absolutely need to avoid situations where genuine messages sent by companies to users are mistakenly stopped, resulting in users not receiving messages that should be delivered. They are carefully examining the system and operations, paying close attention to ensure that the system is safe and secure and does not impede the operations of companies, and are working day and night to consider the issue.

The reality is that this problem is not so simple that the introduction of these systems will solve the problem 100 %. The methods of smishing itself are constantly updated on a daily basis (sometimes every few minutes), and a battle is ongoing. As mentioned at the beginning, smishing has become more serious, and even after the blocking of spam SMS began, various methods and techniques are being tried, placing an immeasurable burden on the telecommunications carriers.
Furthermore, the number of cases where users are prompted to download malicious apps onto their mobile phones is increasing, and the number of malware infections in which users are unknowingly complicit in smishing transmissions is rapidly increasing. The problem with malware infections is that users are both victims and perpetrators at the same time, and in many cases they are unaware of the infection themselves.

New measures to begin in summer 2024

To mitigate this new problem, carriers are considering measures and have announced that they will issue a "Notice regarding unintentional sending of spam messages" at the end of March​ ​2024​ ​^[2]. If a SMS containing a URL that leads to a dangerous site is found to have been sent, carriers will contact users and ask them to check whether they have installed any unfamiliar apps and to delete them. At this point, only one carrier has announced this, but it is expected that other carriers will take similar measures (as of June​ ​10, 2024).

The fight continues...

Thus, the fight against smishing is never-ending. Telecommunications companies are making efforts every day so that we users can live our social lives more safely and securely. Phished information leads to fraudulent remittances and black market transactions, and the personal information and credit card numbers that have been traded are used fraudulently on e-commerce sites, and then people are employed as illegal part-time workers to receive and resell goods, creating a vicious cycle. Telecommunications companies cannot prevent everything by simply blocking spam SMS. Therefore, efforts are being made to look at the overall picture of the crime ecomap, gather many stakeholders across industries, and build a cooperative system. Stakeholders will continue to study how to reduce and eliminate fraud damage.

For a detailed technical analysis of Smishing, please see our published report ^[3].

reference:
[1] https://www.macnica.co.jp/business/consulting/columns/141063/
[2] https://www.docomo.ne.jp/info/notice/page/240328_01.html
[3] https://www.macnica.co.jp/business/security/mnc/phishing_report_202207.pdf