Text message phishing attacks have evolved over time with the advancement of security technology. OTP (One-time Password) is currently the most commonly used 2FA (Two-Factor Authentication) technique. Most banks and many retail websites now require that in addition to you logging in with a password, you are also required to enter a code that you receive via Text, through email or from an authenticator app. This makes text messaging a target for criminals as hacking for passwords no longer sufficient .
In this guide we will look at an example of how a phishing attack is executed through a text message. We will also look at what could happen to our data if the attack is successful and how we could have prevented this. More detailed information regarding phishing can be found on my other post titled “How Do I Overcome Phishing Attacks?”
You receive a text message from Gmail saying your password has expired and you will receive a password reset code which you need to forward to 85965 so that we can generate your password reset link. The text message is from the same number you have received Gmail verification codes from previously so you went ahead and forwarded to the number provided.
What is actually happening?
The text message you received was from a scammer who made you believe that your password has expired as you have not changed it in a long time. Once the scammer made you believe the text is genuine the scammer went to the Gmail website and clicked reset Gmail password, however he would not able to reset your password as you have two factor authentication enabled. This is why the scammer had asked you to forward the reset code to his number so that a password reset link can be sent. He then used the code you forwarded him to get through your two factor authentication. The text message looked like it had come from a genuine Gmail reset phone number but the scammer spoofed the phone number to make you believe you received the message from Gmail.
What will they do with my data?
The scammer now has access to all your emails and can now go ahead and reset the login of all accounts you had used this email to register with. This can include your bank accounts, shopping sites, social networks, etc. They could even use your email account to manipulate your friends and family for money or infect their computers with viruses as they may trust anything you send them.
What should I have done?
To begin with you should never share your authentication codes with anyone. If you need to reset your password you can always do it from the website of the provider. You could even change the 2FA from text message to an authentication app. This is known to be more secure and since you are not setup with text authentication any you text authentication message you receive you can confirm to be fake.