SMS phishing - a cautionary tale

SMS phishing - a cautionary tale

Will Moore by Will Moore on

Scams that try to extract personal information via phishing sites, phone calls, or SMS are on the rise. It’s something we covered in detail in What is phishing, and how can you protect yourself?

As someone who works for 1Password, security is a big focus of mine. I’m happy to admit that this job has made me far more paranoid than I used to be, and naturally I use 1Password to make sure all my passwords are strong, unique, and have never been included in any breach. I’ve read our internal security guide many times over, and I took part in a company-wide security training session just recently at our annual company get-together.

You’d think all this preparation would keep me safe from phishing – but last week, I was nearly caught by an SMS phishing attempt. If I can be caught out, so can you, and so I write this post in the hope that my experience will encourage others to be cautious.

The perfect time and place

In January, the 1Password team got together in Florida for our annual AGConf, and I was waiting in Miami airport for my flight home when the perfect storm of events began to occur.

I went to the store for some water and a packet of cinnamon Altoids (you can’t get them in 🇨🇦) and weirdly my Scotiabank Amex card was declined. I tried my MasterCard and same thing – no dice.

Resigning myself to being dehydrated and not having spicy cinnamon candy for the journey, I gave up and boarded my flight, planning on calling my bank when I got home.

I reconnected my cell phone when I landed in Toronto and the usual flood of notifications came in. One of these was an SMS from my bank.

fraudulent sms image

In my tired state I clicked the link without thinking. My card had been blocked, so a message was expected – the timing was perfect. As I hit the website on my phone, I remembered the security training we’d completed the week before and began to question what I was seeing.

fraudulent website image

I went back to the SMS. Let’s list the errors there:

  1. Last time I checked, Scotiabank wasn’t spelled with a 0 (SC0TIABANK)
  2. My “client card”? That’s a weird way of saying it…
  3. 4536 is quoted. The first 4 numbers of a card are public knowledge.
  4. Hang on a minute… is a subdomain, not the actual domain!

There were even more clues on the webpage:

  1. The biggest one is the lack of padlock in the address bar. This indicates that the site isn’t using SSL to encrypt the connection – that’s a big no-no for a bank.
  2. That Online Security Guarantee is very badly designed. Not sure the real Scotiabank would let that slide.

I closed the page, thankful that I hadn’t provided any personal information, but concerned that I’d so nearly given someone access to all my bank accounts.

Lesson learned

Everyone is vulnerable – whether you’re an expert or have no security background at all. If the conditions are right, you can be caught out.

I was just the right level of distracted and tired that I nearly fell for this, and by total chance the timing of the message was perfect for my circumstance. Suffice it to say, I will be even more paranoid from now on, and I hope you will be too!

If you’re using 1Password already and want to improve your personal security, running a Watchtower report is a great place to start. You can also keep your credit cards in 1Password, and a great tip that I got from a colleague is to add the emergency number on the back of the card to the item in 1Password – that way, if your card is lost, you can still easily cancel it.

Will Moore

Not using 1Password yet?

Increase your personal security by starting a 1Password membership today.
Get 14 days FREE

Design & Web Lead

Will Moore - Design & Web Lead Will Moore - Design & Web Lead

Tweet about this post