The Bangko Sentral ng Pilipinas warns the public against text hijacking, a method to deliver smishing attacks wherein fraudsters use a named SMS Sender IDs to send malicious SMS (“texts”).
What is Text Hijacking?
Text Hijacking is a modus operandi where fraudsters insert themselves into legitimate text message conversations, making their messages appear safe by blending in with other messages from a trusted source.
This increases the effectiveness of the delivery of smishing attacks as they appear to be coming from a legitimate sender. Fraudsters spoof the sender ID of financial institutions and send smishing messages containing malicious links, aiming to gain unauthorized access to financial accounts of their victims.
How Does Text Hijacking Work?
A notable method for executing text hijacking involves the use of International Mobile Subscriber Identity (IMSI) catchers. These devices broadcast a stronger signal than nearby legitimate cellular towers, tricking mobile phones within a specific geographical area into connecting to them instead of the real network. Once connected, fraudsters can then send SMS or text messages with malicious content or phishing links to achieve their objectives, potentially compromising sensitive information.
How can you protect yourself from Text Hijacking attacks?
Financial consumers are advised of the following:
1. NEVER click links in SMS messages even if they appear to be coming from your bank, e-money provider or financial institution;
2. ALWAYS scrutinize the messages you receive. Remember that banks/e-money issuers will NEVER ask you to click a link sent through email or SMS to execute transactions that you did not initiate. You may go directly to mobile or internet banking facilities for any transactions with your bank/e-money issuer; and
3. REPORT any unusual transactions and/or activities involving your bank/e-money accounts to your bank/e-money provider immediately.
The BSP assures the public that the BSP, in collaboration with the BSP Supervised Financial Institutions (BSFIs) and key stakeholders, are already taking measures to address text hijacking concerns.