Week 26: New phishing variants via telephone and personalised text messages

05.07.2022 - The number of reports received by the NCSC last week was significantly lower, mainly because of a decrease in fake extortion emails. Notable were phishing attempts in which no link was sent but a callback was requested, as well as phishing text messages containing a personalised link that can be deactivated after use. The two approaches show that attackers are willing to invest more time and effort in their phishing campaigns.

Phishing is usually a mass business. The attackers register a website that looks similar to that of a well-known company and then send the link to thousands of recipients. This is done in the hope that one or two people will respond and provide their details. In the last two weeks, several cases have been reported to the NCSC, showing that phishing attacks are becoming more targeted. The cybercriminals are making a much greater effort to obtain passwords and credit card details.

Phishing following a phone call

One phishing attempt began with an email that contained no phishing link but had an invoice attached, in this example from a company supposedly based in France called "Paiement Techmania LLC". The invoice claims that a payment of CHF 540 has been received for the renewal of an antivirus subscription and asks the recipient to call the telephone number given in case of problems with the payment. Since the invoice is fictitious and the recipient has never transferred any money, they are very likely to call the number given in order to resolve the supposed error.

In this case, however, no one answered the phone. Instead, a few hours later, the victim's call was returned from a similar number. The caller stated that he would cancel the order and refund the money that had supposedly been paid. To this end, the purported seller sent an email, but this time with a link to a phishing website.

Email with link to a phishing page sent after the phone call from the fraudsters

The attacker uses the phone call to build up additional trust and induce the victim to make an ill-considered move. The fraudulent link reaches only a limited number of people, as it goes only to those who have taken the invoice seriously and have called back. In this way, the attackers reduce the likelihood that the link will be quickly reported to the security authorities and the phishing site taken down.

Phishing text messages with real names

The phishers also use another method to shield their phishing pages from being reported and taken down. Here, the attackers use personalised links which can be deactivated after use – i.e. after the victim has clicked on the link.

Personalised text messages with a link to a phishing page

Initially, in a text message containing a phishing link, the recipient is addressed by their correct name.

The phishing page is also personalised with the name and phone number

As soon as the victim clicks on the phishing link, they receive a personalised login screen showing the correct name and phone number. Interestingly, the next step is to provide the email address – which the phishers apparently do not have.

The "phished" person is asked to enter their email address (or the phone number again)

Only after entering the email address does the website appear where the credit card details are then phished.

It is not possible to assess whether the additional effort made by the phishers described here is actually worth it. However, the NCSC certainly tries to take such websites down as quickly as possible, thanks to the active help of those who report them.

  • Do not trust any unsolicited emails and text messages that you receive.
  • Do not allow yourself to be put under pressure and take enough time to clarify the matter.
  • When making enquiries, do not use the telephone number or email address in the message that you have received. Instead look for the number or email address on the company's official website.
  • Report phishing links directly to reports@antiphishing.ch or at www.antiphishing.ch. If you are unsure whether an email is a case of phishing, you can always forward it for analysis via the NCSC reporting form.

Last modification 05.07.2022


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_26.html