The Bangko Sentral ng Pilipinas (BSP) on Wednesday, Dec. 17, warned the public against text hijacking, a method to deliver smishing attacks wherein fraudsters use named SMS Sender IDs to send malicious or fraudulent SMS.
Text hijacking is a modus operandi where fraudsters insert themselves into legitimate text message conversations, making their messages appear safe by blending in with other messages from a trusted source.
This increases the effectiveness of the delivery of smishing attacks as they appear to be coming from a legitimate sender.
Fraudsters spoof the sender ID of financial institutions and send smishing messages containing malicious links, aiming to gain unauthorized access to financial accounts of their victims.
A notable method for executing text hijacking involves the use of International Mobile Subscriber Identity (IMSI) catchers.
These devices broadcast a stronger signal than nearby legitimate cellular towers, tricking mobile phones within a specific geographical area into connecting to them instead of the real network.
Once connected, fraudsters can then send SMS or text messages with malicious content or phishing links to achieve their objectives, potentially compromising sensitive information.
The BSP advised consumers of the following:
- Never click links in SMS messages even if they appear to be coming from your bank, e-money provider or financial institution;
- Always scrutinize the messages you receive. Remember that banks/e-money issuers will never ask you to click a link sent through email or SMS to execute transactions that you did not initiate. You may go directly to mobile or internet banking facilities for any transactions with your bank/e-money issuer; and
- Report any unusual transactions and/or activities involving your bank/e-money accounts to your bank/e-money provider immediately.
The BSP said it is collaborating with BSP Supervised Financial Institutions (BSFIs) and key stakeholders to address text hijacking concerns.