Introduction
In the recent past, cyberattacks have become more prevalent as cybercriminals have taken advantage of recent events such as the coronavirus pandemic, an increase in energy costs, and a general cost-of-living crisis. Scammers have increasingly concentrated on phone conversation (vishing) and text message (smishing) attacks in response to the rapid rise in mobile users. According to recent statistics from the UK’s HM Revenue and Customs, citizens and companies in the country were the targets of several cyberattacks by criminals who took advantage of the pandemic and all of its complications to make victims feel under time pressure to provide the necessary reaction (Sjouwerman, 2021). As of March and September 2020, there were close to 200K phone fraud reports and 59K smishing cases (Sjouwerman, 2021). Cyber-attackers have been recognized as targeting sensitive data, passwords, and payment card numbers to build profile information that will allow them to commit fraud, as was the case with Royal Mail, one of the largest post and parcel companies worldwide. Following a substantial increase in the number of fraudulent Royal Mail text messages being sent out, the mail giant fell victim to smishing. The scam text messages asked the recipient to click a malicious link to reschedule a package or pay additional charges (Marzouk, 2021). As the pandemic ensued, fraudsters could generate COVID-themed scams more appropriate for voice and text mediums, thereby heightening the traction of fraudulent activities in the country. Owing to the detrimental impact of such an event, there is a need to raise awareness of vishing and smishing, their impacts, and the more viable strategies being employed to protect the public and organizations against similar future attacks.
Anatomy of the Attack
The Cyber Kill Chain framework is essential in assessing and understanding a smishing and vishing attack because it explains the vulnerabilities used by attackers. The first phase is reconnaissance, wherein a malicious party selects a target and investigates network flaws and vulnerabilities that can be exploited. The stage may entail locating possible targets, determining their vulnerabilities, establishing their connections and access information, examining existing entry points, and seeking out new ones (Straub, 2020). In general, the more information the attacker can obtain during this phase, the more complex and compelling the attack will be, and therefore the greater the possibility of success. In the case of the Royal Mail scam, the worldwide pandemic opened up several opportunities for cybercrime, as the internet shopping boom gave rise to fake delivery text messages. Due to the coronavirus strain and lockdown, the mailing company expected parcel-driven demand growth from the public. Consequently, this presented a significant entry point for the scammers to exploit in undertaking fraudulent activities.
The second stage is called weaponization, which begins after the attacker has gathered all pertinent data about possible targets, particularly vulnerabilities. The culmination of the attacker’s planning during this stage is the generation of malware that will be used against a designated target and take advantage of the vulnerability (Dargahi et al., 2019). Furthermore, if network administrators discover and shut down the attacker’s original point of entry, the attacker may still be able to access the system through the back doors they have put in place. Cybercriminals devised fake Royal Mail text messages that would refer unsuspecting consumers to a fake website upon clicking a link. The scammers, posing as authoritative figures and instilling a sense of urgency, created a point of intrusion.
The delivery stage is the subsequent step of the cyber kill chain framework, which entails infiltrating the designated target’s network and users. Delivery may entail sending text messages with malware attachments that entice individuals to click through with misleading subject lines, as in the case of the Royal Mail scam. In order to deceive the victim into clicking a link, the scammer posed as Royal Mail seeking payment and consumer details. The next step is the exploitation stage, in which attackers use the vulnerabilities identified in earlier phases to infiltrate a target’s network further and accomplish their goals. Cybercriminals frequently traverse networks laterally throughout this phase to reach their objectives through deception techniques (Straub, 2020). By clicking a malicious link, consumers were lured into submitting payment information on a phoney Royal Mail website, which the scammers then used to steal money. This succeeded because the victims believed the link was secure and came from a reputable organization.
The next step involves the installation of the malware, which is identified as the turning point of the cyberattack lifecycle. The scammers entered the victims’ systems when the customers unsuspectingly clicked the malicious link, enabling the attackers to assume control of their credentials. The scam texts posed specifically as Royal Mail, claiming the customers had to pay outstanding postage fees to receive a parcel or enter their credentials to rearrange the parcel deliveries. The subsequent phase is command and control, which allows the attacker to assume complete control of the target’s network. In this case, the attackers used the malware installed on the victims’ systems to gain access to and control of their bank accounts (Cunningham, 2021). The malicious links allowed the scammers to achieve the last stage of Lockheed’s framework, which entails accomplishing their objectives. The fake Royal Mail texts hoaxed the consumers into inputting their personal and bank information, allowing the scammers to carry out further fraud. Although the victims reported the incidents to the authorities, it was too late to gain a refund or access to the stolen cash. Still, the occurrence led to Action Fraud alerting the public of the scamming scheme, labelling it as “malicious mail”, and Royal Mail alerting citizens to be wary of ongoing fraudulent activities to safeguard themselves against the attack.
In the Royal Mail text scam, cyber attackers used the pandemic to carry out their fraudulent activities. Bearing in mind that the lockdown would increase the reliance on parcels and deliveries, the attackers psychologically manipulated customers by creating a sense of need and urgency to pay outstanding fees to acquire their parcels. The surge in similar vishing and smishing attacks indicated the necessity for public awareness and viable strategies to avert future attacks.
Impacts
Smishing and vishing attacks have detrimental impacts on both consumers and organizations. The Royal Mail smishing scam adversely affected consumers hoaxed into clicking the attached malicious links, as they lost their personal and bank credentials. Remarkably, the links directed the victims to a fake Royal Mail website that allowed the scammers to gain access to and control of the victims’ bank accounts. Upon paying the outrageous parcel fee, the victims were alerted by their banks to multiple recurring direct debits being made for stores and mobile phone companies, cancelled debit cards, and new account numbers being generated (Boyd, 2021). Consequently, this attack brought about massive inconvenience and loss for the victims.
Vishing and smishing attacks harness stolen credentials for the wrong purpose. For instance, the victims had to endure a series of cold calls from their banks regarding transfers of their money to other unknown accounts, as unlimited withdrawals emanated from simple text messages. Moreover, in the middle of the pandemic, when cashless and card payments were the sole ideal option, the victims were plunged into a difficult situation (Boyd, 2021). The malware similarly allowed the scammers to use the contact information in future fraudulent undertakings. As such, the Royal Mail attack successfully stripped people of their life savings, arousing guilt and fear and making it difficult for them to recover from the event.
Similarly, organizations face adverse impacts due to vishing and smishing attacks. Royal Mail experienced damage to its company image as several customers became wary and worried that they would become the next victim. Smishing attacks are more difficult to curb since text messages are seen as direct, personal, and safe compared to emails, making them more credible for conducting untraceable and effective fraudulent activity (Kersley, 2021). Still, the increase in smishing attacks linked to the company brought about a loss of confidence and a lack of customer satisfaction in how the company was attempting to tackle the situation. Royal Mail similarly had to suspend delivery services for some time to control the cyberattack, which resulted in customer inconvenience due to the delays, loss of revenue and market share (Cunningham, 2021). To rectify the cyberattack, the company had to incur additional charges to set up better protective protocols in its systems. As such, the aforementioned detrimental impacts indicate the crucial need for incorporating suitable approaches to prevent future attacks.
Recommendations
The company must implement robust security measures to curb nefarious smishing and vishing threats. This may be done by implementing two-factor authentication to its full potential. By making it more difficult for attackers to access a victim’s stolen accounts, two-factor authentication provides an additional security measure to the authentication process. This is because, even if the victim’s password is compromised, it is insufficient to complete the authentication check. The attackers will still need login information to access the victim’s financial records even if the intended target is duped into clicking on the malicious link and their personal and financial credentials are obtained (Pranggono & Arabo, 2021). In order to secure the systems and prevent attackers from accessing user information to access bank and financial accounts, this still necessitates the usage of strong and distinctive passwords that are frequently changed. Similarly, the organization needs to update its devices constantly. Critical security updates and enhancements brought by software upgrades raise the bar for cybercriminals who might try to infiltrate their systems, thereby minimizing such attacks.
Customers and organizations alike should use cutting-edge spam filtering technologies. Such tools are essential for preventing spam emails, calls, and texts from reaching victims’ inboxes (Baykara & Gürel, 2018). Antispam filters prevent malicious messages from being delivered, effectively stopping all efforts at cyberattacks. Additionally, many spam filters offer extra privacy features like password protection, which can help safeguard personal information and online security. Lastly, public education is essential for raising awareness and enabling people to distinguish between genuine and fraudulent messages, regardless of how compelling they are or from whom they are sent (Zwilling et al., 2022). In the case of smishing, consumers must understand what to anticipate from the technologies and systems used by the company. The public should learn how to recognize strange behaviour and malicious acts through education. For instance, when the organization informs the public that delivery alerts are only issued via emails, consumers are less inclined to click a delivery alert they receive via text, regardless of how skillfully the scammer’s text is written.
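The following is an added example, not part of the original essay, of the kind of check a text-message spam filter can apply to the delivery lure described above: the brand is named, the link goes to a host the brand does not own, and the message asks for payment under time pressure. The official-domain list, keyword lists, score weights, threshold and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: domains the brand really uses. A real filter would load the
# full list from the brand owner rather than hard-code one entry.
OFFICIAL_DOMAINS = {"royalmail.com"}
BRAND_RE = re.compile(r"royal\s*mail", re.I)
# Cues from the lure the essay describes: fees to pay and time pressure.
PAY_RE = re.compile(r"\b(fee|fees|pay|payment|charge|charges|postage)\b", re.I)
URGENT_RE = re.compile(r"\b(now|today|immediately|urgent|returned)\b", re.I)
# Link-like tokens, with or without a scheme (scam texts often omit it).
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def link_hosts(text):
    """Return the lower-cased host of every link-like token in the message."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw if "://" in raw else "http://" + raw
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def is_official(host):
    """True only for an official domain or a true subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def score_sms(text):
    """Return (score, reasons); a score of 3 or more is treated as smishing."""
    score, reasons = 0, []
    hosts = link_hosts(text)
    off_brand = [h for h in hosts if not is_official(h)]
    if BRAND_RE.search(text) and off_brand:
        score += 2
        reasons.append("brand named, link goes to " + off_brand[0])
    if any("royalmail" in h.replace("-", "") for h in off_brand):
        score += 1
        reasons.append("lookalike host")
    if PAY_RE.search(text) and hosts:
        score += 1
        reasons.append("payment request with link")
    if URGENT_RE.search(text):
        score += 1
        reasons.append("time pressure")
    return score, reasons

# Constructed sample messages (not real captures).
SCAM = ("Royal Mail: your parcel has an outstanding postage fee. Pay now at "
        "https://royalmail-redelivery.example/pay or it will be returned.")
GENUINE = "Royal Mail: your parcel arrives today. Track: https://www.royalmail.com/track"
```

The suffix check in is_official is what keeps hosts such as royalmail.com.evil.example from passing as the brand's own domain.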
Conclusion
In the UK, there has been a rapid increase in smishing and vishing attacks, with fraudsters devising new methodologies for scamming consumers. Royal Mail, a leading global parcel delivery giant, is an example of an organization that fell victim to such attacks in the form of a malicious smishing scheme. Scammers posing as the reputable company sent text messages instructing consumers to pay an outstanding fee to obtain their deliveries, hoaxing them into clicking a malicious link that directed them to a website requesting their personal and financial credentials. Consequently, these fraudulent smishing attacks had detrimental effects on both consumers and Royal Mail, including a tainted company reputation, loss of confidence and customer satisfaction, and decreased market share and revenue. Text messages and calls are regarded as personal, making vishing and smishing attacks challenging to curb and requiring companies to employ viable strategies to minimize such nefarious threats. Public education, two-factor authentication, spam filters, and unique passwords effectively provide additional and advanced security, thereby minimizing future threats.
References
Baykara, M. and Gürel, Z.Z. (2018, March). Detection of phishing attacks. In 2018 6th International Symposium on Digital Forensic and Security (ISDFS) (pp. 1-5). IEEE.
Boyd, C. (2021). The human impact of a Royal Mail phishing scam, Malwarebytes. Available at: https://www.malwarebytes.com/blog/news/2021/03/the-human-impact-of-a-royal-mail-phishing-scam (Accessed: March 31, 2023).
Cunningham, A. (2021). What to look out for as Royal Mail customers targeted by the second scam, BerkshireLive. Available at: https://www.getreading.co.uk/news/reading-berkshire-news/royal-mail-customers-targeted-second-19982242 (Accessed: March 31, 2023).
Dargahi, T., Dehghantanha, A., Bahrami, P.N., Conti, M., Bianchi, G. and Benedetto, L. (2019). A Cyber-Kill-Chain based taxonomy of crypto-ransomware features. Journal of Computer Virology and Hacking Techniques, 15, pp.277-305.
Kersley, A. (2021). The relentless rise of Royal Mail Text Message Scams, WIRED UK. Available at: https://www.wired.co.uk/article/royal-mail-text-message-scams (Accessed: March 31, 2023).
Marzouk, Z. (2021). Royal Mail-related phishing scams surge by 645%, IT Pro. Available at: https://www.itpro.co.uk/security/359176/645-increase-in-royal-mail-related-phishing-scams (Accessed: March 30, 2023).
Pranggono, B. and Arabo, A. (2021). COVID‐19 pandemic cybersecurity issues. Internet Technology Letters, 4(2), p.e247.
Sjouwerman, S. (2021). Phishing attacks in the UK rise by 73% during the pandemic months as vishing and smishing attacks also increased, KnowBe4 Blog. Available at: https://blog.knowbe4.com/phishing-attacks-in-the-u.k.-rise-by-73-during-pandemic-months-as-vishing-and-smishing-attacks-also-increase (Accessed: March 30, 2023).
Straub, J. (2020, November). Modelling attack, defence and threat trees and the cyber kill chain, attack and stride frameworks as blackboard architecture networks. In 2020 IEEE International Conference on Smart Cloud (SmartCloud) (pp. 148-153). IEEE.
Zwilling, M., Klien, G., Lesjak, D., Wiechetek, Ł., Cetin, F. and Basim, H.N. (2022). Cyber security awareness, knowledge and behaviour: A comparative study. Journal of Computer Information Systems, 62(1), pp.82-97.