Phishing links in the texts are also often shortened to disguise the actual URLs, which makes it hard for victims to check if the links are valid, said Mr Jonathan Jackson, cyber-security firm BlackBerry’s director of engineering for the Asia Pacific.
Furthermore, the links lead to fake sites that look genuine, allowing scammers to steal the login details that unsuspecting bank customers key in.
Changes in lifestyles could have played a part too.
For one, many people are used to living their lives on mobile devices, Mr Jackson said. But these devices are not usually equipped with programs that can alert users to, or block, malicious activities or visits to suspicious sites.
Criminals can use malware they tricked victims into installing on their phones to steal one-time passwords (OTPs) and SMSes as well, said Mr Jackson.
With the fast pace of life, people tend not to heed prior warnings, he added.
Mr James Lee, cyber-security firm F5’s security solution architect for the Asia Pacific, China, and Japan, said that with Covid-19 “impacting the way we play and pay, many customers have had to turn to digital banking overnight – relying on SMS alerts for things like OTPs to authenticate transactions”.
The crooks are learning from their past mistakes to launch successful attacks, with campaigns by organised groups instead of individual hackers, he added.
For instance, the latest SMSes aimed at OCBC customers had fewer typographical errors, and used more professional-sounding and less alarmist language than past scams. These made the fake texts seem more legitimate.
Another problem is that spoofing SMSes is very easy. Mr Jackson said that businesses may tap companies called SMS aggregators to generate SMSes to be sent to customers. But these aggregators can be misused by criminals to spoof names and numbers of legitimate organisations to send scam texts.
While an anti-SMS spoofing registry will help cut the volume of fake SMSes, Mr Jackson warned that recent studies in Australia and Britain showed that such registries are not foolproof.
“SMS technology is almost three decades old, and it wasn’t necessarily built with security, as we know it today, in mind,” he said. “Organisations need to move away from mobile platforms that do not come with anti-phishing in SMS applications.”