The verification code SCAM
There has been a lot of recent news about cyber-attacks. Scammers, hackers, and other cyber-criminals attack corporations and cause losses in the millions every day. Data breaches leave the personal information of a huge number of users exposed. Individuals suffer from identity theft. All of these are proof enough of how important security is for any website. While the people who make these attempts may seem to use state-of-the-art methods, most of the time they only need to target the weakest links in a corporation.
In most cases, the weakest link of a system is the human component. People can be manipulated, bribed, or blackmailed into giving away important information. The oldest trick in the scammer's book is to fool the victim into giving away important information. This is known as phishing and it is a threat as old as the internet.
While phishing is an extensive subject, today's article focuses on a modern approach. This is called the verification code scam. In its simplest form, this scam consists of a malicious party sending a code to a victim's cell phone. These codes usually come from services like Google, Facebook, Twitter, or Amazon. If the scammer gets access to it, they can act as if they were another person on these sites.
One example of this scam has to do with Google Voice, a US-based service that supplies virtual numbers. To create these, a user needs to provide their number. After putting their number in, the user receives a verification code to confirm their identity. Since this is the only confirmation needed, anyone who has the user's code can create a virtual number on their behalf.
This has become a common strategy on websites like Gumtree, Craigslist or Facebook Marketplace, because users make their cell phone numbers public. The scam starts when the perpetrator sends a code to the seller to confirm that "they are a real person". When the seller passes the code on to the scammer, the scammer uses it to create a Google Voice virtual number. This way, they get a number that is linked with the victim's phone. Another awful situation arises when the scammer uses that code to reset the password for an email or other account.
Another commonplace scam involves WhatsApp's six-digit verification. The victim receives a text message from WhatsApp containing an authentication code. The scammer then asks for that code, posing as a friend who accidentally sent it to the victim. When setting up a new account, WhatsApp will send a verification code to the user’s device. While an unexpected code may be the result of someone typing their number by mistake, it may also come from someone who wants to register a device in that user's name. As WhatsApp states on their site, no one should ever share authentication codes with others. This is a good practice for all web services.
There is an older-fashioned style of scam where the victim receives a text from an unknown number. The message says that the receiver's number once belonged to the scammer and that they are trying to access an old account — often leaving the service unspecified. Again, this is usually a scammer who wants to create a virtual number on the victim’s behalf or even steal their passwords.
How to protect against SMS scams?
The SMS verification scam is one of the simplest forms of cyberattack. Almost no technical knowledge is required to execute it. This means that it's easy to get fooled by it, but also that protective measures against it are surprisingly simple.
For example, a lot of websites have started implementing two-factor authentication. With this system, personal accounts are protected both with a password and with some phone-based verification. The use of SMS as an authentication factor has been criticized, as it is easy to misuse. Because of this, alternative ways to get verification via phone have been developed. One great example is Google Authenticator, which implements time-based one-time passwords.
However, not all web services support these authentication methods at the moment. Here are a few other methods to protect against SMS scams:
● While two-factor authentication is better than none, SMS verification using a personal number may not be the best option. That's why using a virtual UK phone number to verify online services is a great option.
● Never open any links sent by text messages. More often than not, if a user is requesting a verification code, they already have the webpage handy.
● Be aware of what scam messages look like. Having someone with horrendous grammar asking for a code is usually a red flag. Other scammers employ extremely polite messages.
● Never share verification codes with anyone.
The bottom line is that scammers and hackers often employ simple methods for their attacks. The best defense is to be mindful of them. While these seem so simple that nobody could fall for them, a scammer's strength comes from the ignorance of their victims. Stay informed, and educate others to prevent cyber-attacks!