Written by Tim Callan, Chief Compliance Officer at Sectigo
While COVID-19 has plagued the UK for over a year now, another lesser-known epidemic has swept its way across the nation: the fraud epidemic. One of its main symptoms comes in the form of fraudulent texts claiming to be from Royal Mail, or other courier firms, asking for a small fee before a parcel can be delivered.
These messages, whether sent by SMS or email, hinge on the premise that the recipient has an unclaimed parcel and must pay a small amount to retrieve it. They usually include links to web pages that ask for payment details and other personal information, although some simply ask the user to click through to a form where they “accept the parcel”.
Then, fraudsters use this information to set up accounts or payments in the victim’s name, or to start more elaborate social engineering cons where they pose as bank employees and talk the victim into moving money to an account they control.
While scams that trade on delivery firms’ names are nothing new, in recent years the online shopping boom, combined with confusion over new Brexit-related shipping fees, has given fraudsters a far bigger pool of victims. With different forms of cybercrime coming from all angles at the moment, stemming the tide of rising threats can seem an impossible job. When it comes to the fake text epidemic, however, a concerted focus on strong digital identity may be the right way to fight back.
Identity is key
Fake delivery texts have surged for a number of reasons. For instance, the many data breaches of the last couple of years have landed billions of phone numbers in the hands of scammers.
There is also a weakness in many of our day-to-day communication systems: in any system without authentication or trusted identities, sender information can easily be spoofed. With no consequence for the criminals and little recourse for reporting the messages, people are sitting ducks.
In our increasingly connected world, trust is crucial at every step of a communication. Currently, any attacker can pose as DPD or the Royal Mail and the recipient would be none the wiser. There are a number of candidates for achieving this level of trusted identity, but the main one is PKI (Public Key Infrastructure).
PKI: The holy grail of web security
PKI is the set of roles, policies, hardware, software and procedures used to create and manage digital certificates and the public-key cryptography behind them. These certificates establish the identity of machine or human parties by binding that identity to cryptographic keys, so that only the verified holder of a key can take part in the protected communication. Use of PKI is already widespread: it is deployed to secure the electronic transfer of information in a range of network activities such as e-commerce, internet banking and confidential email.
PKI is generally required for activities where simple passwords are an inadequate authentication method and more rigorous proof is needed to confirm the identity of the parties in a communication and to validate the information being transferred. As yet, PKI doesn’t apply to mobile phone numbers, leaving bad actors free to target individuals as often as they like. However, this may be about to change.
Light on the horizon
As it stands, there is nothing to stop the epidemic of fake texts continuing to flood our inboxes. However, the ITU-T, a UN agency responsible for the rules governing every telephone network in the world, has been working on a PKI standard titled SHAKEN/STIR, a suite of protocols and procedures intended to combat caller ID spoofing. And, just like the Bond reference it derives its name from, if the standard becomes reality we may be able to stop the bad actors in their tracks. Once the suite of protocols is extended to phone number authentication, it will be possible to have fully authenticated caller ID numbers, in the same way that websites present SSL certificates to confirm their authenticity.
Through public-key cryptography, PKI issues digital certificates that verify the identity of machines or users, and this will be extended to phone numbers, creating a verifiable identity for every phone number on the planet. Users will then be shown which numbers legitimately belong to Royal Mail or another delivery provider, and will see a visible sign when the assumed identity is fake, and so know when to follow a link and when to delete the message and report it as spam.
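To make the PKI identity binding described above and the STIR side of SHAKEN/STIR concrete, here is an added worked example; it is not code from Sectigo, the ITU-T or any carrier. It builds and checks a PASSporT, the signed token STIR uses, with the field names from RFC 8225 and the "shaken" extension (RFC 8588): an originating carrier signs the originating and destination numbers with its private key, and the terminating side verifies the signature with the carrier's public key and compares the signed origin number against the caller ID actually presented. Everything else is an assumption for the sake of the demo: the verifier is handed the public key directly (in practice it fetches and chain-validates the certificate at the x5u URL, which here is a placeholder), the phone numbers are constructed from the UK drama range, the origid value is made up, and the 60-second freshness window is an assumed local policy. As the article itself notes, this covers caller ID today, not SMS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Field names follow RFC 8225 (PASSporT) with the "shaken" extension (RFC 8588).
type passportHeader struct {
	Alg string `json:"alg"`
	Ppt string `json:"ppt"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"` // URL of the signing carrier's certificate (placeholder in this demo)
}

type passportPayload struct {
	Attest string              `json:"attest"` // A, B or C: how sure the carrier is of the caller
	Dest   map[string][]string `json:"dest"`
	Iat    int64               `json:"iat"`
	Orig   map[string]string   `json:"orig"`
	OrigID string              `json:"origid"`
}

const MaxAge int64 = 60 // freshness window in seconds; assumed local policy (RFC 8224 suggests 60)
var b64 = base64.RawURLEncoding

// NewCarrierKey makes the P-256 key an originating carrier would hold (bound to an STI-CA certificate in production).
func NewCarrierKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignPassport builds the compact header.payload.signature form and signs it with ES256 (raw r||s, as JOSE requires).
func SignPassport(priv *ecdsa.PrivateKey, origTN, destTN, attest string, iat int64, x5u string) (string, error) {
	hdr, _ := json.Marshal(passportHeader{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: x5u}) // cannot fail
	pl, _ := json.Marshal(passportPayload{Attest: attest, Dest: map[string][]string{"tn": {destTN}},
		Iat: iat, Orig: map[string]string{"tn": origTN}, OrigID: "constructed-origid-0001"}) // origid is made up
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyPassport is the terminating carrier's check. pub is the signer's public key, assumed
// already fetched via x5u and chain-validated. It returns the attestation level; a presented
// caller ID that differs from the signed origin number is the spoofing case the standard exposes.
func VerifyPassport(token string, pub *ecdsa.PublicKey, presentedCallerID string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed PASSporT")
	}
	var hdr passportHeader
	hdrRaw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" || hdr.Ppt != "shaken" {
		return "", fmt.Errorf("bad or unexpected PASSporT header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", fmt.Errorf("bad signature encoding")
	}
	// Check the signature before trusting any claim in the payload.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("signature does not verify under the carrier's key")
	}
	var pl passportPayload
	plRaw, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(plRaw, &pl) != nil {
		return "", fmt.Errorf("bad PASSporT payload")
	}
	if pl.Iat > now || now-pl.Iat > MaxAge {
		return "", fmt.Errorf("stale or future-dated PASSporT (replay check)")
	}
	if pl.Orig["tn"] != presentedCallerID {
		return "", fmt.Errorf("caller ID %s does not match signed origin %s", presentedCallerID, pl.Orig["tn"])
	}
	return pl.Attest, nil
}

func main() {
	carrier, _ := NewCarrierKey()
	now := int64(1700000000) // constructed timestamp
	// Constructed numbers from the UK drama range; not a real delivery firm's numbers.
	tok, _ := SignPassport(carrier, "+447700900001", "+447700900002", "A", now, "https://sti-ca.example.invalid/carrier.pem")
	fmt.Println(VerifyPassport(tok, &carrier.PublicKey, "+447700900001", now)) // A <nil>
	fmt.Println(VerifyPassport(tok, &carrier.PublicKey, "+447700900099", now)) // caller ID mismatch error
}
```

The order of checks is the point: the signature is verified before any payload field is believed, the iat window limits replay of an old token, and only then is the signed origin number compared with the caller ID on the wire. A handset or carrier that displays a "verified" mark would do so only on the success path, which is the visible sign the article describes.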
Ultimately, users should remain vigilant for further, more sophisticated social engineering attacks, which prey on their good faith. Yet that is not the end of it: organisations routinely abused by cybercriminals and conmen during the fraud epidemic, such as the mobile network providers, should take part in the due diligence necessary to safeguard users and disrupt hostile initiatives.