BSP: Beware of text hijacking

Project Agila, which will allow FIs to transfer funds to each other even during off-business hours, including evenings, weekends, and holidays.

The Bangko Sentral ng Pilipinas (BSP) is alerting the public to the threat of text hijacking, a technique employed by scammers to send fraudulent SMS messages that appear to come from trusted sources.

In an advisory, the BSP said text hijacking is a modus operandi where fraudsters insert themselves into legitimate text message conversations, making their messages appear safe by blending in with other messages from a trusted source.

This increases the effectiveness of the delivery of smishing attacks as they appear to be coming from a legitimate sender.

Fraudsters spoof the sender ID of financial institutions and send smishing messages containing malicious links, aiming to gain unauthorized access to financial accounts of their victims.​

Smishing is often defined as a form of phishing. This method uses social engineering to trick someone into revealing private information and the attack is executed using a text message.

How does text hijacking work?


A notable method for executing text hijacking involves the use of International Mobile Subscriber Identity (IMSI) catchers. These devices broadcast a stronger signal than nearby legitimate cellular towers, tricking mobile phones within a specific geographical area into connecting to them instead of the real network. 

Once connected, fraudsters can then send SMS or text messages with malicious content or phishing links to achieve their objectives, potentially compromising sensitive information.

READ ALSO: Cybercrime center: Report scams using eGov app

How can you protect yourself from text hijacking attacks?

Financial consumers are advised of the following:

1. NEVER click links in SMS messages even if they appear to be coming from your bank, e-money provider or financial institution;

2. ALWAYS scrutinize the messages you receive. Remember that banks/e-money issuers will NEVER ask you to click a link sent through email or SMS to execute transactions that you did not initiate. You may go directly to mobile or internet banking facilities for any transactions with your bank/e-money issuer; and​

3. REPORT any unusual transactions and/or activities involving your bank/e-money accounts to your bank/e-money provider immediately.

The BSP assures the public that the BSP, in collaboration with the BSP Supervised Financial Institutions (BSFIs) and key stakeholders, are already taking measures to address text hijacking concerns.​

READ MORE FINTECH NEWS.