Trend Report on Smishing – Q1 2024 Statistics and Analysis on Smishing Threats


Overview

 

AhnLab detects phishing messages using machine learning and carries out analysis and response work for them. This report contains statistics and an extensive analysis of the smishing messages detected during the first quarter of 2024.

During this period, the number of certain types of phishing attacks such as those using the guise of false payments, government subsidies, and wedding invitations increased. On the other hand, other types including those impersonating credit card companies, institutions, funeral notices, family members, and delivery services saw a decrease in their numbers. Newly detected attack types include those impersonating the Korea Customs Service, using the guise of public offerings, and being disguised as Lunar New Year messages. It is worth noting that there were many phishing messages disguised as Lunar New Year events. 

The phishing messages included in this analysis are all malicious messages detected and collected by AhnLab products during the aforementioned period. Phishing refers to attacks that attempt to unlawfully obtain sensitive information such as passwords and credit card information from people by pretending to be from generally trusted sources. Smishing attacks covered in this report are a type of phishing using SMS messages that have been rapidly increasing over the past few years. 

Past phishing attacks usually involved text messages containing links to phishing sites, luring recipients to visit them. However, as people became more cautious about clicking URLs in messages, threat actors gradually began diversifying their tactics. Recent trends show a marked increase in attempts to establish direct contact through phone numbers included in the text messages and then convert the attack to voice phishing. Even so, attacks using URLs comprised 54.2% of the smishing attack statistics for the first quarter, making them the most common type of smishing attack. They are followed by approaches through calls, KakaoTalk, and SMS. This data implies that smishing attacks where the recipients are lured to click URLs are still the main threat, meaning users must be highly cautious of all attack types.

 

Analysis

 

Phishing Message Statistics in Q1 2024

 

The analysis of phishing messages collected during Q1 2024 is as follows. According to Figure 1, messages using the guise of Lunar New Year messages were the most prominent of the various types of smishing attacks (22.8%), followed by impersonation of credit card companies (17.2%) and impersonation of institutions (12.4%). Other types, in descending order, were those using the guise of funeral notices (11.9%), public offerings (9.2%), short-term part-time work (8.9%), payment notices (6.0%), government subsidy-related details (5.7%), family members (4.9%), wedding invitations (0.7%), and parcel services (0.3%).

Types that showed an increase in comparison to Q4 2023 are those disguised as fake payment notices, using the guise of government subsidies, and disguised as wedding invitations, which increased by 18%, 102%, and 313% respectively. On the other hand, the following types all decreased: those disguised as funeral notices (by 10%), impersonating organizations (by 17%), masquerading as family members (by 23%), impersonating credit card companies (by 26%), using the guise of short-term part-time work (by 43%), and impersonating parcel services (by 69%). In addition to these changes in percentages, messages impersonating the Korea Customs Service, using the guise of public offerings, and disguised as Lunar New Year-related events were newly observed.


Figure 1. Phishing message statistics by type in Q1 2024

 

Phishing messages using the guise of Lunar New Year messages carry fake notices about winning events and lure the recipients into clicking the URLs in the messages, attempting to steal personal and financial information. Messages impersonating credit card companies use credit card issuance or payment approval details to induce the recipients to call a fake customer service center, where the call is redirected to a voice phishing group that attempts to steal information. Messages impersonating institutions make it seem as if they are sent from actual public organizations, leading the recipients to phishing websites or attempting to steal personal information. Messages using the guise of funeral notices ask the recipients to attend the funeral, luring them to click the URLs and attempting to steal information. Messages disguised with public offering-related details offer pre-listing stocks at low prices and lure the recipients to fraudulent websites that prompt them to deposit cash. Messages using the guise of short-term part-time work promise high profits and lead the recipients to initiate contact over messaging apps such as KakaoTalk in order to deceive them. Messages disguised as fake payment notices use false payment alerts to lure the recipients into calling a fake customer service center. Messages disguised with government subsidy-related details ask the recipients to call or add a KakaoTalk friend for reasons such as granting a loan. Messages impersonating family members ask for personal data or induce the recipients to install a remote control app. Messages disguised as wedding invitations are made to look like mobile invitations. Those impersonating parcel services use the guise of failed delivery notices to lure the recipients to phishing websites or KakaoTalk channels.

An analysis of phishing messages collected during the first quarter of 2024 shows the distribution of phishing attacks for each industry (see Table 1). The financial industry had the highest share at 43.8%, followed by attacks impersonating institutions at 16.9% and attacks masquerading as convenience stores at 15.6%. In particular, a large number of smishing attacks involving the CU convenience store and timed to the Lunar New Year occurred, bringing the convenience store sector to the top of the rankings.

 

Rank  Industry            Percentage
1     Finance             43.8%
2     Institutions        16.9%
3     Convenience store   15.6%
4     Shopping mall       0.8%
5     Parcel service      0.3%
6     Others              22.5%

Table 1. Phishing message statistics by industry in Q1 2024

A close examination of the financial sector reveals that Kookmin Card was the most impersonated at 34.8%, followed by K Bank and Shinhan Card at 28.1% and 5.4% respectively. Cases of smishing involving K Bank were listed high on the ranking in the financial sector due to attacks using the guise of Lunar New Year events.

 

Rank  Company                         Percentage
1     Kookmin Card                    34.8%
2     K Bank                          28.1%
3     Shinhan Card                    5.4%
4     Samsung Card                    5.1%
5     BC Card                         1.7%
6     Woori Card                      1.3%
7     Hana Card                       0.5%
8     Lotte Card                      0.4%
9     Shinhan Bank                    0.3%
10    Nonghyup Bank                   0.2%
11    Kookmin Bank                    0.2%
12    Standard Chartered Bank Korea   0.1%
13    KakaoBank                       0.1%
14    Others                          20.3%

Table 2. Phishing message statistics by financial company in Q1 2024

Out of smishing activities using the guise of Korean government organizations, those impersonating the National Police Agency comprised 40.7%, the National Health Insurance Service 38.7%, and the Korea Customs Service 12.4%, each taking up a large share. This data shows that attacks impersonating the National Police Agency and the National Health Insurance Service are being frequently launched.

 

Rank  Institution                         Percentage
1     National Police Agency              40.7%
2     National Health Insurance Service   38.7%
3     Korea Customs Service               12.4%
4     Korea Environment Corporation       8.3%

Table 3. Phishing message statistics by institution in Q1 2024

An analysis of the convenience store industry revealed that smishing attacks involving CU convenience stores during the Lunar New Year period made up 100%. This data shows that threat actors quickly adapt their smishing attacks to seasonal events.

 

Rank  Convenience Store   Percentage
1     CU                  100%

Table 4. Phishing message statistics by convenience store in Q1 2024

An examination of the logistics sector shows that CJ Logistics comprised 38.0%, Logen 16.3%, and Hanjin 11.1% at the top of the rankings. This data shows that the threat actors are using widely known delivery service brands to conduct fraudulent activities.

 

Rank  Delivery Service         Percentage
1     CJ Logistics             38.0%
2     Logen                    16.3%
3     Hanjin                   11.1%
4     Lotte Global Logistics   3.8%
5     Korea Postal Service     2.9%
7     Others                   27.9%

Table 5. Phishing message statistics by delivery service in Q1 2024

Finally, an analysis of phishing methods revealed attacks using URLs to be the most prominent at 54.2%, followed by phone calls at 24.7%, KakaoTalk at 15.0%, and SMS at 3.0%. This data implies that smishing attacks using URLs are the majority.

 

Rank  Phishing Method   Percentage
1     URL               54.2%
2     Phone calls       24.7%
3     KakaoTalk         15.0%
4     SMS               3.0%
5     Others            3.1%

Table 6. Phishing method statistics in Q1 2024