Trend Report on Smishing – Q4 2023 Statistics and Analysis on Smishing Threats
01. Overview
AhnLab analyzes and responds to phishing messages detected based on machine-learning. This report provides an extensive analysis along with the statistics of smishing messages discovered during the fourth quarter of 2023.
In the fourth quarter of 2023, there was an increase in specific types of attacks such as part-time job scams, government impersonation scams, and financial services scams, while other types such as government grant scams, family emergency imposter scams, and parcel delivery scams showed a decreasing trend. In particular, a new form of attack that impersonates credit card companies was detected.
Analyzing the main trends of smishing attacks throughout the year 2023, it reveals that parcel delivery scams and job scams were particularly prominent. In the early part of the year, there were many parcel delivery scams, but as the year progressed, the number decreased. In contrast, job scams were relatively low in the early months, but they surged after June, becoming the most common type of attack. Some phishing messages were sent reflecting social issues, including phishing attacks impersonating the National Tax Service during the year-end tax settlement period. Especially noteworthy is the increase in phishing messages disguised as funeral notifications following the Seo2 elementary school incident. Additionally, phishing messages impersonating Golfzon were sent out intensively for a brief time during a period when Golfzon’s services were facing technical issues. These cases demonstrate that threat actors swiftly identify social issues and adopt attack strategies exploiting them.
The phishing messages analyzed in this report are exclusively the malicious messages detected and collected during the relevant period of time and sent to mobile environments using AhnLab products. Generally, phishing refers to attacks that disguise as trusted sources via email or messenger platforms to illegally obtain confidential information. The smishing addressed in this report is a form of phishing that utilizes text messages, which has been increasingly prevalent in recent times.
This report categorizes phishing messages by intent and provides statistics on the percentage of each type. Additionally, it will cover the composition and inducement methods of each phishing message.
02. Analysis
Phishing Message Statistics in Q4 2023
The analysis of phishing messages collected during the fourth quarter of 2023 reveals the following distribution of types, as shown in Figure 1: job scams (61.2%), credit card scams (17.6%), government imposter scams (7.0%), funeral notification scams (4.8%), family emergency imposter scams (3.9%), financial services scams (2.7%), government grant scams (1.6%), and parcel delivery scams (1.1%) in descending order of prevalence.
In comparison to the third quarter, phishing messages involving job scams, government imposter scams, financial services scams, and funeral notification scams have increased by 17%, 45%, 105%, 8%, and 560% respectively. On the other hand, there has been a decrease in phishing messages involving family emergency imposter scams, government grant scams, and parcel delivery scams by 19%, 29% and 55% respectively. Additionally, messages impersonating credit card companies have been newly included in the statistics.
Figure 1. Phishing message statistics by type in Q4 2023
Phishing messages disguised as job scams aim to deceive individuals by suggesting that they can easily earn a substantial income from home. The messages prompt recipients to contact the sender via KakaoTalk with the intention of engaging them in fraudulent schemes. Phishing messages from credit card scams aim to induce users to call voice phishing companies disguised as customer centers, using content such as new card issuance or card payment approval, in order to steal personal and financial information. Messages from government imposter scams, pretending to be institutions such as the National Police Agency, the National Health Insurance Service, or the Prosecutor’s Office, contain text that claims the reception of a report that needs verification. The goal is to lure individuals to phishing sites where their personal information is ultimately stolen. Phishing messages from funeral notification scams request attendance at a memorial service and prompt recipients to click on URLs within the message to steal personal and financial information. Phishing messages from family emergency imposter scams involve pretending to be a family member and engaging in text conversations on the pretext of smartphone malfunctions. During these interactions, individuals are prompted to install remote control apps or have their personal information compromised. Phishing messages from financial services scams send out genuine-looking payment messages to induce recipients into calling a company that is pretending to be a customer support center. The intention is to exfiltrate personal and financial information. The goal of phishing messages from government grant scams is to induce recipients to call a phone number or add a KakaoTalk friend under the pretext of selecting favorable loan terms. Its ultimate goal is to steal personal and financial information through data theft or voice phishing. Messages from parcel delivery scams lead recipients to phishing sites or KakaoTalk channels under the pretext of a failed delivery. These phishing messages aim to steal personal information or encourage the installation of malicious apps. Other phishing messages include deception related to wedding invitation, Telegram, and Golfzon. Detailed information can be found in the detailed descriptions of each type.
The analysis of phishing messages collected during the fourth quarter of 2023, as depicted in Table 1, reveals that the targeted industries in phishing messages are shopping malls (34.2%), finance (20.2%), and institutions (7.4%) in descending order. In particular, the aggregation of numerous job scams that used shopping malls has resulted in a high percentage for the shopping mall industry.
|
|
Industry |
Ratio |
|
1 |
Shopping malls |
34.2% |
|
2 |
Finance |
20.2% |
|
3 |
Institutions |
7.4% |
|
4 |
Logistics |
1.2% |
|
5 |
Others |
37.0% |
Table 1. Ratio of industries featured in phishing messages in Q4 2023
The analysis of each industry sector yields the following results. In the case of shopping malls, they are primarily targeted in job scams. It appears that threat actors are more likely to use temporarily created shopping mall sites rather than impersonating specific institutions.
Analyzing the financial industry, phishing messages from government grant scams, credit card scams, and financial services scams are predominantly observed. As shown in Table 2, Kookmin Card (22.6%), Samsung Card (17.7%), and Woori Card (16.1%) are the most frequently identified. In the fourth quarter, the detection of phishing messages impersonating credit card companies surged, leading to a sharp increase in the proportion of credit card scams. It appears that threat actors are sending more phishing messages impersonating credit card companies than banks.
|
|
Industry |
Ratio |
|
1 |
Kookmin Card |
22.6% |
|
2 |
Samsung Card |
17.7% |
|
3 |
Woori Card |
16.1% |
|
4 |
Lotte Card |
10.3% |
|
5 |
Shinhan Card |
7.8% |
|
6 |
BC Card |
3.8% |
|
7 |
Hyundai Card |
1.6% |
|
8 |
Hana Card |
1.3% |
|
9 |
Nonghyup Bank |
0.6% |
|
10 |
Shinhan Bank |
0.5% |
|
11 |
Kookmin Bank |
0.3% |
|
12 |
Others |
17.4% |
Table 2. Ratio of financial companies featured in finance-related phishing messages in Q4 2023
Analyzing the government entities, it is revealed that phishing messages often impersonate institutions. As shown in Table 3, the top institutions are the National Health Insurance Service (89.5%), the National Police Agency (6.5%), and the National Pension Service (3.2%). These statistics indicate that in the fourth quarter, there were many attacks using phishing messages related to health checkups using the National Health Insurance Service.
|
|
Institutions |
Ratio |
|
1 |
National Health Insurance Service |
89.5% |
|
2 |
National Police Agency |
6.5% |
|
3 |
National Pension Service |
3.2% |
|
4 |
Korea Environment Corporation |
0.6% |
|
5 |
National Tax Service |
0.1% |
Table 3. Ratio of government entities featured in institute-related phishing messages in Q4 2023
Analyzing the logistics industry, it is evident that phishing messages often impersonate parcel delivery services. As shown in Table 4, CJ Logistics (55.4%), LOTTE Global Logistics (13.9%), and Hanjin Logistics Corporation (13.3%) are the most frequently identified when it comes to parcel delivery scams. These statistics highlight that threat actors often disguise phishing messages by impersonating parcel delivery services commonly used by people.
|
|
Industry |
Ratio |
|
1 |
CJ Logistics |
55.4% |
|
2 |
LOTTE Global Logistics |
13.9% |
|
3 |
Hanjin Logistics Corporation |
13.3% |
|
4 |
Coupang |
8.5% |
|
5 |
Korea Postal Service |
4.1% |
|
6 |
Logen |
3.4% |
|
7 |
Others |
1.5% |
Table 4. Ratio of parcel delivery services featured in logistics-related phishing messages in Q4 2023
Additionally, as analyzed in Table 5, it was revealed that KakaoTalk (77.0%), URLs (15.5%), phone calls (3.3%), and SMS (1.7%) have been used as means of phishing in that descending order. These statistics indicate that threat actors extensively used phishing messages that induce recipients to their KakaoTalk channels.
|
|
Inducement |
Ratio |
|
1 |
KakaoTalk |
77.0% |
|
2 |
URL |
15.5% |
|
3 |
Phone calls |
3.3% |
|
4 |
SMS |
1.7% |
|
5 |
Others |
2.5% |
Table 5. Ratio of inducement methods for phishing in Q4 2023
