smishing

Thursday, February 5th, 2009

I know SMS phishing attacks (known as smishing) are nothing new, but based on a recent smishing attack I received, it looks like combining phishing attacks with phone numbers has made it possible for attackers to increase the effectiveness of their attacks. Previously, phishers went by the same methods that spammers popularized ages ago: send your message to as many people as possible, and try to make it applicable to as many people as possible. Given the low conversion rates (Gartner estimates 3.3%), you need it to be seen by many people in order to have a few successful scams. That's why phishing attacks always seemed to attack places like PayPal and Bank of America: they had more customers, and therefore more of the people getting the fake email were likely to be fooled.

With that in mind, I was surprised when I got the following text message a few weeks ago:

This is an automated message from Lafayette Credit Union. Your ATM card has been suspended. To reactivate, call urgent at 888-xxx-xxxx.

I had never even heard of Lafayette Federal Credit Union before, and found it odd that a scammer was targeting such a small financial institution. A few days later I got another similar message purporting to be from FedChoice Federal Credit Union, another small financial institution. What I soon realized, though, is that both of these credit unions are local to the Washington DC area, and my cell phone has a 202 (Washington DC) area code. The scammers have decided to improve their business model. They're targeting credit unions around the country and only sending people attacks that purport to be from local credit unions. In this way they hope to increase their conversion rate by only sending people relevant attacks.

 