Agarwal, Sharad; Vasek, Marie (2025) Card-Not-Present Fraud resulting from Smishing Attacks: An Experimental Study. In: Proceedings of the New Security Paradigms Workshop (NSPW) 2025. Association for Computing Machinery (ACM): New York, NY, USA. (In press).
Text: Cards_PoC (1).pdf - Accepted Version (1MB)
Abstract
Smishing or SMS phishing is a recent update to email-based phishing. This modern scam hinges upon the trust that users have in their bank or online service to steal users’ personal details. While recent work examines these texts and the URLs sent, no work has empirically determined what happens after scammers obtain this credit card information. Card-not-present (CNP) fraud—where stolen card details are used to make purchases online without physical access to the card—has become a growing concern. While some investigate this indirectly using forum posts, the unavailability of credit card transaction data makes it tricky to study empirically. As smishing continues to rise, so does CNP fraud, resulting in more losses borne by consumers. To this end, we perform a proof-of-concept experiment towards understanding how criminals abuse stolen credit card details brought in from smishing. We collaborate with a mobile network operator and a financial institution to access live smishing URLs and test credit cards. We provide test credit cards to twelve different smishing URLs and observe 36 authorization attempts across 17 different online merchants. We analyze the ISO transaction messages to uncover scammers’ transaction patterns and their cash-out mechanisms. Our insights into scammer behavior could help stakeholders develop effective mitigations to tackle CNP fraud towards eliminating the profitability of smishing.
Type: | Proceedings paper |
---|---|
Title: | Card-Not-Present Fraud resulting from Smishing Attacks: An Experimental Study |
Event: | New Security Paradigms Workshop (NSPW) 2025 |
Location: | Aerzen, Germany |
Dates: | 24 Aug 2025 - 27 Aug 2025 |
Open access status: | An open access version is available from UCL Discovery |
Publisher version: | https://www.nspw.org/2025 |
Language: | English |
Additional information: | This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions. |
Keywords: | card-not-present fraud, smishing, cybercrime, online financial fraud |
UCL classification: | UCL; UCL > Provost and Vice Provost Offices > UCL BEAMS; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
URI: | https://discovery.ucl.ac.uk/id/eprint/10210719 |