UCL Discovery
UCL home » Library Services » Electronic resources » UCL Discovery

Card-Not-Present Fraud resulting from Smishing Attacks: An Experimental Study

Agarwal, Sharad; Vasek, Marie; (2025) Card-Not-Present Fraud resulting from Smishing Attacks: An Experimental Study. In: Proceedings of the New Security Paradigms Workshop (NSPW) 2025. Association for Computing Machinery (ACM): New York, NY, USA. (In press). Green open access

[thumbnail of Cards_PoC (1).pdf]
Preview
Text
Cards_PoC (1).pdf - Accepted Version

Download (1MB) | Preview

Abstract

Smishing or SMS phishing is a recent update to email-based phishing. This modern scam hinges upon the trust that users have in their bank or online service to steal users’ personal details. While recent work examines these texts and the URLs sent, no work has empirically determined what happens after scammers obtain this credit card information. Card-not-present (CNP) fraud—where stolen card details are used to make purchases online without physical access to the card—has become a growing concern. While some investigate this indirectly using forum posts, the unavailability of credit card transaction data makes it tricky to study empirically. As smishing continues to rise, so does CNP fraud, resulting in more losses borne by consumers. To this end, we perform a proof-of-concept experiment towards understanding how criminals abuse stolen credit card details brought in from smishing. We collaborate with a mobile network operator and a financial institution to access live smishing URLs and test credit cards. We provide test credit cards to twelve different smishing URLs and observe 36 authorization attempts across 17 different online merchants. We analyze the ISO transaction messages to uncover scammers’ transaction patterns and their cash-out mechanisms. Our insights into scammer behavior could help stakeholders develop effective mitigations to tackle CNP fraud towards eliminating the profitability of smishing.

Type: Proceedings paper
Title: Card-Not-Present Fraud resulting from Smishing Attacks: An Experimental Study
Event: New Security Paradigms Workshop (NSPW) 2025
Location: Aerzen, Germany
Dates: 24 Aug 2025 - 27 Aug 2025
Open access status: An open access version is available from UCL Discovery
Publisher version: https://www.nspw.org/2025
Language: English
Additional information: This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions.
Keywords: card-not-present fraud, smishing, cybercrime, online financial fraud
UCL classification: UCL
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
URI: https://discovery.ucl.ac.uk/id/eprint/10210719
Downloads since deposit
128Downloads
Download activity - last month
Download activity - last 12 months
Downloads by country - last 12 months

Archive Staff Only

View Item View Item