Agarwal, Sharad; Vasek, Marie; (2025) Card-Not-Present Fraud resulting from Smishing Attacks: An Experimental Study. In: Proceedings of the New Security Paradigms Workshop (NSPW) 2025. Association for Computing Machinery (ACM): New York, NY, USA. (In press).

Preview

Text Cards_PoC (1).pdf - Accepted Version Download (1MB) | Preview

Abstract

Smishing or SMS phishing is a recent update to email-based phishing. This modern scam hinges upon the trust that users have in their bank or online service to steal users’ personal details. While recent work examines these texts and the URLs sent, no work has empirically determined what happens after scammers obtain this credit card information. Card-not-present (CNP) fraud—where stolen card details are used to make purchases online without physical access to the card—has become a growing concern. While some investigate this indirectly using forum posts, the unavailability of credit card transaction data makes it tricky to study empirically. As smishing continues to rise, so does CNP fraud, resulting in more losses borne by consumers. To this end, we perform a proof-of-concept experiment towards understanding how criminals abuse stolen credit card details brought in from smishing. We collaborate with a mobile network operator and a financial institution to access live smishing URLs and test credit cards. We provide test credit cards to twelve different smishing URLs and observe 36 authorization attempts across 17 different online merchants. We analyze the ISO transaction messages to uncover scammers’ transaction patterns and their cash-out mechanisms. Our insights into scammer behavior could help stakeholders develop effective mitigations to tackle CNP fraud towards eliminating the profitability of smishing.

Download activity - last month

Export as CSVXMLJSON

Download activity - last 12 months

Export as JSONCSVXML

Downloads by country - last 12 months

Export as JSONCSVXML

Archive Staff Only

View Item