Police arrested an individual last week for sending fraudulent text messages to thousands of people to obtain banking details and defraud them.
It is estimated that the man sent more than 25,000 short text messages in one day, from SIM cards on multiple mobile devices.
Mobile phone contacts galore
The arrest took place on June 17 at a hotel in Manchester, UK, where the 21-year-old fraudster had taken a room and used it as the headquarters of the phishing operation.
The fraudster is likely part of a larger gang and is probably just a foot soldier doing the risky part of the business for the more important players that run the larger operation.
Police officers found electronic equipment that could be used for SMS phishing, also known as smishing. The text messages claimed to be from the Hermes parcel delivery company.
According to the police, the operation was quite large and could deliver tens of thousands of fraudulent messages every day. It is estimated that close to 26,000 texts were sent on the day of the arrest.
At least some of the messages were sent through EE, one of the largest mobile network operators and internet service providers in the United Kingdom, with over 27 million subscribers.
The messages informed potential victims of a missed delivery and asked for banking information. The number of individuals falling victim to the scam remains undisclosed.
After examining the seized devices, the police say that they stored a total of 44,000 mobile phone contacts.
Despite the size of the phishing operation, the man got caught when the hotel staff deemed him suspicious for carrying a large number of cables in a bag and alerted the police in Manchester.
People in the UK receiving suspicious text messages allegedly from Hermes should report the phishing attempt, contact the police online, or call 101.
As a side note, the fraudster’s opsec skills are not the only ones needing improvement. Phishing kit expert JCyberSec noticed that the Manchester police did not remove the metadata from the image published with the press release. Although it is not the case now, metadata can include potentially sensitive information.