China-based criminal groups are targeting customers of financial institutions in a bid to steal payment card data.
The groups, known as the Smishing Triad, have expanded their targets from organisations such as toll road operators and shipping firms to international banks, including Citigroup, Mastercard, PayPal, Stripe and Visa.
The threat actors use a range of tactics to reach mobile phone users via iMessage for iOS and RCS for Android devices, relying on spoofed domains and brand names in their phishing scams.
Ford Merrill, a security researcher, said that at one point the group was able to capture 30 credit card records from 550 interactions in one week.
The data is then used to enrol the payment cards into mobile wallets.
One bank insider said that moving away from text confirmation codes would reduce fraud.