🚨 Smishing
Today Korean Social News for Beginners | 2025.12.01
0️⃣ Coupang's 33.7 Million User Data Leak, Text Message Scam Alert
📌 Concerns About Smishing Damage Spread After Large-Scale Personal Information Leak
💬 Anxiety is growing nationwide after the personal information of about 33.7 million Coupang users was leaked. According to the government investigation, attackers appear to have obtained large amounts of customer account information by exploiting server authentication vulnerabilities. The leaked information includes names, emails, addresses, phone numbers, and some order information, raising concerns about secondary damage such as smishing (text message fraud) and voice phishing. If the leaked information is traded on the dark web, criminal organizations can purchase it and launch customized scam attacks, so special caution is required. Many consumers are expressing dissatisfaction with Coupang's late notification and insufficient response, and moves toward class action lawsuits are also appearing. In this situation, corporate responsibility for protecting personal information and individual efforts to prevent smishing have become more important than ever.
💡 Summary
- Concerns about secondary damage like smishing are growing due to Coupang's leak of 33.7 million users' personal information.
- Smishing is a fraud method that steals personal or financial information by sending malicious links through text messages.
- Never click links in suspicious texts, and verify through official apps or customer service centers.
1️⃣ Definition
Smishing is a phishing attack that uses text messages (SMS). It is a fraud method that steals personal or financial information by including malicious links or phone numbers in texts disguised as delivery notifications, government announcements, wedding invitations, etc. The word is a combination of 'SMS' and 'Phishing', and victims can easily be fooled because it exploits the familiar medium of mobile text messages.
The danger of smishing goes beyond leaking personal information. If you click a link in a text message, malicious code can be installed and compromise your phone. Through this, information from financial apps can be stolen, small payments can be made without permission, and your phone can even be remotely controlled. Especially after large-scale personal information leaks, attackers can use victims' real information (name, address, order history, etc.) to make their disguise more convincing, greatly increasing the possibility of damage.
💡 Why is this important?
- As mobile financial transactions become part of daily life, smishing damage is rapidly increasing.
- Customized smishing attacks concentrate after large-scale personal information leaks, potentially increasing the scale of damage.
- One careless click can cause financial asset damage and credit problems.
- Individual awareness and prevention efforts are the most reliable way to prevent damage.
2️⃣ Coupang Information Leak Incident and Smishing Risk
📕 Overview of Large-Scale Personal Information Leak Incident
Personal information of about 33.7 million Coupang users was leaked. Main details are as follows:
- Attackers accessed the customer account database by exploiting server authentication vulnerabilities.
- Names, emails, phone numbers, delivery addresses, and some order information were leaked.
- Although credit card information and passwords were encrypted, preventing direct leaks, the situation cannot be taken lightly.
- Coupang notified customers about ten days after recognizing the incident, drawing criticism.
Coupang's retention of withdrawn members' information is also controversial. Main problems are as follows:
- Some consumers reported receiving leak notification texts even though they had already withdrawn from Coupang.
- The Personal Information Protection Act requires immediate destruction of unnecessary information after service termination.
- Concerns are growing about responsibility as companies may not have properly fulfilled legal obligations.
- Consumers argue they have the right to know when and where their information is stored.
📕 Concerns About Secondary Smishing Damage
Customized smishing attacks using leaked information are expected. Main risks are as follows:
- Attackers know victims' real names, addresses, and recent order information, enabling more sophisticated fraud.
- Texts like "There's a problem with your ordered product delivery" are easy to believe when they match actual orders.
- Shared building entrance passwords and delivery information could be exploited, threatening residents' physical safety.
- If information is traded on the dark web, crimes spread in various forms including voice phishing and messenger phishing.
There is controversy over whether the responses of the government and Coupang are sufficient. Main issues are as follows:
- Coupang announced it would provide additional security measures and free credit check services, but consumers feel it's insufficient.
- The government launched a joint investigation by the Personal Information Protection Commission and National Police Agency, but questions remain about punishment severity.
- Class action lawsuit movements are demanding damage compensation and measures to prevent recurrence.
- Voices calling for strengthening corporate responsibility for personal information management are growing louder as large-scale leaks repeat.
💡 Main Smishing Risk Points
- Using real names and addresses: Sending high-credibility scam texts by identifying victims with leaked personal information
- Exploiting order information: Inducing link clicks by mentioning recent purchase history and disguising delivery problems
- Dark web distribution: Personal information is illegally traded, making victims targets for various criminal organizations
- Shared building entrance intrusion: Threatening actual residential safety through leaked delivery addresses and shared entrance passwords
- Financial information theft: Hacking financial apps after malicious code installation, causing account transfer and small payment damage
3️⃣ Smishing Prevention and Response Methods
✅ Prevention Rules Individuals Can Follow
Never click suspicious texts. Main methods are as follows:
- You should first suspect all links in texts about package delivery, wedding invitations, government announcements, etc.
- Even if it looks like it's from Coupang or other shopping malls, open the official app directly to verify.
- Search the phone number or link online to check reported smishing cases.
- Most texts that rush you to act quickly are scams.
Strengthen security settings. Main measures are as follows:
- Enable the "block installation from unknown sources" feature on your smartphone.
- Set separate passwords or biometric authentication for financial apps.
- Install antivirus apps and regularly scan for malicious code.
- Update operating systems and apps to the latest versions to eliminate security vulnerabilities.
Respond immediately if damage occurs. Main procedures are as follows:
- If you clicked a suspicious link, switch your phone to airplane mode or turn it off.
- Immediately change your financial app passwords and contact bank customer service to freeze accounts.
- Report to the National Police Agency Cyber Safety Bureau (dial 182) or Financial Supervisory Service (1332).
- Reset your phone and remove malicious code with antivirus programs.
✅ Corporate and Government Responsibilities
Companies must thoroughly fulfill their duty to protect personal information. Main tasks are as follows:
- They must strengthen server security and regularly check vulnerabilities.
- When personal information leaks occur, they must quickly inform customers and guide response methods.
- They must immediately destroy unnecessary personal information and encrypt stored information.
- They must acknowledge responsibility for leak incidents and provide sufficient damage compensation.
The government must strengthen legal regulations and punishments. Main directions are as follows:
- They must strengthen the Personal Information Protection Act to significantly increase penalties for large-scale leak incidents.
- They must actively arrest and severely punish smishing criminals.
- They must build systems where financial institutions and telecommunication companies cooperate to automatically block suspicious texts.
- They must expand smishing prevention education and promotion for the public.
4️⃣ Related Term Explanations
🔎 Smishing
- Smishing is a phishing attack through text messages.
- Smishing is a combination of SMS (text message) and Phishing (personal information fishing), a fraud method that sends malicious links or phone numbers through mobile text messages to steal personal or financial information. Initially it was at the level of simple small payment inducement, but recently the methods have become sophisticated, including malicious app installation for remote control and financial app hacking.
- Representative types of smishing include: First, texts disguised as package delivery notifications, such as "Your package has arrived. Please check" followed by a link. Second, texts disguised as wedding or first birthday invitations, such as "I'm getting married. Please check the mobile invitation." Third, texts impersonating government agencies, such as "This is the National Tax Service. You have a refund." Fourth, texts impersonating acquaintances, such as "Mom, my phone broke so contact this number," followed by a request for money.
- If you fall victim to smishing, malicious code is installed and all information on your phone is stolen, financial apps are hacked and money is withdrawn from accounts, small payments are made without permission, and personal information can be exploited for crimes. Especially after large-scale personal information leaks, attackers know victims' real information, enabling more sophisticated fraud and causing damage to surge.
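The prevention rules in section 3 (suspect links in themed texts, distrust pressure to act quickly) and the representative lure types above can be expressed as message triage logic. The following is an added example, not part of the original article; the official-host allowlist, keyword patterns, thresholds and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this recipient treats as official (illustrative allowlist).
OFFICIAL_HOSTS = {"coupang.com"}
# Lure themes modelled on the article's four representative smishing types.
LURES = {
    "delivery": r"\b(package|parcel|delivery|order)\b",
    "invitation": r"\b(wedding|invitation|first birthday)\b",
    "government": r"\b(national tax service|refund|government)\b",
    "acquaintance": r"\b(mom|dad)\b.*\b(phone broke|contact this number)\b",
}
URGENCY = re.compile(r"\b(immediately|urgent|right now|within \d+ (hours?|minutes?))\b")
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
PHONE_RE = re.compile(r"\b0\d{1,2}-\d{3,4}-\d{4}\b")

def host_of(url):
    """Return the lower-cased hostname, tolerating links with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def is_official(host):
    """Exact host or true subdomain only; a brand name inside the host is not enough."""
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def triage(text):
    """Flag one SMS body and list the reasons; 'no_flags' is not proof of safety."""
    lower = text.lower()
    lures = [name for name, pat in LURES.items() if re.search(pat, lower)]
    bad_hosts = [h for h in map(host_of, URL_RE.findall(text)) if not is_official(h)]
    reasons = []
    if bad_hosts:
        reasons.append("link to unverified host: " + ", ".join(bad_hosts))
    if bad_hosts and lures:
        reasons.append("lure theme with link: " + ", ".join(lures))
    if "acquaintance" in lures and PHONE_RE.search(text):
        reasons.append("family impersonation with callback number")
    if URGENCY.search(lower):
        reasons.append("pressure to act quickly")
    verdict = "block" if len(reasons) >= 2 else "review" if reasons else "no_flags"
    return {"verdict": verdict, "lures": lures, "reasons": reasons}

# Constructed sample messages (not real traffic); .example hosts are placeholders.
SAMPLES = [
    "[Coupang] Problem with your order delivery. Confirm immediately: http://coupang.com.parcel-check.example/t",
    "I'm getting married. Please check the mobile invitation: invite-card.example/w",
    "Mom, my phone broke so contact this number 010-0000-0000",
    "Your Coupang order has shipped. Track it in the app or at https://www.coupang.com/",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms)["verdict"], "|", sms)
```

The first sample shows why the host check compares the end of the hostname: a brand name placed at the front of an unrelated domain does not make the link official.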
🔎 Personal Information Protection Act
- The Personal Information Protection Act is a law regulating the obligations of personal information processors.
- The Personal Information Protection Act is a law that protects individual rights and regulates the responsibilities of information processors throughout the entire process of collecting, using, providing, and destroying personal information. Companies or public institutions must obtain consent when collecting personal information and must destroy it without delay once the collection purpose is achieved.
- Main contents of the law include: First, personal information processors must take technical and administrative protective measures to prevent personal information leaks. Second, if a personal information leak incident occurs, they must immediately notify the information subjects and report to the Personal Information Protection Commission. Third, they must immediately destroy personal information after service termination as there's no reason to retain it. Fourth, violators can receive fines of up to 500 million won and criminal punishment.
- Regarding the Coupang incident, points raised as potential law violations include: keeping information of withdrawn members, negligent vulnerability management, and insufficient prompt notification. The Personal Information Protection Commission is investigating Coupang, and if law violations are confirmed, they can impose fines along with improvement orders.
🔎 Information and Communications Network Act
- The Information and Communications Network Act is a law regulating healthy use of information and communication services.
- The Act on Promotion of Information and Communications Network Utilization and Information Protection (Information and Communications Network Act) regulates the obligations of information and communication service providers and user protection. It is directly related to smishing as it specifically addresses personal information protection, prohibition of illegal information distribution, and prohibition of malicious program distribution.
- Main regulatory contents of the law include: First, it prohibits distributing malicious programs or damaging, destroying, or altering others' information. Malicious apps used in smishing fall under this. Second, it prohibits fraud or deception through information and communication networks. Third, it prohibits illegally collecting or using others' personal information. Fourth, violators can be sentenced to imprisonment of up to 7 years or fines of up to 70 million won.
- Smishing criminals are punished according to this law, and service providers like Coupang can also be held legally responsible if they neglected security obligations. Based on the Information and Communications Network Act, the government blocks sites distributing malicious apps and tracks and punishes smishing text senders.
🔎 Dark Web
- The dark web is an anonymous internet space that cannot be accessed through regular searches.
- The Dark Web is an internet area accessible only through special browsers (e.g., Tor), where users' identities and locations are thoroughly anonymized. Originally created for privacy protection and censorship circumvention, it has become a hotbed for illegal transactions exploiting anonymity.
- Various illegal activities occur on the dark web. First, leaked personal information is traded. Names, phone numbers, emails, and addresses are sold individually or in bundles. Second, credit card information and account information are traded. Third, hacking tools and malicious code are sold. Fourth, illegal items like drugs and weapons are traded.
- If Coupang leak information goes on the dark web, smishing organizations, voice phishing organizations, and other criminal groups can purchase it and launch customized attacks. For example, using real information like "Customer Hong Gil-dong, there's a problem with the product scheduled for delivery to XX Apartment in Gangnam-gu, Seoul" greatly increases the likelihood of victims being fooled. Police and intelligence agencies monitor the dark web, but tracking is very difficult due to anonymity.
5️⃣ Frequently Asked Questions (FAQ)
Q: What should I do if I receive a smishing text?
A: Never click the link, block the sender number, and then delete it.
- If you receive a smishing text, the most important thing is not to click the link out of curiosity or anxiety. First, no matter how plausible the text content seems, never click the link. Second, add the sender number to your spam block list. Third, delete the text. Fourth, warn people around you to be careful too.
- If it's a text about packages or shopping malls, open the official shopping mall app directly to check your order history. If it's about government agencies, contact the agency's website or main phone number directly to verify the facts. You can report suspicious texts to the National Police Agency Cyber Safety Bureau (182) or Korea Internet & Security Agency (118). You can also use telecommunication companies' spam reporting service (#8899) to block the number.
Q: What should I do if I accidentally clicked a smishing link?
A: Immediately switch your phone to airplane mode, change your financial app passwords, and contact your bank.
- If you clicked a link, quick response is important. First, immediately switch your phone to airplane mode or turn it off to cut off external communication. This can prevent malicious code from transmitting information. Second, turn off both Wi-Fi and mobile data. Third, use another device (computer, etc.) to change all passwords for bank apps and major services. Fourth, immediately contact financial institution customer service to request account suspension or monitoring.
- Follow-up measures include: First, factory resetting your phone is the most reliable measure. However, back up important data first. Second, install antivirus apps to scan and remove malicious code. Third, visit telecommunication company or phone manufacturer service centers for expert help. Fourth, check if any strange small payments or account transfers occurred, and if there's damage, report to police. You can call the Financial Supervisory Service (1332) to get guidance on damage relief procedures.
Q: How should Coupang information leak victims respond?
A: Change your password immediately, be especially careful of suspicious texts or calls, and if necessary, you can participate in class action lawsuits.
- If you're a Coupang information leak victim, respond as follows. First, immediately change your Coupang account password. If you used the same password on other sites, change them all. Second, check credit cards or accounts linked to Coupang and inspect for strange transactions. Third, use the free credit check service Coupang provides to verify your credit information hasn't been stolen. Fourth, for the next few months, be especially careful of smishing texts or calls impersonating Coupang.
- Additional response methods include: First, you can contact Coupang customer service to request additional security measures. Second, you can report the damage to the Personal Information Protection Commission or Korea Consumer Agency and receive consultation. Third, if a class action lawsuit is in progress, you can consider participating. Through lawsuits, you can claim damages for mental distress, costs to prevent personal information theft, etc. Fourth, it's also important to raise voices demanding system improvements to strengthen corporate responsibility to prevent similar incidents from recurring.