What is Smishing? A guide to SMS phishing attacks
Don't let the funny name confuse you. Smishing is a major scam that could have big financial implications.
What is smishing?
Most people are familiar with phishing scams, where scammers try to trick you into giving them your personal or financial information by pretending to be a legitimate company or organisation. But have you ever heard of smishing or vishing?
Smishing – a combination of the words “SMS” and “phishing” – is a scam where fraudsters use mobile phone text messages to trick you into opening a malicious attachment or link.
Typically, the text messages claim to come from a reputable organisation such as your bank, card issuer, a service provider such as your mobile phone company, or even a government department such as Revenue.
They are often difficult to spot and may even appear within a genuine “thread” of text messages you may have received from a legitimate organisation. It may even include urgent language or threats in an effort to get victims to act quickly. In some cases, the message may also include a link that directs victims to a fake website where they are prompted to enter personal information or download malware.
How does smishing work?
Smishing attacks can range in sophistication, making some of them harder to spot than others. These attacks can be delivered through both conventional text messaging and non-SMS messaging apps, such as WhatsApp, Viber or Snapchat.
Typically, smishing attacks work in the following way:
The attacker sends a victim a smishing text message that seems to come from a legitimate source, such as a government agency, bank or well-known business.
The message delivers a sense of urgency and compels the victim to take immediate action, such as clicking on a link or calling a phone number.
Once the victim opens and clicks on the link or dials the phone number listed in the message, they're taken to a fraudulent website or a mobile phone line that's designed to resemble a legitimate source.
The victim might be asked to enter sensitive information, such as login credentials, social security numbers, credit card information or personal identification numbers (PINs). Once the victim's sensitive information is divulged, the attacker might steal it to commit fraud for personal gain or to compromise the victim's device by installing malware on it.
In some instances, the victim is directed to call a phone number where they're prompted to provide personal details or banking information or respond to automated prompts.
Types of smishing attacks
The following are some common types of smishing attacks:
Urgent message scams. These smishing attacks might warn a victim that their account is in jeopardy or delivery will be canceled to get them to respond hastily without thinking.
Fake survey scams. These messages encourage people to complete a survey in exchange for a prize, but they're intended to steal personal information.
Tax season scam. Some smishing attacks try to convince people they owe money after filing their taxes and take them to a fraudulent website where they can pay the required amount. Another popular strategy is to convince a victim they're entitled to a substantial refund and ask them to click on a link to recover their money. Once the link is clicked, spyware is typically installed on a victim's cell phone.
Fake message scams. These smishing messages might appear to be from a reputable source, such as a bank or social networking site, but they're false messages designed to dupe victims into disclosing vital information.
Gift card scams. These messages claim a victim has won a gift card or prize and encourage them to click a link to claim it. In reality, it's a ploy to trick people into sharing sensitive information.
Malware-embedded communications. These messages contain a link to a phony or malware-laden website, which if clicked, can install malicious software on the victim's device.
Fake delivery scams. Shipping companies such as FedEx and UPS urge customers to be on the lookout for scams involving messages about the attempted delivery of a package. These messages frequently start by saying a delivery attempt was made but the recipient wasn't home. The text might redirect the recipient to a website to reschedule their delivery. Once the victim logs in, the seemingly legitimate website might ask for more personal information, including credit card numbers, birthdates or even Social Security numbers.
Examples of a smishing text message
Here are some examples of smishing text messages hackers use to steal your personal details:
“We have detected unusual activity on your account. Please call this number to speak to a customer service representative.”
“You have won a free gift card! Click here to claim your prize.”
“Hi! We noticed that you’re a recent customer of ours. To finish setting up your account, please click this link and enter your personal information.”
“Urgent! Your bank account has been compromised. Please click this link to reset your password and prevent any further fraud.”
“Hey, it’s [person you know]! I’m in a bit of a bind and could really use your help. I sent you a link to my PayPal, could you send me some money?”
How to defend against smishing attacks
Smishing and other mobile threats are on the rise as more people use mobile devices for online activities. Therefore, it's important to exercise caution and verify the authenticity of any unusual messages.
The following measures can mitigate smishing and other types of cyber attacks:
Never click on links, respond to text messages or call numbers that aren't recognizable.
Avoid answering a message, especially if it instructs you to "text STOP" to end the message.
Delete any questionable text messages.
Ensure the smart device's operating system and security apps are up to date.
Consider installing antimalware software on the device for added security.
If a message displays a sense of urgency, slow down and proceed cautiously. Urgent account upgrades and limited-time offers are indicators of imminent smishing.
When in doubt regarding a notification, a user should contact their bank immediately, since legitimate institutions don't send text messages requesting account changes or login information.
Examine any unusual phone numbers, such as four-digit ones, as they may indicate the use of email-to-text services. This is one method a scammer might use to conceal their real phone number.
Change passwords regularly. This applies to both device passwords, as well as passwords used to log into bank accounts and other personal services.
Use multifactor authentication (MFA). If the account being compromised requires a second key for verification, a revealed password might still be useless for a smishing attacker.
Set up spam filters on mobile devices to block spam calls and text messages from being received on the devices.
Be aware that cybercrime and hacking can happen to anyone. Criminals are always looking for new ways to exploit people, and they know that others may not be cautious or recognise the warning signs of phishing scams when using the internet. That’s why it’s important to be aware of the different types of cybercrime and how to protect yourself.
Do you want to eliminate cyber security breaches? Get in touch with the team today to find out more about our managed IT services.