Smishing, or SMS phishing, is text message fraud that tries to lure victims into revealing account information or installing malware. As with phishing, cybercriminals use smishing to steal credit card details or other sensitive information by posing as a trustworthy organization or reputable person in a text message.
With smishing, cybercriminals use a text message to try to get potential victims to give out personal information. The text message, which typically contains a link to a fake website that looks identical to the legitimate site, asks the recipient to enter personal information. Fake information is often used to make the texts appear to be from a legitimate organization or business.
Smishing has grown in popularity with cybercriminals now that smartphones are widely used, as it enables them to steal sensitive financial and personal information without having to break through the security defenses of a computer or network. Public awareness about phishing, smishing and other attacks continues to grow, as many incidents are reported on in the news.
How Smishing Works
Smishing uses social-engineering techniques to lure text message recipients into revealing personal or financial information. For example, during the holidays you get a text message pretending to be from a well-known retailer, telling you to verify your billing information or your package won’t be shipped in time to reach your gift recipient. The only problem is that the fake text message contains a fake website link, and the information you enter there will be used to commit identity theft, fraud and other crimes. Smishing is also used to distribute malware and spyware through links or attachments that can steal information and perform other malicious tasks. Messages typically contain some kind of urgency, threat or warning to push the recipient into taking immediate action.
Other Common Cybercrimes
Education and awareness about potential attacks help improve cyber security. Here’s more information about some common types of cybercrimes.
Spear phishing attacks target individuals or small groups with access to sensitive information or the ability to transfer funds. Spear-phishing emails appear to come from someone the target knows, such as a co-worker or another business associate.
Whaling is a spear-phishing attack that specifically targets senior executives at a business.
With vishing, or voice phishing, cybercriminals pretend to be a legitimate business or organization and leave a telephone message to try to get potential victims to call back with their personal information.
Why Smishing is Important
Every business must educate employees about the dangers of smishing as part of its cyber security plan. With user security awareness training, employees are better able to recognize, avoid, and report potential threats that can compromise critical data and network systems. As part of the training, mock phishing, smishing and other attack simulations are typically used to test and reinforce good behavior.
- A text message requests personal information, such as your Social Security number or an online account password.
- The message asks you to click a link to resolve a problem, win a prize or access a service.
- The message claims to be from a government agency. Government bodies almost never initiate contact with someone by phone or text, according to the FCC.
- The text offers coronavirus-related testing, treatment or financial aid, or requests personal data for contact tracing.
Examples of Smishing Attacks
Since this type of scam employs social engineering techniques, criminals approach victims in different ways in order to convince them that the message is legitimate and that immediate action is needed. Most of them appeal to a sense of urgency.
Common types of smishing are:
- Bank messages notifying that there is a problem with the victim’s account or credit card
Money and account problems are among the most sensitive topics for most people. Therefore, a common type of smishing is a message sent on behalf of the victim’s financial institution stating that a suspicious transaction has been identified, or that their account or credit card is blocked. To solve the problem, or to unlock the account or credit card, the victim is instructed to click on a link to confirm their identity.
- Alerts from a company about suspicious activity
To enhance user security, many companies now send a notification when an account is accessed from a different device or location. Smishing attacks copy this technique and send alerts containing malicious links so the victim will “verify” where the access came from. It is also common for an SMS to be disguised as a two-factor authentication prompt that requires the victim to click on a link for access to be granted.
- Invitations to Participate in a Survey
Even in the case of authentic surveys, few people actually like to give their time to participate. Therefore, in order to convince the victim to click on the link, messages often offer some prize. These invitations may include supposed surveys to evaluate a service or product from large stores.
- Messages notifying the victim that they have won a prize
Another very common technique is a message informing the victim that they have won the lottery or some other prize and must click on a link to find out more or claim it. Although in some cases it is easy to identify the scam, many criminals piggyback on real promotions run by large stores, such as receipt drawings, which makes it more likely that the victim clicks or responds.
One of the ways to prevent such scams is to be aware of how they work and to know how to identify potentially fraudulent messages.
While attacks are becoming increasingly sophisticated, replicating real messages from trusted institutions, there are some details that could reveal a smishing attempt. Spelling and grammar errors are one of the indicators, as well as suspiciously formatted links (“net.flix.com” instead of “netflix.com”, for example).
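The following is an added example, not part of the original article, showing how a defender might triage incoming SMS text against the indicators described above: look-alike link hosts (such as “net.flix.com” for “netflix.com”), urgency language and requests for sensitive data. The brand allowlist, keyword lists and sample messages are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: brand name -> the registrable domain that really serves it.
KNOWN_BRANDS = {"netflix": "netflix.com", "examplebank": "examplebank.com"}

URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "locked", "verify now", "act now")
SENSITIVE_REQUESTS = ("password", "social security", "card number")

# Matches http(s) URLs and bare www. links as they commonly appear in SMS text.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Naive 'last two labels' approximation of the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_brand(host):
    """Return the brand a host imitates, or None. 'net.flix.com' -> 'netflix'.

    Dots and hyphens are stripped so that a brand name split across labels
    still matches; the host is only flagged if its registrable domain is
    not the brand's real domain."""
    flattened = re.sub(r"[.-]", "", host.lower())
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in flattened and registrable_domain(host) != real_domain:
            return brand
    return None


def triage_sms(text):
    """Score a message against the article's indicators; returns (score, reasons)."""
    reasons = []
    lowered = text.lower()
    for raw in URL_RE.findall(text):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = urlparse(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            reasons.append(f"link host {host!r} imitates {brand}")
    if any(w in lowered for w in URGENCY_WORDS):
        reasons.append("urgency language")
    if any(w in lowered for w in SENSITIVE_REQUESTS):
        reasons.append("requests sensitive data")
    return len(reasons), reasons


# Constructed sample messages: two smishing attempts and one benign notification.
SAMPLES = [
    "Your Netflix account is suspended. Verify now at http://net.flix.com/login",
    "ExampleBank: confirm your card number at www.examplebank-secure.net immediately",
    "Your ExampleBank statement is ready at https://www.examplebank.com/statements",
]
```

The heuristics are deliberately simple; a production filter would use a public-suffix list for the registrable domain and a maintained list of the institution’s official domains.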
If in doubt about whether a text message can be trusted, it is worth searching for the number and the message text on the internet to see whether other people have been targeted by the same attack. An even safer alternative is to contact the company through its official channels to confirm that it actually sent the communication. Make sure the sender is reliable before replying to any SMS or clicking a link.
Another tip to be on the safe side is not to store personal and banking information, such as your credit card number, on your smartphone. Thus, even if the device is targeted by malware, the criminal will not have access to this data.
If you spot a smishing attempt, it’s important to report the sender so that the original company can take action and so that others aren’t victims of scams.
Institutions can fight account takeover performed by smishing attacks using recognition signals, such as location behavior, to identify a fraudulent mobile device trying to gain access to a mobile account.