Billions of text messages travel daily, and threat actors actively use SMS phishing, i.e., Smishing, to target users—and their money. Mainly because globally, mobile and email messaging volumes continue to rise, with mobile messaging traffic, in particular, showing no signs of slowing down in 2021.
During the COVID-19 pandemic, 44% of US Americans said they had seen increased scam phone calls and text messages during the first two weeks of the nationwide quarantine period.
But how do such attacks work, and which are the telltale signs that help users avoid them?
What Is Smishing?
Smishing is a type of text-messaging or SMS-based phishing attack. In Smishing, the attack platform is a mobile phone. The criminal plans the attack to obtain personal information such as social security or credit card numbers.
The majority of the world’s 3.5 billion smartphones can receive text messages from any number on the planet. Many users are already aware of the risks associated with clicking a link in an email message.
However, the dangers of clicking links in text messages are less well known. Smishing is often profitable for attackers phishing for credentials, banking information, and private data because users trust text messages.
Types Of Smishing Attacks
Smishers can send messages to any number of digits that equals the length of a phone number. They are free to try any digit combinations they want. Users read 98 percent of text messages and respond to 45 percent, according to Gartner. This makes the text a logical attack vector for Smishers, especially since only 6% of emails receive responses. These tend to increase the severity of smishing attacks, which are on the rise!
Following are the common types of smishing attacks.
The Smishers could try several different things with a text message. This includes impersonating a bank representative and stealing your personal information. They might try to persuade you to connect to your bank’s website and verify a recent suspicious charge by sending you a text message with a link.
Finally, they may request that you call their customer service number conveniently included in the text message to discuss a recent suspicious charge or a compromised account. This format may take the shape of other services, like mobile plan free upgrades or prize giveaways.
An attacker may use the image of a relative on an instant messenger with a different phone number, claiming they had to change their number due to having their device stolen or another excuse. From there, they may ask for a loan or emergency money to solve a banking issue or to make a purchase.
This impersonation attack relies on social engineering and is a recurrent form of Smishing in countries where apps like WhatsApp are more common.
Instant Messaging Smishing
Smishing does not technically include phishing via instant messenger freeware such as Facebook Messenger or WhatsApp, but it is closely related. Instead, the Smisher takes advantage of users’ growing comfort with receiving and responding to messages from strangers via social media platforms, like responding to offers.
The goal of the attack, like an authentic phishing scheme, is for you to provide personal information to the threat actor, such as passwords or credit card numbers. These attackers are ready to offer great value in exchange for your sensitive information. Such offers frequently include a clickable link.
How Does Smishing Work?
The majority of smishing attacks are similar to email phishing. The attacker sends the user a message that entices them to click a link or request a response containing the targeted user’s personal information. An attacker may seek any information, including:
- Links to shady and fraudulent websites
- Premium customer service can be reached by phone.
- Transferring funds to the Smisher’s account
- Financial information that can be sold on darknet markets or used in online fraud
- Responding to SMS messages that contain specific pieces of information, such as
- Username and password for an online account
- Personal data that could be used to commit identity theft
Smishers use a variety of techniques to persuade users to send personal information. For example, they may use public online tools to obtain basic information about the target (such as name and address) to deceive the target into believing the message is coming from a reliable source.
The message is more compelling as a result of these details. The smisher may address you directly using your name and location. The text then displays a link to a server controlled by the attacker. These links could take you to a phishing website that steals your credentials or inject malware that infects your phone. The malware can then snoop on the user’s smartphone data or invisibly send sensitive information to an attacker-controlled server.
Smishing works in conjunction with social engineering. Before sending a text message, the attacker may call the user and ask for personal information. The smisher can then use the private information in a text message attack. Several telecoms have tried to combat social engineering calls when a known scam number calls by displaying “Spam Risk” on a smartphone.
Basic Android and iOS security features frequently stop malware. However, even if mobile operating systems have robust security controls, no security controls can prevent users from willingly sending their data to an unknown number.
Examples Of Smishing
The number of fraudulent messages is on the rise. The content is becoming increasingly sophisticated over time. In the United Kingdom alone, more than 96,000 smishing attacks happened. People who choose to record their experiences are the only ones who have these records. There have been numerous incidents that have gone unnoticed or documented.
Smishing attacks have a lot of concerning examples. So, let’s look at some of the biggest global smishing scams:
- In 2018, a smishing attack occurred at one of the largest banks in the United States. Several customers entered their credentials on a bogus website during the attack. The spoof website gathered information used to access the financial data of a large number of customers. As a result, over USD 68,000 was taken from the hacked accounts.
- Another instance of smishing would be the withdrawal of GBP 23,000 from the account of a British man. As soon as the attack exposed his OTP (one-time password), the attackers withdrew the amount. A Smisher who was keeping track of the victim’s communications with Santander Bank crafted the spoof message. The victim had exchanged numerous messages with the legitimate bank using a similar thread.
- The Czech Republic was the scene of one of the world’s most significant smishing attacks. The public was duped into downloading a fake application as part of the attack. The application stated that it came from the national postal authorities. However, a bogus application infected the victims’ computers with a Trojan virus, designed to steal financial information from the devices, such as credit card numbers.
Here's What to Look Out For
Bank notifications, package updates, act-now coupons, and urgent warnings are all warning signs of Smishing. If you get one of these from an unknown number, be wary, especially if it’s a financial text. Smishing messages frequently combine deceptive branding with a sense of urgency and a user’s request to click on a malicious link. Here are a few warning signs:
- It includes a number or a link
- It requires an urgent response
- The subject line is random letters
- It is formatted incorrectly
- It is grammatically poor
Here are four examples of what these texts look like in 2021, based on recent delivery, social, and financial smishing attempts. We didn’t do any fancy research to get these photos; we simply looked through our phones and asked our colleagues to do the same. Here’s what we came up with:
How To Protect from Smishing Attacks
Protection from Smishing, like email phishing, is contingent on the targeted user’s ability to recognize a smishing attack and either ignore or report the message. If a phone number is frequently used in scams, the telecom may alert users who receive messages from that number to ignore or expose the content.
Smishing messages are only dangerous if the target user responds by clicking a link or sending private information to the attacker. Here are some tips for spotting Smishing and avoiding becoming a victim:
- Make sure you register with the Do Not Call Registry in your country. Even if you *believe* you signed up for this, you may need to re-register your mobile phone number. While the Do Not Call list isn’t foolproof, it should significantly reduce unwanted phone calls and texts.
- If your messaging client has a spam reporting feature, use it, or forward spam text messages to the local regulatory agency. You can also file a complaint with that agency. After you’ve reported spam, make sure to block the phone number.
- Only click links sent to you via text message if you expect them or have double-checked the sender’s identity. Remember that messages received from a phone number with only a few digits were most likely sent from an email address, indicating spam.
- Go directly to the websites of reputable vendors (separately from text messages). Therefore, don’t click the link if you get a text message asking you to check an order status or change your password type. Instead, go directly to the organization’s website and proceed from there.
- Finally, do not respond to strange texts for any reason. This action only confirms that you’re a “real person,” putting you at risk of further harassment in the future.
Smishing is a type of phishing attack. These sniffing attacks target victims by sending emails and text messages to them, expecting that they will respond with valuable information. Questions like how a Smisher works and what security tool is best for your needs will only find an answer once you and your employees understand what phishing is and how it works.
Right-Hand Cybersecurity provides a customized cybersecurity learning experience for your workforce. For example, Phishing Readiness drives behavioral change and better security awareness habits. Schedule a demo today and prepare your employees to identify various attacker techniques by creating and launching custom phishing simulations.