Smishing, meaning SMS phishing, is a phishing attack conducted via text messages to scam victims. These scams target individuals or businesses to steal money, sensitive data, or both.
Smishing attempts have seen a rise in popularity. You’ve probably received a few smishing texts on your phone, and you’re not alone.
Smishing works because SMS has no filtering comparable to what email servers apply. Criminals can easily create and impersonate phone numbers using VoIP to text any number, and mobile carriers don’t have robust spam filters, so malicious text messages get delivered.
Learn how smishing works, examples of smishing, and what you can do to stop them.
How Smishing Attacks Work
Smishing is a type of phishing attack which begins with an attacker sending a text message to an individual. The message contains social engineering tactics to convince the person to click on a malicious link or send sensitive information to the attacker. Criminals use smishing attacks for purposes like:
- Steal login credentials for accounts via credential phishing
- Obtain private data such as social security numbers
- Get the victim to send money to the attacker
- Install malware on the victim’s phone
- Establish trust before switching to other forms of contact, such as phone calls or emails
Attackers may pose as trusted sources like a government organization, a person you know, or your bank. And messages often come with manufactured urgency and time-sensitive threats. This can make it more difficult for a victim to notice a scam.
Phone numbers are easy to spoof with VoIP texting, where users can create a virtual number to send and receive texts. If a certain phone number is flagged for spam, criminals can simply recycle it and use a new one.
Examples of Smishing
There are a few ways attackers use smishing to manipulate individuals, including these common tactics.
- Account closure: Attackers send a message claiming the person’s account has been disabled and that they need to reset their password. The messages walk the person through resetting their password, and the attacker steals their online credentials during the process. These attacks often impersonate banks, well-known brands, and government agencies.
- CEO fraud: Attackers impersonate a boss or manager and then send messages to employees asking for help to fulfill a request. The impersonator may ask an employee to buy gift cards for a company party, pay an invoice, or send sensitive data. Since the messages come from an authority figure, victims may ignore red flags and fulfill the request.
- Unpaid taxes or fees: Victims receive a message that they owe taxes or unpaid fines, including a link or phone number. However, the link is malicious and designed to steal money.
- Free offers: These smishing attacks tell victims they’ve qualified for a free gift, like a cruise, gift card, or consumer good. They just need to send over some data, enter their login information, or pay a small fee.
Common Signs of Smishing
Text messages are a common way for many people and organizations to reach out to us. For many, it’s not an automatic red flag to receive SMS messages from their bank, places they shop, or acquaintances. People should learn the difference between a legitimate message and a fraudulent message. Here are a few signs to look out for when it comes to smishing attacks:
- Poor spelling and grammar: Organizations care about spelling and grammar and are unlikely to send a message with errors in it. If you notice errors in the text, don’t engage with it.
- Suspicious links: Unfortunately, it’s common for even authentic messages to contain shortened URL links. This makes it difficult to identify the source before clicking on it. You’ll want to verify the message source to avoid malicious links.
- Sense of urgency: A common social engineering tactic is to make a time-sensitive request on short notice. This prevents the recipient from having time to think about their actions. If a message requires urgent action, it may be fraudulent.
- Requests for sensitive information: While government entities, banks, and other organizations may reach out to you via text, they won’t ask for passwords or other sensitive information over text messages. If you get this type of request, ignore or report it.
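The signs listed above can be turned into a simple scoring rule. The following is an added example, not code from the original article: it checks an SMS body for urgency wording, requests for sensitive data, and shortened links, and treats two or more signs together as the cue to verify the sender out of band. The word lists, the threshold, and the sample messages are assumptions constructed for the example.

```python
import re

# Sign heuristics drawn from the list above. Word lists and the threshold
# are assumptions for this example, not a published detection rule set.
URGENCY = ["immediately", "urgent", "within 24 hours", "suspended", "locked",
           "final notice", "act now", "will be closed"]
SENSITIVE = ["password", "pin", "ssn", "social security", "one-time code",
             "verification code", "card number"]
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}


def _phrase_re(phrases):
    # Whole-word match so "pin" does not fire on "shipping".
    return re.compile(r"\b(?:" + "|".join(re.escape(p) for p in phrases) + r")\b", re.I)


URGENCY_RE = _phrase_re(URGENCY)
SENSITIVE_RE = _phrase_re(SENSITIVE)
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


def smishing_signs(text):
    """Return the warning signs found in one SMS body, in a fixed order."""
    signs = []
    if URGENCY_RE.search(text):
        signs.append("urgency")
    if SENSITIVE_RE.search(text):
        signs.append("sensitive-info-request")
    hosts = [h.lower() for h in URL_RE.findall(text)]
    if any(h in SHORTENERS for h in hosts):
        signs.append("shortened-link")
    return signs


def is_suspicious(text, threshold=2):
    """Two or more signs together is the cue to verify the sender out of band."""
    return len(smishing_signs(text)) >= threshold


# Constructed sample messages for the example (not real smishing captures).
SAMPLE_MESSAGES = [
    "Your bank account has been locked. Verify your password immediately at https://bit.ly/xyz123",
    "Your package is shipping today. Track it at https://www.example.com/track/123",
    "URGENT: Unpaid toll fee. Pay within 24 hours to avoid a fine: https://tinyurl.com/abc",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(is_suspicious(msg), smishing_signs(msg), msg[:48])
```

Poor spelling is deliberately not scored here: a word-list check produces too many false positives on informal but legitimate texts, so that sign is best left to the reader.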
Difference Between Smishing and Vishing
While smishing and vishing attackers both rely on a phone to conduct their scams, they do so in completely different ways. Smishing focuses on SMS messages while vishing happens over a phone call.
Vishing, derived from “voice phishing”, is a social engineering attack where a criminal impersonates a trusted source to manipulate the victim into sharing sensitive information like credit card numbers or online bank account passwords.
Both scams use similar false pretenses, but the delivery method is different.
Difference Between Phishing and Smishing
Smishing is a type of phishing attack. While smishing is done over text, phishing attacks can utilize phone calls, emails, or direct messages in social media apps.
Smishing and phishing share many similarities. They both rely on social engineering tactics to trick people into handing over private information, downloading malware, or sending money. They also are designed to look and feel like legitimate messages from trusted sources.
Preventing Smishing Threats
Unfortunately, it’s hard to prevent smishing texts from ending up on your phone. The open nature of SMS messaging means anyone can text any phone number. While it’s illegal to send scam text messages, criminals aren’t afraid of breaking the law.
Taking the time to think about the authenticity of a text message will go a long way in preventing a successful smishing attack. Here are a few ways to detect and prevent smishing threats.
- Verify an identity: If you get a text from your boss or your bank, for example, make sure it’s actually authentic before replying. Companies often send text messages from five- or six-digit numbers, which makes it more difficult to validate their authenticity. If you have concerns, contact the person or organization directly through a channel you already trust to discuss the message.
- Train employees: Security awareness training helps ensure employees know how to spot and report suspicious texts. While email phishing is a significant problem, employees also need to learn about scams via text or phone calls.
- Ignore it: Smishing text messages are often harmless if you don’t click on any links or respond to them. You could also opt to block the phone number to stop receiving smishing attempts, although scammers usually cycle through random numbers.
- Enable spam protection: Some phones have spam filter capabilities that can divert messages from unknown senders or alert you when a message looks like spam. Scammers thwart these filters by creating new phone numbers, so filtering reduces but does not eliminate smishing.
How to Prevent Smishing Attacks
Given the volume of texts that mobile users receive per day, attackers exploit their target’s lowered guard to steal information. These attacks can take many forms, often disguised as urgent alerts that require an immediate response: requests for personal information such as passwords, fake security updates, notices of locked credit and debit cards, and warnings of compromised bank accounts. All of these have appeared in past SMS phishing attacks, and their success hinges on knee-jerk reactions. In many cases, when users click a link in a malicious SMS, they are redirected to images rather than websites. Unlike websites, which have a certain degree of built-in defense, images are more difficult for monitoring systems to parse, leaving users vulnerable. Before clicking any SMS-based link, do the following: