In SMS phishing (also known as smishing), a cyber attacker uses a text message to deceive or manipulate their target into sharing confidential information or granting access. Smishing can be a doorway to malware infection, data theft, sabotage and a raft of other unwelcome consequences. The Federal Trade Commission found that 22 percent of all fraud reports were the result of smishing.

22 percent of all fraud reports were initiated by text

SMS phishing is a more potent threat than email phishing. First, the number of daily active mobile phone users exceeds the number of daily active Internet users. Second, people tend to read and respond/react to SMS quicker than they do an email. Third, SMS phishing can take advantage of the ‘mini computer’ nature of the smartphone. Many people’s ‘entire lives’ live on their phones — from bank apps to family photos.  

What traits of SMS phishing should you be on the lookout for?

1. Sounds Realistic, Relatable and Legitimate

There is no training that phishing attackers attend. Thus, the sophistication of smishing messages varies enormously. The more amateurish texts are easy to recognize as a scam. On the other hand, the more well thought out messages sound realistic, relatable and legitimate. These may be highly targeted to conform with the realities of the recipient including their name, title, and work/home address. 

For this reason, err on the side of caution. Whenever you receive a message that purports to originate from your employer, bank, utility, hotel, members club, or government, urging you to click a link or provide sensitive information, don’t. Contact the organization directly and confirm that the text is authentic.

2. Contains Links

Given the character limit on text messages, smishing attacks will often involve a brief message followed by a prompt to click a link. This is unlike email phishing where there may be a sizable multi-paragraph message. SMS phishing links will mostly rely on URL shorteners to make the most of the character limit. At the same time, the URL shorteners help disguise fake links.

URL shorteners maximize the character limit and help disguise fake links

The link will send you to a website where you are asked to enter confidential information such as credit card numbers, login credentials, customer details, employee data, organization documents and more. At other times, the link will trigger the download of malware on your phone. The end goal is unauthorized access, identity fraud, data theft or some other form of criminal action.

3. Conveys Urgency and/or Fear

Smishing messages come with a compelling offer or a worrisome scenario, either of which is meant to drive you into urgently doing what the criminal wants. It is after all a form of social engineering with the attacker manipulating your emotions to get you to respond quickly. 

For example, a text allegedly sent by your bank due to an issue with your account or credit/debit card that needs to be addressed urgently to ensure continued use. Or it could be from a streaming service asking you to update your personal information or payment details. Fraudsters are even riding on COVID-19 pandemic fears by sending fake updates directing you to a link for more helpful resources.

4. Spoofed Number or Caller ID

Using a spoofed number for a smishing attack often makes it more believable. Phone number spoofing is of itself not illegal in the US as long as it is not meant for wrongdoing. Telcos and regulators have sought to reduce number spoofing in recent years but the problem persists. Also, some popular caller ID apps such as Truecaller can be used to spoof caller/sender names though this only works if the recipient has the app installed and is using it as their default messaging/calling app.

Where caller number or ID spoofing is not an option, criminals will instead use language within the message that makes it seem like it originated from a credible source such as your bank, utility, or media streaming service.

Protect Yourself from Smishing

You cannot completely avoid being the target of SMS phishing. The best you can do is ignore, report then delete the message. Deletion is important since as long as the message stays in your inbox, there is always the risk that you could accidentally click on the link in future, the result of which may be a malware infection.

The realization that you are dealing with a SMS phishing attack may come to you along the process. Whether it’s after opening the message, clicking on a link, or providing information. When it does, stop immediately. If you clicked the link, install or update your phone’s antivirus then run a full device scan. In case you have shared confidential information, take appropriate remedial action depending on what data it involves. That could for example mean canceling your credit/debit card or filing fraud watch reports with credit bureaus. 

Suspect you could be the target of SMS phishing? Contact us today to schedule a consultation! Call 225-315-3498 or reach us online.

 

The pandemic ushered in a new era of work – and it seems it is here to stay. These days, almost three-quarters of US workers either work remotely or ‘hybrid’, spending their time both in the office or at home.  [Read more…]

Business continuity and disaster recovery are two essential, interwoven plans your business needs to have in place. Combined, these strategies enable your company to better weather unforeseen disasters, maintain resilience and keep operations up and running.  [Read more…]

Cloud storage has become a must-have for businesses of all sizes. Rather than paying for expensive, on-premises servers, companies can access limitless storage capabilities in the cloud – at a fraction of the cost.  [Read more…]

The phrase “no man is an island” feels very fitting in the context of today’s supply chains. Today, no business is an island. Thanks to the proliferation of technology, companies increasingly rely on each other for products and services. Digitally, we are more connected than ever. [Read more…]

When it comes to lowering costs, boosting employee productivity and improving business efficiency, the cloud is a holy grail for small and medium-sized businesses.  [Read more…]

You’ve heard of malware and ransomware. Now, it’s time to learn a new term: Bossware. Don’t worry. Bossware isn’t a new type of hacking software you need to worry about. It’s actually something that you can use to your advantage.  [Read more…]

Users often seek out virus removal after a virus has been wreaking havoc on their system for far too long. Most of the malware used today is designed to spread quickly to other devices on the same network, so time is of the essence when detecting a potential infection. [Read more…]

Did you know that most data breaches aren’t the result of some big hack by clever criminals? They’re the result of businesses lacking basic cybersecurity best practices. [Read more…]

When you get a phishing email, it’s often not a single hacker on the other end of the attack. Many times, it’s a large criminal organization that treats phishing attacks as a business, thus they are always working to optimize them to get more money from victims. [Read more…]