In SMS phishing (also known as smishing), a cyber attacker uses a text message to deceive or manipulate their target into sharing confidential information or granting access. Smishing can be a doorway to malware infection, data theft, sabotage and a raft of other unwelcome consequences. The Federal Trade Commission found that 22 percent of all fraud reports were the result of smishing.
SMS phishing is a more potent threat than email phishing. First, the number of daily active mobile phone users exceeds the number of daily active Internet users. Second, people tend to read and respond to an SMS more quickly than they do to an email. Third, SMS phishing can take advantage of the ‘mini computer’ nature of the smartphone. Many people’s ‘entire lives’ live on their phones, from bank apps to family photos.
What traits of SMS phishing should you be on the lookout for?
1. Sounds Realistic, Relatable and Legitimate
There is no training that phishing attackers attend. Thus, the sophistication of smishing messages varies enormously. The more amateurish texts are easy to recognize as a scam. On the other hand, the more well thought out messages sound realistic, relatable and legitimate. These may be highly targeted to conform with the realities of the recipient including their name, title, and work/home address.
For this reason, err on the side of caution. Whenever you receive a message that purports to originate from your employer, bank, utility, hotel, members club, or government, urging you to click a link or provide sensitive information, don’t. Contact the organization directly and confirm that the text is authentic.
2. Contains Links
Given the character limit on text messages, smishing attacks will often involve a brief message followed by a prompt to click a link. This is unlike email phishing where there may be a sizable multi-paragraph message. SMS phishing links will mostly rely on URL shorteners to make the most of the character limit. At the same time, the URL shorteners help disguise fake links.
The link will send you to a website where you are asked to enter confidential information such as credit card numbers, login credentials, customer details, employee data, organization documents and more. At other times, the link will trigger the download of malware on your phone. The end goal is unauthorized access, identity fraud, data theft or some other form of criminal action.
3. Conveys Urgency and/or Fear
Smishing messages come with a compelling offer or a worrisome scenario, either of which is meant to drive you into urgently doing what the criminal wants. It is after all a form of social engineering with the attacker manipulating your emotions to get you to respond quickly.
For example, you may receive a text allegedly sent by your bank about an issue with your account or credit/debit card that needs to be addressed urgently to ensure continued use. Or it could be from a streaming service asking you to update your personal information or payment details. Fraudsters are even riding on COVID-19 pandemic fears by sending fake updates directing you to a link for more helpful resources.
4. Spoofed Number or Caller ID
Using a spoofed number for a smishing attack often makes it more believable. Phone number spoofing is not in itself illegal in the US as long as it is not meant for wrongdoing. Telcos and regulators have sought to reduce number spoofing in recent years, but the problem persists. Also, some popular caller ID apps such as Truecaller can be used to spoof caller/sender names, though this only works if the recipient has the app installed and is using it as their default messaging/calling app.
Where caller number or ID spoofing is not an option, criminals will instead use language within the message that makes it seem like it originated from a credible source such as your bank, utility, or media streaming service.
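The traits above that are visible in the message text itself (a link, a URL shortener, urgent or fearful wording, a request for sensitive details) can be checked mechanically when triaging reported messages. The following Python is an added example, not part of the original article; the shortener list, keyword patterns and sample messages are constructed assumptions, and a spoofed sender cannot be detected from the text alone.

```python
import re
from urllib.parse import urlparse

# Illustrative, incomplete lists: assumptions for this example only.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|suspended|locked|expires?|"
                     r"final notice|within \d+ (hours?|minutes?))\b", re.I)
SENSITIVE = re.compile(r"\b(password|pin|card (number|details)|payment details|"
                       r"login|verify your|confirm your|update your)\b", re.I)
URL = re.compile(r"\b((?:https?://|www\.)[^\s<>]+|"
                 r"[a-z0-9-]+(?:\.[a-z0-9-]+)+/[^\s<>]*)", re.I)

# Constructed sample messages (not real traffic).
SAMPLES = [
    "ALERT: Your card has been suspended. Verify your details immediately at bit.ly/3xAmPle",
    "Your parcel is ready. Track it at https://www.example.com/track/123",
    "Hi, running 10 min late, see you at the cafe.",
]


def extract_hosts(text):
    """Return the lowercase hostname of every link-like token in the message."""
    hosts = []
    for raw in URL.findall(text):
        url = raw if re.match(r"https?://", raw, re.I) else "http://" + raw
        host = (urlparse(url).hostname or "").lower()
        if host:
            hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts


def triage(text):
    """List the traits a message shows; more traits means more suspicion."""
    hosts = extract_hosts(text)
    traits = []
    if hosts:
        traits.append("contains_link")
    if any(h in SHORTENERS for h in hosts):
        traits.append("shortened_link")  # destination is hidden from the reader
    if URGENCY.search(text):
        traits.append("urgency_or_fear")
    if SENSITIVE.search(text):
        traits.append("asks_for_sensitive_info")
    return traits


if __name__ == "__main__":
    for message in SAMPLES:
        print(triage(message), "<-", message)
```

A message that shows none of these traits is not thereby proven safe; the output is a prioritization aid for whoever reviews reported texts.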
Protect Yourself from Smishing
You cannot completely avoid being the target of SMS phishing. The best you can do is ignore, report, and then delete the message. Deletion is important because, as long as the message stays in your inbox, there is always the risk that you could accidentally click on the link in the future, which may result in a malware infection.
The realization that you are dealing with an SMS phishing attack may come to you partway through the process, whether it’s after opening the message, clicking on a link, or providing information. When it does, stop immediately. If you clicked the link, install or update your phone’s antivirus, then run a full device scan. If you have shared confidential information, take appropriate remedial action depending on what data is involved. That could, for example, mean canceling your credit/debit card or filing fraud watch reports with credit bureaus.