It was inevitable that cyber criminals would begin to target mobile devices to access company data, and text messaging is the obvious point of entry.
Do you remember the last time you interacted with a brand, political cause, or fundraising campaign via text message? Have you noticed these communications occurring more frequently of late?
Marketers know that around 98% of SMS messages are read within seconds of being received.
As with any development in how we communicate, the rise in brand-related text messaging has attracted scammers looking to profit. With this we arrive at a funny new word in the cybersecurity lexicon, “smishing.”
SMS + Phishing = Smishing
For the rest of us, smishing is the act of using text messages to trick individuals into divulging sensitive information, visiting a risky site, or downloading a malicious app onto a smartphone. These harmless-looking messages might ask you to confirm banking details, verify account information, or subscribe to an email newsletter via a link delivered by SMS.
As with phishing emails, the end goal is to trick a user into an action that plays into the hands of cybercriminals. Shockingly, smishing campaigns often closely follow natural disasters as scammers try to prey on the charitable to divert funds into their own pockets.
Smishing vs Vishing vs Phishing
Smishing, as described above, uses text messages to extract the sought-after information. Different smishing techniques are discussed below.
Vishing is when a fraudulent actor calls a victim pretending to be from a reputable organization and tries to extract personal information, such as banking or credit card information.
Phishing is any type of social engineering attack aimed at getting a victim to voluntarily turn over valuable information by pretending to be a legitimate source. Both smishing and vishing are variations of this tactic.
Examples of Smishing Techniques
Enterprising scammers have devised a number of methods for smishing smartphone users. Here are a few popular techniques to be aware of:
1. Sending a link that triggers the downloading of a malicious app. Clicks can trigger automatic downloads on smartphones the same way they can on desktop internet browsers. In smishing campaigns, these apps are often designed to track your keystrokes, steal your identity, cede control of your phone to hackers, or encrypt the files on your phone and hold them for ransom.
2. Linking to information-capturing forms. In the same way many email phishing campaigns aim to direct their victims to online forms where their information can be stolen, this technique uses text messages to do the same. Once a user has clicked on the link and been redirected, any information entered into the form can be read and misused by scammers.
3. Targeting users with personal information. In a variation of spear phishing, committed smishers may research a user’s social media activity in order to entice their target with highly personalized bait text messages. The end goal is the same as any phishing attack, but it’s important to know that these scammers do sometimes come armed with your personal information to give their ruse a real feel.
4. Referrals to tech support. Again, this technique is a variation on the classic tech support scam, or it could be thought of as the “vish via smish.” An SMS message will instruct the recipient to contact a customer support line via a number that’s provided. Once on the line, the scammer will try to pry information from the caller by pretending to be a legitimate customer service representative.
How to Prevent Smishing
Look for all the same signs you would if you were concerned an email was a phishing attempt:
1) Check for spelling errors and grammar mistakes.
2) Visit the sender’s website itself rather than providing information in the message.
3) Verify the sender’s telephone number to make sure it matches that of the company it purports to belong to.
Never provide financial or payment information on anything other than the trusted website itself.
Don’t click on links from unknown senders or those you do not trust.
Be wary of “act fast,” “sign up now,” or other pushy and too-good-to-be-true offers.
Always type web addresses in a browser rather than clicking on the link.
Install a mobile-compatible antivirus on your smart devices.
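For teams that triage reported texts, the checks above can be turned into a first-pass filter. The sketch below is an added example, not code from the original article: the brand allow-list, the keyword list, the flag names and the sample messages are all constructed assumptions. It flags links, links whose host is not really the claimed sender's domain, app downloads, pushy wording, requests for sensitive details, and callback numbers.

```python
import re
from urllib.parse import urlparse
# Constructed allow-list: brand -> domains it really uses (assumption).
KNOWN_DOMAINS = {"examplebank": {"examplebank.example"}}
URGENCY = ("act fast", "sign up now")  # pushy phrases named in the article
SENSITIVE_RE = re.compile(r"\b(?:banking|account|card|password|payment)\b", re.I)
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def parse(url):
    """Parse a URL from a message, adding a scheme to bare www. links."""
    return urlparse(url if "://" in url else "http://" + url)

def is_brand_host(host, brand):
    """True only for the brand's own domain or a real subdomain of it."""
    return any(host == d or host.endswith("." + d)
               for d in KNOWN_DOMAINS.get(brand, ()))

def triage(message, claimed_brand=None):
    """Return the set of smishing indicators found in one SMS body."""
    flags = set()
    for raw in URL_RE.findall(message):
        parts = parse(raw.rstrip(".,!?)"))
        flags.add("link")
        if parts.path.lower().endswith(".apk"):  # Android app package
            flags.add("app_download")
        host = (parts.hostname or "").lower()
        if claimed_brand and not is_brand_host(host, claimed_brand):
            flags.add("link_domain_mismatch")
    body = URL_RE.sub(" ", message)  # keep URL text out of the word checks
    if any(phrase in body.lower() for phrase in URGENCY):
        flags.add("urgency")
    if SENSITIVE_RE.search(body):
        flags.add("asks_sensitive")
    if PHONE_RE.search(body):
        flags.add("callback_number")
    return flags

# Constructed sample messages, not real traffic.
SAMPLES = [
    ("Examplebank: act fast! Verify your account at "
     "http://examplebank.example.verify-login.test/form", "examplebank"),
    ("Your device is infected. Call support on +1 (555) 010-0199.", None),
    ("Examplebank: statement ready at https://www.examplebank.example/", "examplebank"),
]

if __name__ == "__main__":
    for text, brand in SAMPLES:
        print(sorted(triage(text, brand)), "<-", text[:40])
```

The first sample shows why the host is compared by suffix rather than by substring: the link contains the brand's domain as a prefix but does not belong to it.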