- Smishing attacks differ from ordinary phishing attacks in significant ways.
- It’s important to be aware of smishing tactics and how they work.
- Effective smishing prevention is possible with the right security tactics.
By now we are all too familiar with phishing attacks. They have received lots of press coverage and are at the heart of many cyberattacks. But attackers are getting more specialized and have turned to other variations, one of which goes by the term smishing. This is the same set of social engineering techniques, delivered over SMS text messages rather than the emails that traditional phishing lures use. SMS phishing, get it? Verizon’s 2020 Mobile Security Index found that 15% of enterprise users encountered a smishing link in Q3 2019.
“Text messages can contain links to such things as webpages, email addresses or phone numbers that when clicked may automatically open a browser window or email message or dial a number. This integration of email, voice, text message and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity.”
How Smishing Attacks Work
As mentioned in this piece in ZDNet, your text messages generally fall into three categories:
- From people you know well and are regularly in touch with, such as friends and family members,
- From people you don’t know that are clearly spam, and
- Texts that aren’t so obvious one way or the other.
It is this last category that is the smisher’s stock in trade. Criminals try to convince you that they are a trusted correspondent so that you will hand over your account information. The lure could be a text notifying you that a package has shipped, a notice about your Amazon account, or a text that appears to come from one of your business partners.
It is in this gray area where things get interesting. “A typical smishing scam message may seem like it’s from a bank – maybe your bank – and include a link or phone number to bait you into clicking or calling,” says the FCC in this warning about smishing. Here is a good demonstration of a typical bank smishing scheme.
“People are often less watchful for suspicious messages on their phones than on their computers: they’re more likely to open a potentially suspicious text message than an email message,” says this post on CSOonline. That post lists three different types of smishes:
- Ones that try to get your credentials, such as your password or bank account number.
- Ones that try to get you to download malware.
- Ones that try to get you to send money. Those Nigerian royal entreaties still plague the texting world too.
More Clever Cases
Criminals are continuing to go beyond these simple lures, however. In one rather sophisticated 2017 case, the criminal triggers your bank’s step-up authentication so that the bank sends you a genuine text authentication query, then tricks you into relaying that code to the attacker, who uses it to compromise your account. In another case from 2018, Brian Krebs describes how one criminal combined smishing with cardless ATM transactions (withdrawals made with just a mobile phone) to steal funds. This is certainly a fruitful area and you can expect more innovation to come. This post from Inky, an anti-phishing vendor, has lots more to say about recent innovations in phishing and related scams.
How to Prevent Smishing
Here are some suggestions on how to be more discerning about the texts you receive, and ways to stop a potential smishing attack.
- Don’t respond to any calls to action you get via texts. Almost every text message is read, according to surveys, and almost half get a quick reply. Think before you click on a link or call the phone number listed. Better yet, don’t respond, click or call at all. This includes sending back a “Stop” message: any reply confirms to the sender that your number is live and read. Just delete it.
- If you feel you have to respond, do it out of band. Go to the FedEx website and track your package that way. Call your bank directly to see if you have a fraud alert. Here is a Tweet stream that shows the lengths that one person went through to research and vet one text.
- Is something out of character? Is this a text out of the blue from some long-lost correspondent? Does it contain one or more simple grammatical errors? Is it an offer of money that seems too good to be true? If so, it is. The IRS and the Social Security Administration won’t initiate contact with you by text.
- Add the smishing originating number to your block/junk list. Block unknown senders on your phone or use your phone provider’s blockers.
- Secure your phone. In a previous blog post, we recommend numerous actions to take. This should include the review of your phone’s and social media privacy settings periodically. Apps such as The Data Detox kit, Jumbo and Priiv are useful to help with this task.
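The checks in the list above, together with the three kinds of smish described earlier (credential theft, malware links and money lures), can be turned into a simple triage rule set. The script below is an added example, not code from the original post or from any product it mentions: it scores a message on indicators such as a link whose domain does not match the brand the text name-drops, a URL shortener, a request to reply with a code, urgency wording and “Reply STOP” bait. The brand-to-domain allow-list, the weights, the thresholds and the sample messages are all assumptions constructed for illustration.

```python
"""Heuristic triage of SMS text for common smishing indicators.

Added example, not from the original post. The brand allow-list, the weights,
the thresholds and the sample messages are assumptions built for illustration.
"""
import re

# Non-capturing groups so findall() returns whole URLs; the scheme is optional
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
# North American style callback numbers, e.g. (800) 555-0199
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# "reply/send/text ... code/PIN/password": a request to relay a one-time code
CODE_REQUEST_RE = re.compile(r"\b(?:reply|send|text)\b.{0,40}\b(?:code|pin|password|otp)\b", re.I)
MONEY_RE = re.compile(r"\b(?:won|prize|gift card|inheritance|lottery)\b|\$\d", re.I)
STOP_BAIT_RE = re.compile(r"\breply\s+stop\b", re.I)
URGENCY_WORDS = ("immediately", "suspended", "verify", "locked", "act now", "urgent", "within 24 hours")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
# Hypothetical allow-list: brand named in the text -> domain a genuine message would link to
BRAND_DOMAINS = {"chase": "chase.com", "fedex": "fedex.com", "amazon": "amazon.com", "irs": "irs.gov"}


def registered_domain(url: str) -> str:
    """Host of the URL reduced to its last two labels (naive: ignores co.uk-style suffixes)."""
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    return ".".join(host.split(".")[-2:])


def triage(message: str, known_contact: bool = False) -> dict:
    """Return the indicator flags, a weighted score and a verdict for one message."""
    text = message.lower()
    flags = []  # (name, weight); weights are illustrative assumptions
    domains = [registered_domain(u) for u in URL_RE.findall(message)]
    if domains:
        flags.append(("contains_link", 1))
    if any(d in SHORTENERS for d in domains):
        flags.append(("shortened_link", 2))
    for brand, legit in BRAND_DOMAINS.items():
        # Brand is named but at least one link points somewhere else
        if re.search(rf"\b{brand}\b", text) and domains and any(d != legit for d in domains):
            flags.append(("brand_link_mismatch", 3))
            break
    if PHONE_RE.search(message):
        flags.append(("callback_number", 1))
    if any(w in text for w in URGENCY_WORDS):
        flags.append(("urgency", 1))
    if CODE_REQUEST_RE.search(message):
        flags.append(("code_or_credential_request", 3))
    if MONEY_RE.search(message):
        flags.append(("money_lure", 2))
    if STOP_BAIT_RE.search(message):
        flags.append(("reply_stop_bait", 1))
    if not known_contact:
        flags.append(("unknown_sender", 1))
    score = sum(w for _, w in flags)
    verdict = "smishing" if score >= 4 else "suspicious" if score >= 2 else "ok"
    return {"flags": [name for name, _ in flags], "score": score, "verdict": verdict}


# Constructed sample messages (text, is the sender a known contact?)
SAMPLES = [
    ("Chase Alert: your account has been locked. Verify immediately at "
     "https://chase-secure-login.com/verify or call (800) 555-0199", False),
    ("FedEx: your package is waiting. Schedule delivery: http://bit.ly/pkg-redeliver", False),
    ("We sent you a verification code. Reply with the code to confirm it's you.", False),
    ("Hey, running 10 min late, order me the usual?", True),
    ("Congratulations! You've won a $1000 gift card. Reply STOP to opt out. "
     "Claim: http://prizes-now.info", False),
    ("Your Amazon order 112-4455 has shipped. Track it at https://www.amazon.com/orders", False),
]

if __name__ == "__main__":
    for msg, known in SAMPLES:
        result = triage(msg, known)
        print(f"{result['verdict']:<10} {result['score']:>2}  {', '.join(result['flags'])}")
```

The last sample is the gray-area case the post describes: a plausible shipping notice from an unknown number with a link to the real brand domain scores only “suspicious”, which is exactly where the out-of-band check (open the retailer’s site yourself) belongs rather than tapping the link. The code-relay sample shows why a message asking you to reply with a code you just received deserves the highest weight: that is the step-up authentication trick from the 2017 case.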
Take a Holistic Approach to Your Mobile Device Security
The tactics outlined above will help you deal with potential smishing threats, but it’s still important to think about mobile security from a broader perspective. Network Solutions offers the perfect tool to help you do just that, with Cyber Security Solution. Stop breaches before they happen and take advantage of a 24/7 Cyber Security Operations Center, among other helpful features. It’s one more way we help you stay safe on every device.