By now we are all too familiar with phishing attacks. They have received lots of press coverage and are at the heart of many cyberattacks. But hackers are getting more specialized and have turned towards other variations, one of which goes by the term smishing. Smishing uses the same social engineering techniques as traditional phishing, but delivers the lure over SMS text messages rather than email. SMS phishing, get it? In its 2020 Mobile Security Index, Verizon found that 15% of enterprise users encountered a smishing link in Q3 2019.
According to Webster’s online dictionary, citations of the term date back at least ten years. The US-CERT defines smishing this way:
“Text messages can contain links to such things as webpages, email addresses or phone numbers that when clicked may automatically open a browser window or email message or dial a number. This integration of email, voice, text message and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity.”
As mentioned in this piece in ZDnet, your text messages generally fall into three categories:
It is this last category that is the smisher’s stock in trade. Criminals try to get you to believe that they are a trusted correspondent so that you will give them your account information. The lure could be a text notifying you about a package that has shipped, a text about your Amazon account, or a text that appears to come from one of your business partners.
It is in this gray area where things get interesting. “A typical smishing scam message may seem like it’s from a bank – maybe your bank – and include a link or phone number to bait you into clicking or calling,” says the FCC in this warning about smishing. Here is a good demonstration of a typical bank smishing scheme.
“People are often less watchful for suspicious messages on their phones than on their computers: they’re more likely to open a potentially suspicious text message than an email message,” says this post on CSOonline. That post lists three different types of smishes:
Criminals are continuing to go beyond these simple lures, however. In one rather sophisticated 2017 case, a criminal gets you to use your bank’s step-up authentication to send you a real text authentication query, which the attacker then uses to compromise your account. In another case from 2018, Brian Krebs describes how one criminal combined smishing with a cardless ATM transaction (meaning just using a mobile phone for withdrawals) to steal funds. This is certainly a fruitful area and you can expect more innovation to come. This post from Inky, an anti-phishing vendor, has lots more to say about recent innovations in phishing and related scams.
Here are some suggestions on how to be more discerning about the texts you receive, and ways to stop a potential smishing attack.
The tactics outlined above will help you deal with potential smishing threats, but it’s still important to think about mobile security from a broader perspective. Network Solutions offers the perfect tool to help you do just that, with Cyber Security Solution. Stop breaches before they happen and take advantage of a 24/7 Cyber Security Operations Center, among other helpful features. It’s one more way we help you stay safe on every device.