What Is Smishing And How To Spot This Attack
Smishing
Smishing attacks are on the rise and we are all vulnerable targets. Smishing is not a new tactic but given that worldwide mobile device traffic is up 222% in the past seven years, it’s no wonder we’re seeing an increase in attacks targeted at mobile devices.
Image by broandbandsearch.com
According to the 2020 State of Mobile Phishing report by Lookout, “Quarter over quarter, there is an upward trend in mobile phishing over the last 15 months. Most notably, there’s almost a 37% jump from 4Q2019 to 1Q2020.” The report also shows that smishing and mobile phishing threats could cost an organization with 50,000 mobile devices as much as $150 million per year.
What is Smishing?
The term, smishing is a portmanteau that combines the term, SMS (text messaging) and the word, phishing (sms + phishing = smishing). As you may have guessed, smishing is phishing that uses SMS and similar types of text messaging. (If you are not familiar with phishing, read this Between The Hacks phishing blog to learn more, see examples of advanced phishing attacks, and how to prevent becoming a victim of a phishing attack.) Despite the name, smishing does not have to be delivered as an SMS text message. Smishing attackers will use any form of text or chat messaging that they can, such as Facebook Messenger, WhatsApp, GroupMe, Discord, Slack, or any other text-based mobile application or service. The attraction of attackers to use smishing is not only the increase in mobile device use, but the way that we use mobile devices can also be a factor. Below are four more reasons why smishing is popular and successful.
Mobile device users are more likely to be on the go and less likely to have their guard up.
Generally, people are familiar with phishing attacks and don’t think about those same attacks coming through chat tools.
It is more difficult to identify a malicious or suspicious link on a mobile device due to the small screen and difficulty in revealing the true destination of links.
Many links being delivered through chat tools and social media are shortened URLs which don’t allow the recipient to scrutinize if the URL is suspicious, unless they use a third-party URL lengthening tool.
Examples of Smishing
A Smishing message may look like an alert from a courier service, a notification from a well-known bank or company, or even an announcement about the recipient winning a prize. As mobile numbers are tied to so many online accounts, sometimes the attacker will know the name of the target and include that in the message to add credibility. Below are some smishing examples to help you better understand and identify these types of attacks.
Howtogeek.com shared a package delivery smishing scam that could become very costly for a victim who is not paying close attention to the fine print. This attack starts with an SMS text message, informing the recipient that they have a FedEx package that needs the recipient’s delivery preference.
When the recipient clicks on the link, they are taken to a fake Amazon website where the recipient is informed that if they fill out a short survey, they will be given a change to receive a “Thank You” gift that is worth at least $100. As you can see in the image below, the web page looks and feels very much like the Amazon website.
After completing the survey and accepting the gift, HowToGeek states, “The real scam resides in the fine print. By agreeing to pay the small shipping fee, you’re also signing up for a 14-day trial to the company that sells the scammy products. After the trial period, you will be billed $98.95 every month and sent a new supply of whatever item you claimed as a reward.”
Scams are not the only style of smishing. Just like traditional phishing, many smishing attacks are trying to trick the recipient into sharing sensitive information or login credentials.
As you can see in the image below, there are three smishing examples. A fake bank security text, a free data offer that is using the target’s name, and a social engineering attack in Facebook messenger.
Example of smishing from the 2020 State of Mobile Phishing report by Lookout
And when you click or tap on the smishing link, you may be directed to a page that looks almost exactly like the valid website. You can see in the image below, there is little difference between the fake page and real page.
How to Identify and Protect Against Smishing
While it is more difficult to identify some smishing attacks vs. a phishing email, there are some things that you can do.
Don’t respond to messages from phone numbers or accounts you are not familiar with.
Check the phone number or code that sent the message. If it’s not familiar, look it up online and see if there are other reports of spam or smishing coming from that number.
Often, a “smishing message will come from a "5000" number instead of displaying an actual phone number. This usually indicates the text message was sent via email to the cell phone, and not sent from another cell phone” shares, Intuit.
If you’re not expecting a message, be very cautious. If you place an order for food delivery and are instantly sent a text message with a link to check the status, it’s likely safe. If you receive a similar text message and did not place an order, be very cautious and log into the app or website directly to verify the order.
If you’ve become the target of a smishing attack, HowToGeek recommends blocking the number immediately. iPhone and Android users both have access to built-in spam-blocking tools that should help cut down on the number of fake messages.
