What is Smishing?
Smishing, or SMS phishing, is a form of social engineering that uses a text message to contact the victim, often with an embedded hyperlink to move the attack out of the limited text message environment. While some people may think that an old-fashioned SMS text message is intrinsically less dangerous than an email, an openable link is a link wherever it is.
Mobile usage has exploded in the last decade: there are 5 billion mobile users, 35 billion app downloads a year, and in the UK four-fifths of online time is spent on a mobile phone. If you launch an electronic social engineering attack, there is a good chance that attack is going to land on a mobile device. So in this article we are going to look at mobile phishing, including SMS-based smishing, but also looking beyond that at the specific risks and defences relating to social engineering attacks on mobile devices.
How Popular are Smishing Attacks?
Fraudulent SMS messages are very common, with millions being sent every year; in a recent study 84% of companies reported having seen smishing attacks against their company. While not as common as email-based phishing attacks, the ease with which SMS can be sent, and the difficulty of blocking SMS messages from arriving, make this a popular and effective method.
Smishing is a popular vector for scammers, who usually send bulk SMS messages to individuals. This SMS spam is relatively unsophisticated because of the large number of messages sent out.
What do they want?
SMS attacks are predominantly looking for two types of information:
- Online account credentials, especially banking.
- Personal information to use for identity theft and credit fraud.
How Does Smishing Work?
Like all forms of social engineering, including vishing and phishing attacks, smishing leverages psychology and the principles of persuasion to get the victim to act. Commonly used principles include URGENCY (“Act now to stop your account being taken over”) and AUTHORITY (“I am the government – click this link to get a support grant”). Here are some commonly used themes in SMS smishing attacks:
6 Ways to Spot a Smish or SMS Scam Text
Most organisations don’t communicate important or urgent things by SMS. If it’s urgent, like a fraudulent transaction, they will phone you. If it’s important, they usually send an email or letter.
Bearing that in mind, here are a few ways to spot a Smish or scam text message.
1. The message is out of character
Your bank won’t send you links by text to update your details and Amazon isn’t in the business of sending out free vouchers.
2. The website link is different or overly complex
If the link has a different name from the claimed sender, or contains extra punctuation such as hyphens or additional subdomains, it might not be from the claimed sender.
3. The message demands immediate action
The message will often say that something disastrous has happened that needs dealing with immediately. Your bank account is locked! Your identity has been stolen! It will need dealing with before you have a chance to think about it.
4. Too good to be true
You’ve won something! Have you really?
5. The message is impersonal
Because attackers need to send out so many of these messages, and because they don’t know much about the victim, they need to keep the messages as general as possible.
6. The sender is an ordinary phone number
Many organisations send SMS messages from specific short codes, which are 6- or 10-digit numbers, as opposed to our ordinary 11-digit phone numbers. If a large organisation is apparently texting you from an ordinary phone number, this could be a red flag.
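The checks in this list can be turned into a simple triage script, which is useful when reviewing messages that staff report to a security team. The following is an added example, not code from the original article: it flags the link-domain mismatch and extra punctuation from point 2, the urgency wording from point 3, the too-good-to-be-true wording from point 4, and the ordinary-number sender from point 6. The brand allowlist, keyword lists, short-code length rule and the three sample messages are all constructed assumptions for illustration; a real deployment would replace them with the organisation's own data.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): which domains each claimed brand legitimately uses.
BRAND_DOMAINS = {
    "hsbc": {"hsbc.co.uk", "hsbc.com"},
    "amazon": {"amazon.co.uk", "amazon.com"},
}

# Keyword patterns for points 3 and 4 of the article; the word lists are an assumption.
URGENCY = re.compile(r"\b(act now|immediately|locked|suspended|within 24 hours|urgent)\b", re.I)
TOO_GOOD = re.compile(r"\b(you've won|congratulations|free voucher|prize)\b", re.I)
URL_RE = re.compile(r"https?://[^\s]+", re.I)

# Constructed sample messages (not real texts): one legitimate short-code OTP,
# one urgency-themed smish, one prize-themed smish.
SAMPLES = [
    {"sender": "60600", "claimed": "HSBC",
     "text": "HSBC: your one-time passcode is 482913. Do not share it."},
    {"sender": "+447700900123", "claimed": "HSBC",
     "text": "Your account has been locked! Act now: https://hsbc-secure.verify-login.example/auth"},
    {"sender": "+447700900456", "claimed": "Amazon",
     "text": "Congratulations! You've won a free voucher, claim at http://amazon.example.win/claim"},
]


def is_under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def normalise_uk_number(sender: str) -> str:
    """Reduce a sender to national-format digits: '+44 7700 900123' -> '07700900123'."""
    digits = re.sub(r"\D", "", sender)
    if sender.strip().startswith("+44"):
        digits = "0" + digits[2:]
    return digits


def is_ordinary_mobile_number(sender: str) -> bool:
    """Point 6: an ordinary UK mobile number is 11 digits starting 07; short codes are shorter."""
    n = normalise_uk_number(sender)
    return len(n) == 11 and n.startswith("07")


def assess(msg: dict) -> list:
    """Return the list of red flags a message triggers (empty list = nothing found)."""
    reasons = []
    text = msg["text"]
    brand = msg["claimed"].lower()
    if URGENCY.search(text):
        reasons.append("urgency")                      # point 3
    if TOO_GOOD.search(text):
        reasons.append("too-good-to-be-true")          # point 4
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        # Point 2: link name differs from the claimed sender's real domains.
        if not any(is_under(host, d) for d in BRAND_DOMAINS.get(brand, set())):
            reasons.append("link-domain-mismatch")
        # Point 2: extra punctuation (hyphens, many dots) used to imitate a brand.
        if "-" in host or host.count(".") >= 3:
            reasons.append("link-extra-punctuation")
    if is_ordinary_mobile_number(msg["sender"]):
        reasons.append("ordinary-mobile-number")       # point 6
    return reasons


if __name__ == "__main__":
    for sample in SAMPLES:
        flags = assess(sample)
        verdict = "SUSPICIOUS" if flags else "no flags"
        print(f"{sample['sender']:>15} | {verdict:10} | {', '.join(flags)}")
```

The script deliberately reports reasons rather than a single score, so an analyst can see which of the six signs fired. Note that the short-code rule is the weakest signal on its own: a legitimate OTP from a short code passes, but an attacker who registers a short code would also pass, so the link and wording checks should carry more weight.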