What is Smishing?
Smishing, or SMS phishing, is a form of social engineering that uses a text message to contact the victim, often with an embedded hyperlink that moves the attack out of the limited text message environment. While some people may think that an old-fashioned SMS text message is intrinsically less dangerous than an email, a link that can be opened is still a link, wherever it appears.
Mobile usage has exploded in the last decade, with 5 billion mobile users, 35 billion app downloads a year and, in the UK, four-fifths of online time being spent on a mobile phone. If you launch an electronic social engineering attack, there is a good chance that the attack will land on a mobile device. In this article we look at mobile phishing, including SMS-based smishing, and beyond that at the specific risks and defences relating to social engineering attacks on mobile devices.
How Popular are Smishing Attacks?
Fraudulent SMS messages are very common, with millions being sent every year. In a recent study, 84% of companies reported smishing attacks against their company. While not as common as email-based phishing attacks, smishing is a popular and effective method because of the ease with which SMS can be sent and the difficulty of blocking SMS messages from arriving.
Smishing is a popular vector for scammers, who usually send bulk SMS messages to individuals. This SMS spam is relatively unsophisticated because of the large number of messages sent out.
What do they want?
SMS attacks are predominantly looking for two types of information:
- Online account credentials, especially banking.
- Personal information to use for identity theft and credit fraud.
How Does Smishing Work?
Like all forms of social engineering, including vishing and phishing attacks, smishing leverages psychology and the principles of persuasion to get the victim to act. Commonly used principles include URGENCY – “Act now to stop your account being taken over” and AUTHORITY – “I am the government – click this link to get a support grant”. Here are some commonly used themes in SMS smishing attacks: