Which type of phishing technique involves sending text messages to a potential victim’s smartphone? If you answered ‘smishing’, you’d be right. Read on to explore why this online threat is often more effective than its email counterpart, what most smishing attacks look like, and why cybercriminals are desperate for your phone number. Nowadays it’s not love that comes (cold) calling. So, help keep yourself safer from all types of malware and even the latest online threats with Avira Free Security.
What is smishing? And don’t you mean phishing? Or vishing?
Remember old-school fishing, where naïve fish are fooled into thinking that worms willingly dangle themselves in bodies of water, waiting to be eaten? If the fish bites, the consequences for them are dire. Then came a land-based, digital equivalent: phishing. During this malicious online attack, cybercriminals try to acquire information (such as usernames, passwords, credit card details, and eventually money) by masquerading as a trustworthy entity via email. In this way, electronic communication is now the fat ‘worm’, and if you’re an unthinking ‘fish’, you’ll treat every email as legitimate and happily bite (click) it. Less well-known is a type of phishing that targets victims through SMS (short message service) or text messages. By blending SMS and phishing, ‘smishing’ was born, and its goals are the same. The fraudster sends deceptive text messages to lure victims into clicking on malicious links, opening harmful attachments and, ultimately, sharing personal or financial information. It’s phishing in text form, so your mobile phone becomes the attack vector. Like their email-based cousins, these deceptive messages try to appear as if they’re from legitimate sources, like Amazon, PayPal, your post office or tax office. “Your account has been suspended!” “Someone has tried to reset your password.” “A request for a new payee has been made on your account!” They use a sense of urgency to manipulate the recipient into taking a specific action, and we end up acting without thinking, driven by fear, anger or plain curiosity.
There’s also vishing, oh my! If you’re feeling confused, see the handy overview below. Smishing is just one of five common types of phishing attacks. Here’s how they work and how to tell them apart.
- Email phishing is still the most common. The scammer usually registers a fake domain that mirrors a real one and sends out thousands of generic requests. Look out for impersonal greetings and spelling mistakes in the email. Hover over the sender’s email address and you’ll often see a character substitution, like an “r” and an “n” in place of an “m”. Sometimes, the legitimate organisation’s name appears in an altered form, like “amazonservice.com” instead of “amazon.com”: “Hello value customer, your account has been locked…”
Find out how to spot phishing attempts and help avoid them.
- Spear phishing is email phishing but tailored to a specific person to make it sound more believable. In this case, the scammer has done their homework and found out personal details, like the recipient’s name, address, and job title: “Dear Dr Smith, there has been unexpected activity in your Barclays account and…”
- Whaling is email phishing that takes aim at the big guys! These emails are usually harpooned at senior executives and pretend to be from the company’s busy CEO, often requesting a favour. The staff may be too nervous not to do as their boss has ‘asked’: “Hi Rose, am at the airport, and don’t have my login for the VPN…”
- Smishing is telephone-based and uses fraudulent text messages to trick you into revealing personal data: “Click on this link to track your missing parcel…”
- Vishing or voice phishing also uses telephones but instead of texts, scammers make phone calls or robocalls, leave voicemails or call via voice over internet protocol (VoIP). If you answer, you might be put through to an ‘agent’ who’ll need your personal details of course: “You were recently involved in a car accident…”
All the above have important traits in common: They’re forms of social engineering, meaning that they exploit our trust and manipulate us psychologically, rather than using technology to hack their way into our computers. They’re also all attempts at identity fraud, but they differ in how the scammers contact you: by email, text or phone. Many people still equate phishing with emails only, but the reality is that you need to beware of whatever medium you’re communicating in!
Explore the two types of smishing—and why they’re popular with cybercriminals
Even within the field of smishing, there are two different types, but unlike the variants of email phishing, their names are fish-free. Firstly, there’s text smishing, which you’re already an expert on after carefully reading the previous section. You’re asked by SMS to click on a link or call a number. These come in a variety of flavours depending on who the scammer is impersonating.
Purists might argue that instant messaging smishing isn’t really smishing as it uses instant messenger freeware like Facebook Messenger or WhatsApp instead of SMS. Its intent is inarguably ‘phishy’ though as the goal of the attack is for you to provide personal data, including passwords and/or credit card numbers, to the threat actor. You might be promised a special offer or a prize. If the message is from a stranger, it’s a good indicator that you could be the target of a scam but remember that these attacks can also appear to come from people you know and are connected to! Their social media account may have been hacked. Trust no one implicitly online—not even your mother.
Smishing remains a popular choice of scam for several reasons: It’s relatively easy to spoof a phone number with a burner phone or use software to send texts by email. Thanks to the smaller screen on mobile devices, it can be harder to spot dangerous links—nor can you hover over the link to see where it leads. In 2020, the Federal Communications Commission (FCC) in the US launched an industry-wide initiative to help prevent fraudsters from scamming consumers and businesses through robocalls and illegal phone number spoofing. Telecom companies in America had to adopt the STIR/SHAKEN protocol for caller ID authentication, which is why you see “scam/spam likely” when you receive some unknown calls. It doesn’t rule out scam texts though, much to the relief of cybercriminals.
How smishing works
Smishing scams follow a similar process to email phishing and combine technological and psychological tactics to manipulate victims. Cyber-attackers typically follow these steps:
STEP 1: Picking the victims: First, cybercriminals select their targets. They either pick numbers from a random list in their possession, or target specific individuals based on data obtained from previous breaches. This information can often be found on the dark web.
STEP 2: Crafting the message: Then they create a text message that evokes a specific reaction or an emotion like fear, sympathy, or curiosity. This message typically includes a (usually urgent) call to action. Click on this link or call this number! Contact us!
STEP 3: Delivering the message: Now it’s time to unleash their wares. Cyber-attackers often use SMS gateways, which enable a computer to send and receive text messages to and from a mobile device using the global telecommunications network. Spoofing tools are another scammer aid—these forge the software and hardware details that monitoring systems rely on, so the messages look like they come from somewhere they don’t. Find out more about the many types of spoofing here.
STEP 4: Interacting with the victim: Once the message has arrived, the scammer gets lucky if the victim engages with them and takes the action intended (like claiming the lottery money they haven’t won or calling the fake tech support “technician” via the number provided). They might land on a fraudulent website where they give away their personal or financial data or download malicious software onto their device. If they call a number, they may be tricked into providing private information or incurring unexpected charges.
STEP 5: Scamming the victim: If the victim has acted, it’s the attacker’s turn again. Armed with the necessary information, they can carry out any number of malicious scams, including identity theft and unauthorised transactions. They can also sell the sensitive data on the black market or use it to carry out other targeted attacks.
STEP 6: Evolving and evading: The scammer’s work is never done as they constantly need to change their tactics, phone numbers, and the techniques they use to conceal their location and identity.
Beware of these common examples of smishing attacks!
Fake stories. People dressed as virtual cops. Online subterfuge. Welcome to a murky world of deception via SMS. Fortunately, you’re too savvy to fall for these tricks. We’ve summed up common virtual disguises so you can whip off a scammer’s mask with ease.
- Posing as a bank or other service provider:
“There’s a problem with your bank account…” or “We’ve locked your account for security reasons” are examples of these fake notifications. You’ll usually be asked about unauthorised activity or to verify your account details. If you click on the link provided, you’ll be directed to a fake website or app that is designed to steal your confidential information, like login credentials or credit card details and PINs.
- Impersonating a government authority:
“Criminal investigation division of the IRS/HMRC is filing a lawsuit against you. For more information, call…”. Here the attacker poses as a tax authority and might threaten you with arrest or financial ruin—or promise you a tax refund. Scammers also pretend to be police officers. These texts seem official and demand immediate action and personal information.
- Posing as your telecommunications company:
“As a valued XX customer, you’re now eligible for a free iPhone upgrade…”. With cellphone smishing, the intended victim receives what sounds like an offer from their mobile phone provider, such as a discount or phone upgrade. Click on the link to activate the deal—don’t! You’ll land on a spoofed web page that looks like it’s your provider’s and your account details will be scooped up as you enter them.
- Pretending to be the post office/shipping company:
“Your package has been delayed at our warehouse. To track it, please…”. Whether it’s FedEx, UPS, or Royal Mail, scammers take their pick of logistics companies and give the “customer” bad news. Usually, there’s been a problem with your delivery, or a fee must be paid.
- Offering customer support:
“We detected a login to your PayPal account from a new device on 27.04.2024 at 15:10:07. Please confirm it was you by…”. Attackers can be experts at posing as fake customer service reps from trusted brands and retailers, like Amazon or Microsoft. They usually say that there’s a problem with the victim’s account or an unclaimed refund. They might also offer troubleshooting advice.
- Posing as technical support:
“The Microsoft security team has tried to contact you regarding a security hazard on your PC…”. Users receive a text warning them of a problem with their device or account and offering a tech support number. Call this number at your peril, as it could lead to unexpected charges, or even data theft if you grant the “technician” remote access to your device.
- Warning of service disruption:
“Your card has been declined and your subscription to X premium TV will be suspended…”. The attacker warns the victim that a service they subscribe to is about to be cancelled or has already been restricted, usually due to a payment issue. You’re urged to click on a link to “resolve” the issue.
- Announcing prizes or lottery winnings:
“CONGRATULATIONS! You are the winner. Claim your cash prize before time runs out.” Sadly, you haven’t won a prize, lottery, or the sweepstakes. To claim your fictitious reward, you’ll have to provide your personal details, click on a malicious link, or pay a small fee. You won’t receive anything but might hand over sensitive information or lose money.
- Advertising apps or entertainment:
“Play Funky Chicken Bingo today and get £10 of free tokens. Download the app now at…”. Users receive a message promoting a useful or entertaining app. Clicking on the download link could lead to malicious software like ransomware being downloaded on your device.
- Creating a scam emergency or call for help:
“A family member of yours has been in an accident. Call this premium rate number for details…”. This could be as serious as a text claiming that a loved one has been hurt or as innocuous as a Facebook friend asking for a code to regain access to their account. This may be multifactor authentication (MFA) fraud, whereby a hacker already has your username and password and now wants to steal the verification code they need. You could end up sending the hacker the MFA code to your own account!
Whatever the details of the scam, you’ll notice that smishing attempts are formulaic. They contain unusual URLs or random phone numbers that don’t follow the typical digit layout or use a series of the same numbers. They’re also often the bearers of bad news—or a prize that’s too good to be true—and they employ urgency. Remember: If it’s hurrying you, slow down and think twice!
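The formulaic traits just described (urgency, bait that is too good to be true, odd links, phone numbers with runs of repeated digits) and the altered-domain trick from the email phishing bullet above can be turned into a simple triage check. The script below is an added example written for this article, not Avira’s code or any product feature; the brand-to-domain table, the lookalike substitution list and the UK “09” premium-rate prefix check are assumptions chosen for illustration, and the sample messages are constructed, not real smishing texts.

```python
"""Heuristic smishing triage over SMS text, using the cues the article lists:
urgency or bait wording, embedded links, brand names that do not match the
linked domain (including character-substitution lookalikes such as "rn" for
"m"), and phone numbers with runs of repeated digits."""
import re
from dataclasses import dataclass
from typing import List

# Assumed brand -> official domains table (hypothetical, trimmed for the example).
BRANDS = {
    "amazon": ("amazon.com", "amazon.co.uk"),
    "paypal": ("paypal.com",),
    "royalmail": ("royalmail.com",),
    "hmrc": ("gov.uk",),
}
# Character substitutions commonly used to build lookalike domains (assumed list).
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URGENCY_RE = re.compile(
    r"\b(?:verif\w*|confirm\w*|suspend\w*|lock\w*|urgent\w*|immediate\w*)\b"
    r"|before time runs out|within 24 hours", re.I)
BAIT_RE = re.compile(r"\b(?:congratulations|winner|prize|refund|free)\b", re.I)
# Host part of a URL, with or without scheme; the TLD must be alphabetic so a
# date such as 27.04.2024 is not mistaken for a domain.
URL_RE = re.compile(r"(?:https?://)?(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s-]{6,}\d")


@dataclass
class Verdict:
    score: int
    reasons: List[str]

    @property
    def is_suspicious(self) -> bool:
        return self.score >= 2


def normalise(label: str) -> str:
    """Undo common lookalike substitutions so that royalrnail -> royalmail."""
    for fake, real in LOOKALIKES:
        label = label.replace(fake, real)
    return label


def extract_hosts(text: str) -> List[str]:
    return [h.lower() for h in URL_RE.findall(text)]


def host_is_official(host: str, official) -> bool:
    return any(host == d or host.endswith("." + d) for d in official)


def brand_issues(text: str, hosts: List[str]) -> List[str]:
    """Flag links that imitate a brand, or that accompany a brand name but go elsewhere."""
    reasons = []
    compact = re.sub(r"\s+", "", text.lower())  # "Royal Mail" -> "royalmail"
    for brand, official in BRANDS.items():
        mentioned = brand in compact
        for host in hosts:
            if host_is_official(host, official):
                continue
            if brand in normalise(host):
                reasons.append(f"lookalike domain for {brand}: {host}")
            elif mentioned:
                reasons.append(f"{brand} mentioned but link goes to {host}")
    return reasons


def phone_issues(text: str) -> List[str]:
    reasons = []
    for raw in PHONE_RE.findall(text):
        digits = re.sub(r"\D", "", raw)
        if len(digits) < 7:
            continue
        if re.search(r"(\d)\1{3,}", digits):  # four or more identical digits in a row
            reasons.append(f"phone number with repeated digits: {raw.strip()}")
        elif digits.startswith("09"):  # assumes UK numbering, where 09 is premium rate
            reasons.append(f"premium-rate number: {raw.strip()}")
    return reasons


def score_sms(text: str) -> Verdict:
    """One point per independent cue; two or more cues marks the text as suspicious."""
    reasons = []
    urgency = URGENCY_RE.findall(text)
    if urgency:
        reasons.append("urgency cues: " + ", ".join(sorted({u.lower() for u in urgency})))
    bait = BAIT_RE.findall(text)
    if bait:
        reasons.append("too-good-to-be-true bait: " + ", ".join(sorted({b.lower() for b in bait})))
    hosts = extract_hosts(text)
    if hosts:
        reasons.append("contains link(s): " + ", ".join(hosts))
    reasons += brand_issues(text, hosts)
    reasons += phone_issues(text)
    return Verdict(score=len(reasons), reasons=reasons)


# Constructed sample messages for the demonstration (not real smishing texts).
SAMPLES = [
    "Your Amazon account has been locked. Verify now at http://amazonservice.com/login",
    "Hi, running late, see you at 7 outside the station",
    "Your parcel is waiting at our depot. Pay the redelivery fee at http://royalrnail-delivery.co.uk",
    "CONGRATULATIONS! You are the winner. Claim your cash prize before time runs out. Call 0900 777 7777",
    "Your PayPal account needs verification: http://secure-login-check.net",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        v = score_sms(sms)
        print(f"[{'SUSPICIOUS' if v.is_suspicious else 'ok'} score={v.score}] {sms}")
        for r in v.reasons:
            print("   -", r)
```

The point of the lookalike check is that a human on a small screen cannot hover over a link, as the article notes, so the comparison has to be done on the text itself: the host is normalised (“rn” to “m”, “1” to “l”) before it is compared against the brand list, which catches “royalrnail” and “paypa1” as well as the plain “amazonservice.com” case. A score like this is a prompt to verify with the institution directly, not a verdict on its own.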
The rise and rise of smishing
In a report by telecommunications experts ENEA, 61% of enterprises suffer significant losses to mobile fraud, with smishing and vishing being the most prevalent and costly. The same report shows that since the launch of ChatGPT in November 2022, these attacks have increased by a staggering 1,265%! Given that SMS has eight times the response rate of email, it’s no wonder that it’s a favourite cybercrime tool. In fact, Verizon reports that 85% of phishing attacks come from channels beyond email, like messaging, social and productivity apps.
Smishing attacks are conquering the malware market, driven by an absence of SMS sender authentication. Telecommunications companies must do more, but currently, no one is immune to the onslaught. In 2021, millions of malicious text messages were sent across Vodafone’s network, infecting Android devices with Flubot malware, and prompting the telecom giant to issue a warning via Twitter. It’s always vital to scan your devices regularly for malware and run malware tests.
It takes a human to click on the link, so be sure to follow our anti-smishing guide and help avoid becoming an unwitting malware accomplice.
Smishing safety guide: If you’re a smishing recipient, do this
You can help prevent becoming a smishing statistic by following our AVOID-PROTECT-INSPECT protocol and being relentlessly sceptical.
- Avoid clicking on suspicious links or attachments, phoning unknown numbers, or responding to suspicious text messages in any way. Replying to a smishing text confirms that your number is active and could lead to further attacks.
- Protect your data and device by using two-factor or multi-factor authentication for all your online accounts, downloading reputable antivirus software and regularly scanning your device for malware, especially if you’ve clicked on an unknown link. Use strong, unique passwords and change them fast if you think an account is at risk. And adhere to the golden rule: Never give out personal details, such as passwords, credit card numbers, addresses, or emails via text!
- Inspect and verify all requests from banks, service providers, and retailers directly with them. Scammers are expert impersonators, so reach out to the institution they’re claiming to represent and check with them. It’s a good habit to regularly inspect your bank statements and credit card activity too. If you notice anything suspicious, alert your bank.
Before you delete a smishing text, consider reporting it to your local cybercrime authorities. If you’re in the United Kingdom, forward it for free by SMS to 7726, send it via email to report@phishing.gov.uk, or fill in the online “report a suspicious scam or website” form.
Help fight smishing and other online scams with Avira
Smishing, and other social engineering attacks, rely on user errors to succeed. You’re only human but help is at hand. Stay informed, be vigilant, and deploy a suite of multi-layered online protection and privacy for your devices. Avira Free Security cunningly combines privacy, protection, and performance-enhancing software as a single solution. Help store and manage strong passwords, update software, help clean up what’s slowing your device down—and of course, stay safer online with trusted antivirus.