What is smishing? Don’t be fooled by SMS phishing scams

Which type of phishing technique involves sending text messages to a potential victim’s smartphone? If you answered ‘smishing’, you’d be right. Read on to explore why this online threat is often more effective than its email counterpart, what most smishing attacks look like, and why cybercriminals are desperate for your phone number. Nowadays it’s not love that comes (cold) calling. So, help keep yourself safer from all types of malware and even the latest online threats with Avira Free Security.


What is smishing? And don’t you mean phishing? Or vishing?

Remember old-school fishing, where naïve fish are fooled into thinking that worms willingly hang themselves into bodies of water, waiting to be eaten? If the fish bites, the consequences for them are dire. Then came a land-based, digital equivalent: phishing. During this malicious online attack, cybercriminals try to acquire information (such as usernames, passwords, credit card details, and eventually money) by masquerading as a trustworthy entity via email. In this way, electronic communication is now the fat ‘worm’ and if you’re an unthinking ‘fish’, you’ll think of every email as legitimate and happily bite (click) it. Less well-known is a type of phishing that targets victims through SMS (short message service) or text messages. By blending SMS and phishing, ‘smishing’ was born, and its goals are the same. The fraudster sends deceptive text messages to lure victims into clicking on malicious links, opening harmful attachments and, ultimately, sharing personal or financial information. It’s phishing in text form, so your mobile phone becomes the attack vector. Like its email-based cousin, these deceptive messages try to appear as if they’re from legitimate sources, like Amazon, PayPal, your post office or tax office. “Your account has been suspended!” “Someone has tried to reset your password.” “A request for a new payee has been made on your account!” They use a sense of urgency to manipulate the recipient into taking a specific action, so we act without thinking, driven by fear, anger or plain curiosity.

There’s also vishing, oh my! If you’re feeling confused, see the handy overview below. Smishing is just one of five common types of phishing attacks. Here’s how they work and how to tell them apart.

  1. Email phishing is still the most common. The scammer usually registers a fake domain that mirrors a real one and sends out thousands of generic requests. Look out for non-personal greetings and spelling mistakes in the email. Hover over the email address and you’ll often see a character substitution, like an “r” plus “n” in place of an “m”. Sometimes, the legitimate organisation’s name appears in an altered form, like “amazonservice.com” instead of “amazon.com”: “Hello value customer, your account has been locked…”
    Find out how to spot phishing attempts and help avoid them.
  2. Spear phishing is email phishing but tailored to a specific person to make it sound more believable. In this case, the scammer has done their homework, and found out personal details, like the recipient’s name, address, and job title: “Dear Dr Smith, there has been unexpected activity in your Barclays account and…”
  3. Whaling is email phishing that takes aim at the big guys! These emails are usually harpooned at senior executives and pretend to be from the company’s busy CEO, often requesting a favour. The staff may be too nervous not to do as their boss has ‘asked’: “Hi Rose, am at the airport, and don’t have my login for the VPN…”
  4. Smishing is telephone-based and uses fraudulent text messages to trick you into revealing personal data: “Click on this link to track your missing parcel…”
  5. Vishing or voice phishing also uses telephones but instead of texts, scammers make phone calls or robocalls, leave voicemails or call via voice over internet protocol (VoIP). If you answer, you might be put through to an ‘agent’ who’ll need your personal details of course: “You were recently involved in a car accident…”

All the above have important traits in common: They’re forms of social engineering, meaning that they exploit our trust and manipulate us psychologically, rather than using technology to hack their way into our computers. They’re also all attempts at identity fraud, but they differ in how the scammers contact you: by email, text or phone. Many people still equate phishing with emails only, but the reality is that you need to beware of whatever medium you’re communicating in!

Explore the two types of smishing—and why they’re popular with cybercriminals

Even within the field of smishing, there are two different types but unlike email phishing, all these names are fish-free. Firstly, there’s the text smishing that you’re already an expert on after carefully reading the previous section. You’re asked by SMS to click on a link or call a number. These come in a variety of flavours depending on who the scammer is impersonating.

Purists might argue that instant messaging smishing isn’t really smishing as it uses instant messenger freeware like Facebook Messenger or WhatsApp instead of SMS. Its intent is inarguably ‘phishy’ though as the goal of the attack is for you to provide personal data, including passwords and/or credit card numbers, to the threat actor. You might be promised a special offer or a prize. If the message is from a stranger, it’s a good indicator that you could be the target of a scam but remember that these attacks can also appear to come from people you know and are connected to! Their social media account may have been hacked. Trust no one implicitly online—not even your mother. 

Smishing remains a popular choice of scam for several reasons: It’s relatively easy to spoof a phone number with a burner phone or use software to send texts by email. Thanks to the smaller screen on mobile devices, it can be harder to spot dangerous links—nor can you hover over the link to see where it leads. In 2020, the Federal Communications Commission (FCC) in the US launched an industry-wide initiative to help prevent fraudsters from scamming consumers and businesses through robocalls and illegal phone number spoofing. Telecom companies in America had to adopt the STIR/SHAKEN protocol for caller ID authentication, which is why you see “scam/spam likely” when you receive some unknown calls. It doesn’t rule out scam texts though, much to the relief of cybercriminals.

How smishing works

Smishing scams follow a similar process to email phishing and combine technological and psychological tactics to manipulate victims. Cyber-attackers typically follow these steps:

STEP 1: Picking the victims: First, cybercriminals select their targets. They either pick numbers from a random list in their possession, or target specific individuals based on data obtained from previous breaches. This information can often be found on the dark web.

STEP 2: Crafting the message: Then they create a text message that evokes a specific reaction or an emotion like fear, sympathy, or curiosity. This message typically includes a (usually urgent) call to action. Click on this link or call this number! Contact us!

STEP 3: Delivering the message: Now it’s time to unleash their wares. Cyber-attackers often use SMS gateways, which enable a computer to send and receive text messages to and from a mobile device using the global telecommunications network. Spoofing tools are another scammer aide—these generate software and hardware information designed to fool monitoring systems. Find out more about the many types of spoofing here.

STEP 4: Interacting with the victim: Once the message has arrived, the scammer gets lucky if the victim engages with them and takes the action intended (like claiming the lottery money they haven’t won or calling the fake tech support “technician” via the number provided). They might land on a fraudulent website where they give away their personal or financial data or download malicious software onto their device. If they call a number, they may be tricked into providing private information or incurring unexpected charges.

STEP 5: Scamming the victim: If the victim has acted, it’s the attacker’s turn again. Armed with the necessary information, they can carry out any number of malicious scams, including identity theft and unauthorised transactions. They can also sell the sensitive data on the black market or use it to carry out other targeted attacks. 

STEP 6: Evolving and evading: The scammer’s work is never done as they constantly need to change their tactics, phone numbers, and the techniques they use to conceal their location and identity.

Beware of these common examples of smishing attacks!

Fake stories. People dressed as virtual cops. Online subterfuge. Welcome to a murky world of deception via SMS. Fortunately, you’re too savvy to fall for these tricks. We’ve summed up common virtual disguises so you can whip off a scammer’s mask with ease.

Whatever the details of the scam, you’ll notice that smishing attempts are formulaic. They contain unusual URLs or random phone numbers that don’t follow the typical digit layout or use a series of the same numbers. They’re also often the bearers of bad news—or a prize that’s too good to be true—and they employ urgency. Remember: If it’s hurrying you, slow down and think twice!
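The formulaic traits listed above (odd links, lookalike domains built from character substitutions such as the “amazonservice.com” example earlier, random-looking phone numbers, urgency and too-good-to-be-true lures) can be turned into a simple indicator scorer. The following is an added example written for this page; it is not Avira’s code or part of any product. The brand allow-list, the wording lists, the point weights and the sample messages are all constructed assumptions for illustration.

```python
"""Heuristic smishing indicator scorer (added example, not Avira's code)."""
import re
from dataclasses import dataclass

# Assumed allow-list: brand keyword -> the apex domain that brand really uses.
TRUSTED_BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com"}

# Assumed wording lists; a real deployment would tune these per language.
URGENCY_TERMS = ("suspended", "locked", "within 24 hours", "verify now",
                 "immediately", "final notice", "act now")
LURE_TERMS = ("you have won", "prize", "missing parcel", "refund")

URL_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?\d[\d\s\-]{7,}\d")
REPEATED_DIGITS_RE = re.compile(r"(\d)\1{3,}")

# Assumed weights: a lookalike domain on its own is enough to flag a message.
LIKELY_THRESHOLD = 3


def normalise_host(host: str) -> str:
    """Undo common character substitutions used in lookalike domains (rn->m, 0->o, 1->l)."""
    return host.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def is_trusted_host(host: str, brands: dict) -> bool:
    """True if the host is exactly a brand's apex domain or a subdomain of it."""
    host = host.lower()
    return any(host == apex or host.endswith("." + apex) for apex in brands.values())


def lookalike_brand(host: str, brands: dict):
    """Return the brand a host imitates (by name or substituted characters), else None."""
    if is_trusted_host(host, brands):
        return None
    normalised = normalise_host(host)
    for brand in brands:
        if brand in normalised:
            return brand
    return None


def odd_phone_numbers(text: str) -> list:
    """Phone-number-like strings containing a run of four or more identical digits."""
    found = []
    for match in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if REPEATED_DIGITS_RE.search(digits):
            found.append(match.group().strip())
    return found


@dataclass
class Verdict:
    score: int
    reasons: list


def assess_sms(text: str, brands: dict = TRUSTED_BRANDS) -> Verdict:
    """Score one SMS body; a higher score means more smishing indicators."""
    score, reasons = 0, []
    lowered = text.lower()
    for host in URL_RE.findall(text):
        brand = lookalike_brand(host, brands)
        if brand:
            score += 3
            reasons.append(f"lookalike domain for {brand}: {host}")
        elif not is_trusted_host(host, brands):
            score += 1
            reasons.append(f"link to unrecognised host: {host}")
    for term in URGENCY_TERMS:
        if term in lowered:
            score += 1
            reasons.append(f"urgency wording: '{term}'")
    for term in LURE_TERMS:
        if term in lowered:
            score += 1
            reasons.append(f"lure wording: '{term}'")
    for number in odd_phone_numbers(text):
        score += 1
        reasons.append(f"odd phone number: {number}")
    return Verdict(score, reasons)


def is_likely_smishing(text: str) -> bool:
    return assess_sms(text).score >= LIKELY_THRESHOLD


# Constructed sample messages (not real captures).
SAMPLES = [
    "AMAZ0N: Your account has been suspended. Verify now at http://amazonservice-login.com/verify",
    "Your missing parcel is waiting. Reschedule delivery: http://parcel-redelivery.info/t/8821",
    "Call 0800 4444 4444 within 24 hours or your card will be locked.",
    "PayPal: your payment of 12.00 GBP to Example Ltd was completed. Details: https://www.paypal.com/activity",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        verdict = assess_sms(sms)
        flag = "LIKELY SMISHING" if verdict.score >= LIKELY_THRESHOLD else "low risk"
        print(f"[{flag:>15}] score={verdict.score} {sms[:60]}")
        for reason in verdict.reasons:
            print(f"    - {reason}")
```

Run it and the first and third samples cross the threshold, the parcel lure scores below it (one unknown link plus one lure word), and the genuine paypal.com link scores zero. That second result is the point worth remembering: keyword and domain heuristics catch the formulaic cases the post describes, but a cautiously worded message from a fresh domain slips through, which is why the “slow down and think twice” advice still matters.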

The rise and rise of smishing

In a report by telecommunications experts ENEA, 61% of enterprises suffer significant losses to mobile fraud, with smishing and vishing being the most prevalent and costly. The same report shows that since the launch of ChatGPT in November 2022, these attacks have increased by a staggering 1,265%! Given that SMS has eight times the response rate of email, it’s no wonder that it’s a favourite cybercrime tool. In fact, Verizon reports that 85% of phishing attacks come from channels beyond email, like messaging, social and productivity apps.

Smishing attacks are conquering the malware market, driven by an absence of SMS sender authentication. Telecommunications companies must do more, but currently, no one is immune to the onslaught. In 2021, millions of malicious text messages were sent across Vodafone’s network, infecting Android devices with Flubot malware, and prompting the telecom giant to issue a warning via Twitter. It’s always vital to scan your devices regularly for malware and run malware tests.

It takes a human to click on the link, so be sure to follow our anti-smishing guide and help avoid becoming an unwitting malware accomplice.

Smishing safety guide: If you’re a smishing recipient, do this

You can help prevent becoming a smishing statistic by following our AVOID-PROTECT-INSPECT protocol and being relentlessly sceptical.

Before you delete a smishing text, consider reporting it to your local cybercrime authorities. If you’re in the United Kingdom, forward it for free by SMS to 7726, send it via email to report@phishing.gov.uk or fill in the online “report a suspicious scam or website” form.

Help fight smishing and other online scams with Avira

Smishing, and other social engineering attacks, rely on user errors to succeed. You’re only human but help is at hand. Stay informed, be vigilant, and deploy a suite of multi-layered online protection and privacy for your devices. Avira Free Security cunningly combines privacy, protection, and performance-enhancing software as a single solution. Help store and manage strong passwords, update software, help clean up what’s slowing your device down—and of course, stay safer online with trusted antivirus.

