Smishing attacks are on the rise. Cybercriminals have been turning to the Short Message Service – SMS – to conduct phishing campaigns to gather personal information for identity theft and fraud. Smishing is also used to fool mobile device users into installing malware.
Like phishing emails, smishing attacks use social engineering techniques to get users to complete a specific action, often to click on a link that will direct them to a webpage where they are asked to provide sensitive information or to download a file to their device. Most commonly, the aim of smishing is to obtain personal information such as usernames and passwords to online bank accounts.
Many organizations have implemented spam filtering solutions that capture phishing emails and prevent them from being delivered to end users’ inboxes. Security awareness training is also provided, with the threat of phishing explained to employees. However, the best practices that are taught are not always applied to SMS messages and spam controls do not block SMS messages.
In contrast to emails, which are often ignored, people also tend to access their SMS messages much more rapidly than emails. Text messages are typically opened within seconds, or minutes, of them being received. Cybercriminals are well aware that their malicious MS messages will be opened and read.
Cybercriminals use the same techniques for smishing attacks that are used on email phishing scams. The messages inject a sense of urgency, requiring an action to be taken quickly. The messages are designed to grab attention, with security threats one of the most common themes. The attackers typically impersonate banks, credit card companies, email providers, social media networks or online retailers and warn of security issues such as potential fraudulent activity, imminent charges that will be applied or they threaten account closure.
Messages may even appear to have been sent by a contact, either using a stolen mobile or by spoofing someone who is known and trusted. Messages may include a link to an interesting article, a photograph or a social media post for example.
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo
Smishing attacks started with SMS messages, although similar scams are now being conducted on other messaging platforms such as WhatsApp, Skype and Facebook Messenger.
Blocking smishing attacks is difficult. The key to avoiding becoming a victim is awareness of the threat and adopting the same security best practices that can protect end users on email.
- As with email, when receiving an odd message, stop and think about the request. Could it be a scam?
- Even if the message suggests urgent action is required, take time to consider what is being asked. Smishing attacks work because people respond without thinking.
- It is important not to respond to a SMS message that has been sent from an unknown sender. If you respond, the person who sent the message will be aware that messages are being received.
- If a message containing a hyperlink is received, do not click on the link. Delete the message.
- Never send any sensitive information via text message. Legitimate companies will not ask you to send sensitive information by text message.
- If you are concerned about the contents of a text message, check with the institution concerned, but do not use links or telephone numbers sent in the message. Independently verify the phone number and call or find the correct website via the search engines.
- If you are a business that provides employees with access to a WiFi network, it is possible to prevent employees from visiting malicious websites linked in smishing campaigns. WebTitan Cloud for WiFi is a web filter for WiFi networks that prevents users from visiting malicious websites, such as those used in smishing attacks.