Smishing is a cyberattack that uses misleading text messages to deceive victims. The goal is to trick you into believing that a message has arrived from a trusted person or organization, and then convince you to take an action that gives the attacker exploitable information (bank account login credentials, for example) or access to your mobile device.
Smishing is a text-message-centric variation of the email-based phishing scams that have been around since the 1990s. But people are often less watchful for suspicious messages on their phones than on their computers: they’re more likely to open a potentially suspicious text message than an email, and their personal devices generally lack the sort of security available on corporate PCs. This pernicious new twist on an old trick is becoming increasingly widespread.
Phishing vs. smishing vs. vishing: what is the difference?
Before we dive into the details, let’s take a moment to understand the terminology of these related attack techniques. Phishing is the granddaddy of them all, and CSO has a complete explainer with all the details, but in essence it involves sending targeted email messages to trick recipients. “Phish” is pronounced the way it’s spelled, which is to say like the word “fish”: the analogy is of an angler throwing a baited hook out there (the phishing email) and hoping you bite. The term arose in the mid-1990s among hackers aiming to trick AOL users into giving up their login information. The “ph” is part of a tradition of whimsical hacker spelling, and was probably influenced by the term “phreaking,” short for “phone phreaking,” an early form of hacking that involved playing sound tones into telephone handsets to get free phone calls.
Smishing is, essentially, phishing via text messages. The word is a portmanteau of “phishing” and “SMS,” the latter being the protocol used by most phone text messaging services. Because of this etymology, you’ll sometimes see the word written as “SMiShing,” though that’s increasingly rare; people also include scam attempts via non-SMS text services, like WeChat or Apple’s iMessage, under the smishing umbrella. The term has been around since at least the late ’00s, though the omnipresence of smartphones in the years since has made it a more tempting attack vector for hackers.
“Vishing” is a similar sort of attack that uses voice calls rather than emails or texts; the word is a portmanteau of “voice” and “phishing.”
Smishing attack examples
So far we’ve been talking in somewhat theoretical terms. But what are some specific examples of how smishing works in practice? In other words: what do you need to be on the lookout for?
We can break down smishing attacks into three broad categories.
Attempts to trick you into revealing credentials. Smishers may try to convince you to give up a username/password combination or other confidential information that they can use to log into one of your online accounts. And because banks are, in the legendary phrase attributed to robber Willie Sutton, “where the money is,” bank smishing is one of the most lucrative and common forms of this category of attack.
The UK tech site Which? has a good breakdown of what a typical bank smishing attack looks like. One of the paradoxes of this type of attack is that the smishers play on your fears of hacking in order to hack your account. They’ll send you text messages claiming to be from your bank, “warning” you about a large transfer or a new payee being added, and supplying you with a number to call or a link to click on to block this potentially unauthorized access to your account. In fact, of course, the transfer or new payee doesn’t exist; the link sends you to a spoofed website that looks like your bank’s and asks for your username and password, and the phone number connects you to the scam artists, who will try to wheedle the same kind of information out of you. Once they’re armed with those credentials, they can log into your bank account and plunder it.
Bank smishing is often successful for a couple of reasons. One is that many banks really do have services that text you about suspicious activity on your account. An important thing to keep in mind is that legitimate messages should contain information proving that the bank already knows who you are: they might include the last few digits of your credit card or bank account number, for example. Vague references to “your account” with no details should be viewed with suspicion. Legitimate messages also will generally not include a direct link to a bank website. Orange County’s Credit Union has a good guide to what you should see in a legitimate text message from a bank. If you’re not sure about a message like this, log in to your account via your browser or app without following any link sent to you in a text message.
Another factor that can lull a victim into complacency: many smishers use SMS spoofing techniques that disguise the phone number or short code that a text message appears to come from. It’s relatively easy to send a text message that appears to come from another number, and in fact there are many legitimate reasons to do so; if you have ever used iMessage or a similar tool to send a text from your laptop, you’ve engaged in SMS spoofing yourself. But if an attacker uses SMS spoofing to make their smishing texts appear to come from your bank, your phone will automatically group them with any real texts you’ve already received from that institution, making them seem more legitimate.
Attempts to trick you into downloading malware. This type of attack parallels one of the primary end games for email phishing, though the techniques are adapted for mobile users and mobile technology. For example, a smishing scam that ran wild in the Czech Republic convinced users to download an app purporting to be from that nation’s postal service; in fact, it was a Trojan that could harvest credit card information entered into other apps on the phone.
In general, these sorts of attacks are rarer when conducted via text than over email because smartphones make it harder to install apps, with iPhones and many Android phones only allowing signed and verified apps from app stores to run. But it’s still possible to sideload apps, especially on Android, so you should be extremely suspicious of anyone who tries to get you to install an app via text message.
Attempts to trick you into sending someone money. This version of smishing is more the domain of the confidence man than the tech wizard, but it’s still a real concern, particularly when it involves less tech-savvy people who don’t use email much and haven’t become resistant to the emailed pleas of Nigerian princes trying to get access to money stashed in overseas bank accounts. Smishers will do some work to figure out ways to get you to trust them; in one attack, a woman in Tennessee received texts she thought were from personal friends (the names had probably been harvested from Facebook) telling her about a government grant she qualified for. In fact, this was a classic “advance fee” scam: the victim was told she had to pay a few hundred dollars up front for “taxes” to get the money.
While those scams play on the victim’s desperation or greed, some take the opposite approach, exploiting their generosity. One set of scammers sent texts to victims in Louisiana, pretending to be a priest at a local church collecting money for charity; in fact, they simply pocketed the cash.
Effects of smishing
These examples should give you a sense of the consequences of smishing: attackers can plunder your bank account, install malware on your phone that gains access to your finances or your location information, or trick you into spending money needlessly. In a larger sense, these smishing attacks make it harder for financial institutions and others to have trusted communications with customers via text messaging, which is one of the most universal communications platforms in use today.
There’s one stat that doesn’t pertain to smishing specifically, but does explain why attackers are putting so much work into developing these scams: 98% of text messages are read and 45% are responded to, while the equivalent numbers for email are 20% and 6%, respectively. As users grow more overwhelmed by constant emails and suspicious of spam, text messages have become a more attractive attack vector, exploiting the more intimate relationship we have with our phones.
While smishing isn’t everywhere yet, it’s definitely more than a novelty at this point: according to Verizon’s 2020 Mobile Security Index, 15% of enterprise users encountered a smishing link in Q3 2019. Proofpoint’s 2020 State of the Phish report indicates that 84% of surveyed organizations faced smishing attacks. And 30% of Proofpoint’s respondents were aware of the term “smishing,” which may not sound like much, but is up from 25% just the previous year.
How to prevent smishing
There’s another stat from Proofpoint’s report that we’d like to discuss, and it gets to the heart of how enterprises can help foil smishing attacks: only 25% of surveyed organizations (and only 17% in the United States) run smishing or vishing simulations to help train staff to recognize and react appropriately to these attacks. At the organizations that do run these simulations, the failure rate is 6%: not disastrous, but not great, either.
These sorts of simulations are one of the best ways for enterprises to train their employees on how to avoid being smished. They should form part of your ongoing security awareness training regimen, alongside phishing and vishing simulations. Simulated smishing attacks can help you target your training efforts, making it clear whether additional training is needed and which users are particularly vulnerable.
But if your employer doesn’t run simulations or hold training programs, you can still educate yourself to resist smishing attacks. Zipwhip has some common-sense advice:
- Be wary of texts using unnatural or ungrammatical language
- Offers that appear too good to be true usually are
- Don’t click embedded links or download apps directly from a text message
- The IRS and Social Security Administration don’t communicate via text
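As an added example (not part of the CSO article or Zipwhip’s advice), here is a small Python triage script that scores text messages against the indicators described above: embedded links, vague “your account” wording with no identifying digits, urgency, too-good-to-be-true offers, agencies that never text, and sloppy language. The sample messages, weights, threshold and .example domains are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Indicators from the article: embedded links, vague "your account" wording with no
# identifying digits, urgency, too-good-to-be-true offers, agencies that never text, sloppy grammar.
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
ACCOUNT_RE = re.compile(r"\byour (?:account|card)\b", re.I)
LAST4_RE = re.compile(r"(?:ending(?: in)?|last (?:4|four)(?: digits)?|[x*]{2,})\s*\d{4}\b", re.I)
SLOPPY_RE = re.compile(r"\s[,.!?]|[!?]{2,}")  # space before punctuation, "!!"
URGENCY = ("verify", "suspended", "locked", "immediately", "confirm", "unauthorized", "unusual", "block")
TOO_GOOD = ("you have won", "free gift", "prize", "grant", "refund")
NO_TEXT_AGENCIES = ("irs", "social security")  # per the article, they don't text
FLAG_THRESHOLD = 3  # constructed weights/threshold, tune for your own traffic

@dataclass
class Verdict:
    score: int = 0
    suspicious: bool = False
    reasons: list = field(default_factory=list)

def score_sms(text: str) -> Verdict:
    """Score one SMS body; higher means more smishing indicators were hit."""
    v, low = Verdict(), text.lower()
    checks = (
        (URL_RE.search(text), 2, "embedded link"),
        (ACCOUNT_RE.search(text) and not LAST4_RE.search(text), 2, "vague account reference, no identifying digits"),
        (any(w in low for w in URGENCY), 1, "fear/urgency wording"),
        (any(w in low for w in TOO_GOOD), 2, "too-good-to-be-true offer"),
        (any(a in low for a in NO_TEXT_AGENCIES), 3, "agency that does not text"),
        (SLOPPY_RE.search(text), 1, "unnatural spacing or punctuation"),
    )
    for hit, weight, reason in checks:
        if hit:
            v.score += weight
            v.reasons.append(reason)
    v.suspicious = v.score >= FLAG_THRESHOLD
    return v

# Constructed sample messages (not real captures); .example domains are placeholders.
SAMPLES = [
    "ALERT: a new payee was added to your account. Block it now: http://secure-bank-login.example/verify",
    "Unusual activity on your card ending 4821? Reply YES to confirm the $92.10 purchase or NO if not you.",
    "Congrats! You have won a free gift card. Claim your prize at www.prize-claim.example",
    "Social Security : your benefits are suspended , call 555-0100 immediately !!",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        v = score_sms(msg)
        print("SUSPICIOUS" if v.suspicious else "ok", v.score, v.reasons, "|", msg[:50])
```

The second sample passes because it names the last four card digits and carries no link, which is exactly what the article says a legitimate bank alert looks like; the others trip several indicators at once.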
CSO also has advice on avoiding phishing scams, most of which applies to smishing as well.
Smishing and the FTC
The US Federal Trade Commission has resources to help fight smishing. The FTC has a page with advice for avoiding these scams. If you think you have been victimized by such a scam, you can use the agency’s complaint assistant site to file a complaint and help catch the perpetrators. But hopefully the advice on this page will help you stay one step ahead of the smishers.