
What is smishing and how to prevent it

Please note that this article is still being drafted or rewritten and may contain imperfections. It has not yet been reviewed for final publication.

This article covers how scammers target users with SMS phishing (smishing) and how best to guard against it.

Most people who use email regularly have heard of phishing and probably even know how to protect themselves from phishing attacks.

However, many people don't realize that phishing doesn't only arrive by email.

Although email is the most common channel for phishing attacks, phishing can also be carried out by other means, such as:

What is smishing

SMS phishing, or smishing, is similar to email phishing, except that attackers use mobile phone text messages to deliver the "bait."

How do scammers use smishing to attack?

Smishing attacks typically invite users to click a link, dial a phone number, or contact an email address supplied by the attacker in the text message. The victim is then asked to hand over private data (usually credentials for other websites or services). Because mobile browsers often truncate the address bar, the full URL may not be visible, which makes a fraudulent login page harder to spot. Now that the mobile phone market is full of smartphones with fast internet connections, a malicious link sent via SMS can be just as effective as one sent by email. Smishing texts also frequently come from phone numbers in strange or unexpected formats.

Phishing text messages are the logical evolution of phishing. SMS or text phishing, commonly known as smishing, targets victims via text messages rather than traditional email.

We use our mobile devices constantly, scrolling through social media, checking email, chatting on Viber or WhatsApp, and texting frequently. This is exactly what fraudsters are counting on. If you get 50+ text messages a day, you can't read each one carefully. The COVID-19 pandemic has also pushed many employees to work from home, further isolating them from IT departments, company networks and organizational security procedures. This opens up new opportunities for phishing scams.

According to software company Proofpoint, smishing has grown by 700% in the first quarter of 2021 alone.

One of the biggest dangers of smishing is that few people are familiar with it. In a 2020 survey from Proofpoint, only 52% of US employees could accurately describe phishing. One explanation for the increase in smishing is that this type of attack is not as well known as email phishing. While computer users may know about email phishing, they may be less aware of other phishing channels, including SMS.

Another reason for the increase is that it is harder to verify the sender, and the website a link opens, in a mobile web browser. COVID-19 scams and crypto-related phishing are also on the rise.

Most common smishing attacks

Most people don't know how to stop phishing text messages. The tactics used in smishing are largely the same as those used in email phishing.

Often, potential victims are told they urgently need to update their login information, claim a reward, or take some other action on their bank or credit card account.

While scammers can use any pretext in a text message, you should pay particular attention to four main types of smishing:

1) Notification that you have won an award and need to claim it

Who doesn't love to hear they've won something? That's why people "respond quickly" to messages like this, handing over all their sensitive information.

Such text messages often contain malicious links that you are asked to click to "claim" your prize. Before you rush to claim it, stop and think, and don't click on any links.

2) A text message claiming to be from your bank

Another common type of scam is a message purportedly from your bank. These messages usually say something like "Your account is locked" and ask you to click a link that leads to a page asking for your password. If you do, scammers can steal your personal information.

In practice, banks rarely text you. When they do, it is usually just to send you a verification code, and they will never include a link.

3) False shipping information

More and more brands use SMS to send important updates to their customers, for example to let them know that a package has arrived. Scammers imitate exactly this kind of notification.

A newer example is the Flubot malware. Links in the messages take people to what looks like the official website of a well-known brand: in Australia probably Telstra, while in Europe it is a package delivery company. The page tells users to install software on their phone in order to listen to messages, and the phishing site installs the malware if the user agrees.

4) Fake surveys

Fake surveys are the least common type of smishing. Even genuine surveys are usually unsolicited, so people rarely respond to them, let alone fake ones. Still, a bored user may respond to a counterfeit survey by mistake.

How to prevent smishing?

What should you do when you receive a smishing message? Because smishing is a social engineering attack, IT cannot easily stop it with security software alone. However, you can still defend against it.

Tips for companies

  • Do not click on links in SMS messages unless you are 100% sure where they came from. Such links may deliver malware that can then spread on your device.

If a user receives a smishing text at work, the first and most important step is not to respond to its content or prompts. Do not click on any link contained in the message; it may deliver malware or lead to a website that asks for more private details. Do not reply to the sender in any way.

  • Users should report the smishing attempt immediately to their IT department. This is especially important if the device is a business phone. Any organization's BYOD policy should include specific guidance on cyber threats and attacks. (In addition, if you receive a fraudulent text message in the United States, you can report it to the FCC.)

  • All employees in an organization should receive cybersecurity training. Organizations can conduct anything from surveys to on-site training sessions to ensure employees are up-to-date on phishing and other security threats.

  • IT departments can even run an internal phishing campaign, a simulated social engineering attack, to see who falls for it. This tells IT how many people would be caught by phishing attempts from outside sources, and any employees who fail can be given additional training to emphasize the importance of phishing safety.

  • Instead of emailing large files to other team members, IT should train employees on how to use a company-approved file hosting service, such as Dropbox or Google Drive. This will reduce the chances of external actors accessing these important internal documents.

  • Organizations should make corporate databases and networks accessible to as few individuals as possible. Limiting access in this way helps reduce the impact of ransomware attacks that start with smishing or other means.

For individuals

  • Watch out for messages from unusually short, unknown numbers such as "5000". These short codes are used by email-to-text services and are often abused by criminals.

  • Your bank or credit bureau will never text you asking you to update your account information. If you receive this kind of message, contact your financial institution and warn them about the scam.

  • Do not rush into action if you receive an "urgent" message or security alert.

  • Do not "claim a reward" for a prize you have never entered. You can't win if you don't play.
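As an added illustration (not part of the original article), the red flags listed above can be turned into a simple triage check that scores an incoming text: a link in an unsolicited message, urgency wording, a prize claim, a bank-themed message that carries a link, and a short-code sender. The sample messages are constructed for the demo, not real campaigns.

```python
import re
from dataclasses import dataclass, field

# Red flags taken from the article: links in unsolicited texts, urgency or
# security-alert wording, prize claims, bank-themed messages that carry a
# link, and senders that are short codes ("5000") rather than full numbers.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|ly|io|xyz|top)\b\S*", re.I)
SHORT_CODE_RE = re.compile(r"^\d{4,6}$")
URGENCY_RE = re.compile(r"\b(?:urgent(?:ly)?|immediately|locked|suspended|verify|security alert|24 hours)\b", re.I)
PRIZE_RE = re.compile(r"\b(?:won|winner|prize|reward|claim)\b", re.I)
BANK_RE = re.compile(r"\b(?:bank|account|card)\b", re.I)

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

def score_sms(sender: str, text: str) -> Verdict:
    """Count how many of the article's red flags a message shows."""
    v = Verdict()
    has_link = URL_RE.search(text) is not None
    if has_link:
        v.reasons.append("contains a link")
    if SHORT_CODE_RE.match(sender.strip()):
        v.reasons.append("sender is a short code")
    if URGENCY_RE.search(text):
        v.reasons.append("urgency or security-alert wording")
    if PRIZE_RE.search(text):
        v.reasons.append("prize or reward claim")
    if has_link and BANK_RE.search(text):
        v.reasons.append("bank-themed message with a link")
    v.score = len(v.reasons)
    return v

def is_suspicious(sender: str, text: str, threshold: int = 2) -> bool:
    """Two or more red flags is enough to treat the text as smishing."""
    return score_sms(sender, text).score >= threshold

# Constructed sample messages for demonstration (not real campaigns).
SAMPLES = [
    ("5000", "URGENT: your account is locked. Verify now at http://bank-login.example/verify"),
    ("+15550001111", "Congrats! You WON a $500 reward. Claim it here: bit.ly/claim"),
    ("+15550002222", "Your verification code is 482913. Do not share it."),  # bank style: code, no link
    ("+15550003333", "Hey, are we still on for lunch tomorrow?"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        v = score_sms(sender, text)
        print(f"{sender:>14} score={v.score} suspicious={is_suspicious(sender, text)} {v.reasons}")
```

Note that the legitimate-looking verification code (no link, no urgency) scores zero, matching the article's point that real bank texts carry a code but never a link.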

Related information:

  • Encrypted messaging apps like WhatsApp and Signal aren't immune. According to the EFF (Electronic Frontier Foundation), Dark Caracal is the work of a traditional APT actor that is moving towards mobile, particularly Android, as its primary target platform. Its trojanized versions of apps including Signal and WhatsApp functioned just like the legitimate apps, sending and receiving messages as normal, while also allowing attackers to take pictures, retrieve location information, and capture audio.

  • How do you protect your Android phone or tablet? Read our 15 ways to make it more private and secure.

  • Learn more about pharming.
