Smishing attacks have gained serious traction recently, having increased by 328% in 2020 alone. Scammers have been exploiting people’s fear triggered by the COVID-19 chaos.
Considering also how our phones have become an almost natural extension of our existence, smishing attacks have peaked in numbers in the last year and have never been more effective.
What is Smishing?
Smishing is a phishing method that is rapidly becoming a favorite among scammers, especially in the context of the COVID-19 pandemic. However, it has been around far longer than most of us would think.
Smishing attacks take a more direct route to the end user than e-mail or social media, using a text message (an SMS) instead to more easily deceive an unsuspecting person.
Its name is a mix of two terms: SMS and phishing. Smishing attacks are socially engineered to take advantage of human trust in order to convince you to give away sensitive data, such as financial or personal information.
Scammers’ favorite smishing methods are the following two:
- Malicious websites. The link received via text message will direct the victim to a website asking for the desired personal data. Often, this illicit website is disguised as a legitimate and trustworthy one to make stealing data easier.
- Malicious software. When the victim clicks the link contained in the text, malware downloads and installs itself on the victim’s device, often pretending to be a reputable software program and asking for sensitive information.
The most common types of messages currently used in smishing attacks are:
- Urgent messages about your financial information, including credit card or bank account details
- Notifications about winning prizes or lotteries
- Fraudulent survey links
- Phony messages pretending to be from trusted brands
Smishers prey on everyday operations and requirements to sneakily disguise their attacks, such as bank notifications, payments, deliveries, and so on. Many of these fake text messages will direct victims to a fake login page, asking for payment or login information later on.
The purpose of smishing, as with any other kind of cyberattack, is financial gain. Attackers get hold of users’ data to compromise them and/or the company they work for. All it takes is a moment of misplaced trust, a strong emotion such as fear, an uninformed action, or a combination of the three, and voilà, you’ve been smished.
Smishing Attacks See Massive Increase in 2020
The unfortunate COVID-19 situation shifted our society to rely on remote communication almost overnight. Where most people see chaos, scammers see opportunity. Thus, smishers have spotted the huge potential of our new digital realities and are actively taking advantage of people’s emotions, especially the fear of the widespread infection and death rate caused by the coronavirus.
According to a recent report from Proofpoint, smishing attacks increased by 328% in Q3 2020 compared to Q2 the same year. Cybercriminals’ top choices when it comes to impersonated brands in Q3 2020 include financial institutions, tech companies, and content providers.
Proofpoint also found that 84% of organizations were targeted by smishing attacks. The FBI has reported that the trail of financial damages these attacks left behind amounted to more than $3.5 billion in 2019.
However, smishing attacks do not appear or increase only during times of crisis, such as the recent COVID-19 outbreak. Cybercrimes will always keep up with our ever-increasing dependence on smartphones and other devices.
Unsurprisingly, scammers have recently been exploiting the fuss around vaccines and have adopted new vaccine-themed deceptive tactics.
How Can You Protect Yourself And Your Company Against Smishing Attacks?
You can never be completely safe from them, but here are a few helpful recommendations:
- Do not click on URLs you get in a text message or any other form of communication, unless you know and trust the sender. Even if the text was sent to you by a friend, you should make sure they meant to send it;
- Do not respond to text messages from people you don’t know, from an unknown number or a phone number that doesn’t look like one;
- Only download apps from official app stores;
- Do not enter your sensitive information on the suspicious websites the attacker directs you to;
- Do not take the action a company requests via text message. Instead, contact the company using a method you trust, such as a telephone call, to verify that the text was legitimate and not a scam;
- Report any suspicious texts you receive and block the number without replying.
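The message types and warning signs listed above can be turned into a simple triage check for reported texts. The following is an added example, not part of the original article or of any vendor's product; the brand allowlist, the `.example`/`.test` domains, the sender pattern and the indicator names are all assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: constructed allowlist of brand keyword -> domains that brand really uses.
BRAND_DOMAINS = {"examplebank": {"examplebank.example"}, "parcelco": {"parcelco.example"}}
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"'\[\]]+", re.I)
PHONE_RE = re.compile(r"^\+?\d{5,15}$")  # assumption: short codes and E.164-style numbers
URGENT = r"\b(?:urgent|immediately|suspended|locked|verify)\b"
MONEY = r"\b(?:account|card|bank|payment)\b"
PATTERNS = {
    "urgent_financial": re.compile(f"{URGENT}.*{MONEY}|{MONEY}.*{URGENT}", re.I | re.S),
    "prize_or_lottery": re.compile(r"\b(?:won|winner|prize|lottery)\b", re.I),
    "survey": re.compile(r"\bsurvey\b", re.I),
}

def link_hosts(text):
    """Lower-cased hostnames of every link in the message body."""
    hosts = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;:!?)")
        host = urlparse(raw if "://" in raw else "http://" + raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def belongs_to(host, domains):
    # Match the registered domain itself or a true subdomain, not a look-alike prefix.
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(sender, text):
    """Return the sorted indicator names that fired for one SMS."""
    hits = {name for name, rx in PATTERNS.items() if rx.search(text)}
    hosts = link_hosts(text)
    if hosts:
        hits.add("contains_link")
    if not PHONE_RE.match(re.sub(r"[\s\-()]", "", sender)):
        hits.add("odd_sender")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text.lower() and any(not belongs_to(h, domains) for h in hosts):
            hits.add("brand_mismatch")
    return sorted(hits)

# Constructed sample messages (sender, body); not real traffic.
SAMPLES = [
    ("alerts@mail.example", "ExampleBank: your account is locked. Verify immediately at "
     "http://examplebank.example.verify-login.test/login"),
    ("+1 555-010-0199", "ParcelCo: track your delivery at https://www.parcelco.example/t/123"),
    ("55512", "You won a prize! Take our survey: www.free-gifts.test/s"),
]
```

A link on its own is a weak signal; the brand-versus-host comparison is what separates the first sample, where the brand name appears only as a prefix of an unrelated host, from the second, where the link really is on the brand's domain.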
Fend Off Smishing (And Any Other Form Of Phishing) With ATTACK Simulator
Technology is a double-edged sword. Along with all the ways it makes our lives easier come all sorts of security risks. That being said, you can never be too cautious.
Precautions are all the more important when it comes to companies. As with any other form of attack, smishing targets companies because that’s where the big money is.
Security Awareness Training for your staff is a key factor in keeping your company safe from scammers. Attack Simulator’s program will educate your employees on smishing and all the other online scams out there.