Smishing is a phishing method that has gained popularity lately, especially in the context of the COVID-19 pandemic, but it has been around for far longer than most people assume.
Smishing targets victims by using a more direct route than an e-mail or social media, choosing a text message (an SMS) instead to deceive an unsuspecting person.
What is Smishing?
Its name mashes together two terms: SMS (the communication medium the attackers use) and phishing.
It is a sneakier form of phishing, consisting of a cybersecurity attack carried out via a text message. Smishing is a socially engineered type of cyberattack that takes advantage of human trust in order to convince the recipient to give away sensitive data, such as financial or personal information.
The methods most frequently used by scammers are:
- Malicious websites. The link received via text message will direct the victim to a website asking for the desired personal data. Often, this illicit website is disguised as a legitimate and trustworthy one to make stealing data easier.
- Malicious software. When the victim clicks the link contained in the text, malware downloads and installs itself on the victim’s device, often pretending to be a reputable software program and asking for sensitive information.
Smishers prey on everyday operations and requirements to disguise their attacks, such as bank notifications, payments, deliveries, and so on.
Many of these fake text messages will direct victims to a fake login page, asking for payment or login information later on.
The purpose of smishing, as with any other kind of cyberattack, is financial gain. Attackers get hold of users’ data to compromise them and/or the company they work for. All it takes is a moment of misplaced trust, an uninformed action, or a combination of both, and voilà, you’ve been smished.
What Types of Smishing Attacks are there?
There is a growing number of smishing attack types. However, those explained below are the most common ones:
- Gift Smishing – scammers, often disguised as reputable and legitimate companies, will attempt to deceive you with the promise of free products or services, prompting the victim to take action – give their personal data – within a limited amount of time.
- Fake discounts – similar to gift smishing, but promising substantial discounts or vouchers. These messages aren’t usually targeted, so many of them are ignored by the recipients. However, this is not a significant inconvenience for the smisher, as they expect only a small number of responses, having sent the fake messages in bulk.
- Delayed parcels – in the COVID-19 context, the premise of delayed parcels has become one of the primary vehicles of smishing attacks. The scammers pose as reputable delivery service providers, requesting your payment details for fake delivery fees.
- Customer Support Smishing – attackers may disguise themselves as a trusted company, claiming to offer you help in resolving an issue, such as fixing an error with your account by giving you the necessary steps. Their purpose is to get your real account info and try to reset your password.
- Financial Services Smishing – the attacker will pose as a bank or other type of financial services provider, often asking you to check suspicious activity on your account or requesting that you unblock your account.
What precautions can you take against Smishing Attacks?
Although nobody can completely stop smishing attacks, there are a few ways to protect yourself and your company against them:
- Do not click on URLs you get in a text message or any other form of communication, unless you know and trust the sender. Even if the text was sent to you by a friend, you should make sure they meant to send it;
- Do not respond to text messages from people you don’t know, from an unknown number or a phone number that doesn’t look like one;
- Only download apps from official app stores;
- Do not enter your sensitive information on the suspicious websites the attacker directs you to;
- Do not take the action required by companies via text message. Instead, contact them using a method you trust, such as a telephone call, to verify the text was legit and not a scam;
- Report any suspicious texts you receive and block the number without replying.
Precautions are all the more important if we’re talking companies. As with any other form of attack, smishing targets companies because that’s where the jackpot is in terms of money.
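For a team that collects the texts employees report, the lure types and warning signs listed above can be encoded as a first-pass triage check. The following Python is an added example, not part of the original article; the keyword lists, signal names, verdict rules and sample messages are assumptions constructed for illustration.

```python
import re

# Keyword patterns for the five lure types listed in the article. The wording
# is an assumption for illustration; real lures vary, so extend as needed.
LURES = {
    "gift": r"\b(free|gift|prize|winner)\b",
    "discount": r"\b(discount|voucher|coupon|\d+% off)\b",
    "parcel": r"\b(parcel|package|delivery|courier)\b",
    "support": r"\b(customer support|reset your password|error with your account)\b",
    "financial": r"\b(bank|suspicious activity|unblock your account)\b",
}
URL_RE = re.compile(r"https?://\S+|www\.\S+|\b[\w.-]+\.[a-z]{2,}/\S*", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|expires?|within \d+ (hours?|days?))\b", re.I)
SENSITIVE_RE = re.compile(r"\b(password|pin|login|card number|payment details)\b", re.I)
# A sender "looks like a phone number" here if it is 3-15 digits, optional "+".
PHONE_RE = re.compile(r"^\+?\d{3,15}$")


def triage(sender, text, known_senders=frozenset()):
    """Return lure types, warning signs and a verdict for one reported SMS."""
    lures = [name for name, pat in LURES.items() if re.search(pat, text, re.I)]
    checks = [
        ("contains_link", URL_RE.search(text)),
        ("unknown_sender", sender not in known_senders),
        ("odd_sender_format", not PHONE_RE.match(sender.replace(" ", ""))),
        ("time_pressure", URGENCY_RE.search(text)),
        ("asks_for_sensitive_data", SENSITIVE_RE.search(text)),
    ]
    signals = [name for name, hit in checks if hit]
    if lures and "contains_link" in signals and len(signals) >= 3:
        verdict = "likely_smishing"
    elif lures or "contains_link" in signals:
        verdict = "review"  # a link alone still deserves a second look
    else:
        verdict = "no_match"
    return {"lures": lures, "signals": signals, "verdict": verdict}


# Constructed sample messages (not real traffic); .example domains are reserved.
SAMPLES = [
    ("+15550100123", "Your parcel is delayed. Confirm your payment details for "
     "the delivery fee within 24 hours: http://parcel-fee.example/pay"),
    ("alerts@bank-secure.example", "Bank notice: suspicious activity on your "
     "account. Log in at www.bank-secure.example/login to unblock it."),
    ("+15550100999", "Running late, see you at 7"),
]
if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, triage(sender, text, known_senders={"+15550100999"}))
```

Keyword matching of this kind only sorts reports for a human reviewer; a "no_match" verdict does not mean a message is safe.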
Security Awareness Training is a key factor in keeping your company safe from scammers. Attack Simulator’s program will educate your employees on smishing and all the other scams out there.