Smishing – The Next Cyber Threat

It seems like cyber attackers and scammers have been making headlines more and more lately as they find different ways to kidnap your data and hold it hostage. It’s no surprise that another type of attack is rearing its ugly head more frequently. Smishing. Heard of it? Smishing is “the act of using mobile phone text messages (SMS) to lure victims into immediate action such as downloading mobile malware, visiting a malicious website or calling a fraudulent phone number.” [1] Like phishing, hackers using smishing typically try to trick you into giving them your private information, in this case through texts, and this type of attack is an emerging and growing threat in the world of online security.

 


What Does Smishing Look Like?

The most common examples of smishing occur when scammers send fraudulent text messages posing as a business that might have access to sensitive personal information, like financial information from a bank. Typically, the message tries to alert you to an urgent matter and threatens dire consequences if you don’t respond immediately. The text may direct you to a toll-free number or website that looks just like a legitimate institution’s, but it’s not. Once you have called the number or clicked on the link, they may ask you to verify your sensitive information. When you verify the information, you’re essentially handing them what they need to get what they want. Smishers will often ask for your credit card number, account number, and expiration date; Social Security number; or your bank account number and password.

 


Examples of Fraudulent Smishing Messages

Fraudulent text messages request that you perform an additional action, be it calling a number or clicking a link to enter or speak your personal information. Below are some common examples of smishing text messages. Take note of how each one conveys urgency and asks you to do something else.

  • Please call XYZ Financial immediately at 1-888-5000 regarding a recent restriction placed on your account. (Be wary of any text from a shortened phone number such as “5000.”)
  • Congratulations! You have just won a $500 gift card! Click here to claim your prize!
  • Your Orange ID account has been locked due to unauthorized login attempts. Please log in here to verify your account.
  • From Horizon Bank: We have detected some unusual account activity and ask that you immediately follow this review link: http:/bit.do/123Bank.com
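The traits called out in the list above (urgency, a request to call or click, a shortened callback number, a shortened link) can be turned into a simple triage rule for texts that users report. This is an added Python example, not part of the original article; the keyword lists, the 10-digit threshold (North American numbering assumed) and the shortener entries other than bit.do are illustrative assumptions.

```python
import re

# Illustrative indicator patterns (assumptions, not a vetted ruleset).
URGENCY = re.compile(r"\b(immediately|urgent|right now|locked|restriction|unusual|unauthorized)\b", re.I)
SENSITIVE_ASK = re.compile(r"\b(verify|confirm|log in|password|account number|social security)\b", re.I)
PRIZE = re.compile(r"\b(congratulations|you have (just )?won|prize|gift card)\b", re.I)
# Accepts one or two slashes so a malformed "http:/host" link is still caught.
URL = re.compile(r"\b(?:https?:/{1,2}|www\.)([a-z0-9.-]+)", re.I)
CLICK_HERE = re.compile(r"\b(?:click|log in|tap)\s+here\b", re.I)
CALLBACK = re.compile(r"\bcall\b[^.]*?\bat\s+(\+?[\d\-\s()]{4,}\d)", re.I)
SHORTENERS = {"bit.do", "bit.ly", "tinyurl.com"}  # incomplete sample list

def triage(message):
    """Return the list of smishing indicators found in one SMS body."""
    reasons = []
    if URGENCY.search(message):
        reasons.append("urgency")
    if SENSITIVE_ASK.search(message):
        reasons.append("asks_to_verify")
    if PRIZE.search(message):
        reasons.append("prize_lure")
    hosts = [h.lower().rstrip(".") for h in URL.findall(message)]
    if hosts or CLICK_HERE.search(message):
        reasons.append("link")
    if any(h in SHORTENERS for h in hosts):
        reasons.append("url_shortener")
    number = CALLBACK.search(message)
    if number:
        reasons.append("callback_number")
        # Fewer than 10 digits is not a full North American number.
        if len(re.sub(r"\D", "", number.group(1))) < 10:
            reasons.append("short_number")
    return reasons

def is_suspicious(message):
    """Flag a text that pairs pressure with a requested action (call or click)."""
    found = set(triage(message))
    pressure = found & {"urgency", "asks_to_verify", "prize_lure"}
    action = found & {"link", "callback_number"}
    return bool(pressure and action)

# The article's four example texts, plus one constructed benign message.
SAMPLES = [
    "Please call XYZ Financial immediately at 1-888-5000 regarding a recent restriction placed on your account.",
    "Congratulations! You have just won a $500 gift card! Click here to claim your prize!",
    "Your Orange ID account has been locked due to unauthorized login attempts. Please log in here to verify your account.",
    "From Horizon Bank: We have detected some unusual account activity and ask that you immediately follow this review link: http:/bit.do/123Bank.com",
    "Your package was delivered today at 2:14 PM. Thanks for shopping with us.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(is_suspicious(text), triage(text))
```

A rule like this only sorts reported messages for review; a text that trips none of the patterns can still be fraudulent.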

 


Why Scammers Like Smishing

Smishing scams have been around for almost ten years, since 2008, but experts say they are becoming more prevalent because people are getting more suspicious of phishing emails and scammers needed another outlet. Plus, technology is getting better at detecting fake email accounts and closing them out.

“The next easiest thing for [a scammer] to do is to go to mobile,” says Jason Hong, associate professor at Carnegie Mellon University’s Human-Computer Interaction Institute. [2] Furthermore, texting is seen as an intimate, private way to communicate, so you likely feel safe. Add that sense of security to a message that begs for your immediate consideration, and there’s a good chance you’ll react to it.

“There’s an urgency to the message. There’s something that needs your attention right now,” Hong says.

Playing on your emotions, scammers often succeed in their aims: identity theft, access to a bank account, or even blackmailing a person or company over secrets.

 


How Do I Protect My Business?

One of the best ways to educate users against smishing attacks is by conducting simulated attacks as part of your security training program. This provides the opportunity to train individuals to respond to and prevent future threats. At the least, your training should cite several different smishing examples and explain how to respond to each of them. [3]

Make sure to use strong passwords – and different passwords – for everything from your bank’s website to your email account. Two-factor authentication and password managers like Dashlane and LastPass can also be useful.

Like most cyber attacks, there’s no one way to avoid getting smishing messages. However, if you stay aware of possible threats, you’ll be more likely to question messages that appear fake or suspicious. Keep in mind that most companies will never ask you to “confirm” or “verify” your sensitive personal information in an unsolicited SMS text message.

 


What Should I Do If I Think I’ve Received a Fraudulent Text?

If you receive a text message that asks for sensitive information:

  • Do not reply to the message.
  • Do not click on any of the links that may be embedded in the message.
  • Contact the company that the text references to determine if they sent you a legitimate request.
  • File a complaint with the Federal Trade Commission and the Federal Communications Commission. These agencies enforce the laws regarding scam calls and text messages.
  • Report the number that has sent you the phishing SMS to your mobile phone carrier.

 

 

  1. https://www.social-engineer.org/framework/attack-vectors/smishing/
  2. http://fortune.com/2017/07/07/smishing-scam/
  3. https://www.wombatsecurity.com/security-education/simulated-smishing-and-usb-attacks