Social Engineering: What is Smishing?


Smishing is a social engineering attack that uses phishing techniques but is delivered by text message instead of email. The name is a combination of SMS and phishing.

In this post, you’ll discover how to recognize smishing attacks and get some advice on how to protect yourself against them.

What’s smishing?

Smishing (a portmanteau of the words SMS and phishing) is another social engineering ploy. It’s a phishing technique that relies on a malicious text message. In other words, it’s a cyber threat that aims to deliver a virus to you, or to make you do something harmful to yourself, through a text message.

We tend to be more reactive with our phones. We will respond spontaneously to any message. Hackers know this. By using mobile phone text messages (SMS), they look to trick you into taking an immediate action.

Many smishing attacks combine an SMS with a ‘false sense of urgency’ to exploit this tendency more effectively. The malicious SMS conveys a sense of emergency to lure victims into acting even more quickly.

Attackers particularly like smishing because it’s a low-cost attack. An internet phone system (VoIP) server, a burner cell phone and a spoofing method: that’s all it takes to send a virus through targeted text messages. With applications such as BurnerApp and SpoofCard, it is easy and cheap to purchase a spoofed number to text from.

What are the risks of smishing?

Like many cyber threats, a smishing attack aims to steal your personal data, bank account details, passwords or access to websites. Sometimes it also seeks to trick you into doing something: transferring money, or giving authorization or access to someone, for example. This can be a mass attack (several people like you will receive the same SMS) or a very targeted attack prepared in advance, comparable to spear phishing (you’ll be the only one to receive the text message).

Smishing can lead you to visit a malicious website designed to steal your credentials or personal data. Alternatively, you could be led to call a fraudulent phone number. From there, the cybercriminals on the phone could also launch a Quid Pro Quo attack or a Pretexting attack against you to extract sensitive information. To do so, they would impersonate a manager of your company, a police officer or a security guard and ask you to give them your credentials.

But the most common risk is downloading a virus, or any other kind of malware such as a Trojan horse, through the text message you received. This could turn your phone into a zombie, allowing hackers to control it. As a zombie device, it could become part of a botnet and be used to launch a Distributed Denial-of-Service (DDoS) attack, to send spam, etc.

Examples of smishing

Scenario #1

In this example, a malicious text message urges the recipient to “Update information to avoid account suspension.”

(Image: example of a smishing text message)
Source: http://numbercop.tumblr.com

Scenario #2

In this second example, the SMS tells you to opt out of something, or you’ll risk having to pay some kind of charge.

“Dear user,
You will be charged 25 Euro per week, under the new Electric supply regulation. If you want to opt-out, please visit www.smished.com (example link)
Regards,
Your Electric supply company”

Scenario #3

This third example is a kind of baiting attack: the malicious text message tells the target they can get free vouchers.

“Dear user,
Aldi is offering a free £65 voucher on your next Aldi visit.
Please register on www.smished.com (example link) to reserve your voucher in advance”

A sample of an automated prompt associated with such smishing attacks can be found here.

How to recognize Smishing?

Any SMS coming from a number that doesn’t look like a phone number, such as ‘0420’, could be a sign that the text message was actually sent from an email to your phone. This could also mean it’s a smishing attack, and that the text could contain a virus. In fact, some hackers use an email-to-text service to send their text message virus, or any other kind of malicious SMS, in order to hide their actual phone numbers.

Another smishing method uses number spoofing. The hackers purchase a spoofed copy of a real phone number so that their text message appears in an existing thread of genuine messages from your bank, a store, etc. In addition, attackers also use Flash SMS (the type of message normally used for emergency alerts, traffic alerts or receiving one-time passcodes) to immediately catch the recipient’s attention.
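As an added example (not code from the original post), the following Python script turns the warning signs above, together with the lure patterns of the scenarios in the previous section, into a simple scoring check: a short or alphanumeric sender ID, a link from a sender outside your contacts, pressure phrases, and free-reward bait. The sample messages, the contact list and the phrase lists are constructed for this demonstration.

```python
import re
from dataclasses import dataclass

# Lures the post describes: pressure to act now, or a free reward (baiting).
URGENCY_PHRASES = ("avoid account suspension", "will be charged", "opt-out",
                   "immediately", "within 24 hours")
BAIT_PHRASES = ("free", "voucher", "prize", "you have won")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

@dataclass
class Sms:
    sender: str
    body: str

def sender_looks_like_real_number(sender: str) -> bool:
    """True for a full subscriber number; False for a short code such as
    '0420' or an alphanumeric ID, the origins typical of email-to-text gateways."""
    digits = re.sub(r"\D", "", sender)
    return re.fullmatch(r"\+?[\d ]+", sender) is not None and len(digits) >= 8

def smishing_indicators(sms: Sms, trusted_senders: set) -> list:
    """Return the warning signs found in one message (empty list = none)."""
    reasons = []
    text = sms.body.lower()
    if not sender_looks_like_real_number(sms.sender):
        reasons.append("short or alphanumeric sender id")
    if URL_RE.search(sms.body) and sms.sender not in trusted_senders:
        reasons.append("link from a sender not in your contacts")
    if any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in URGENCY_PHRASES):
        reasons.append("pressure to act immediately")
    if any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in BAIT_PHRASES):
        reasons.append("bait: free reward")
    return reasons

def is_suspicious(sms: Sms, trusted_senders: set) -> bool:
    """Two or more independent signs: treat the message as probable smishing."""
    return len(smishing_indicators(sms, trusted_senders)) >= 2

# Constructed samples: the post's scenarios #2 and #3, plus a benign text from a contact.
TRUSTED = {"+44 7700 900123"}
SCENARIO_2 = Sms("0420", "Dear user, You will be charged 25 Euro per week, under the new "
                 "Electric supply regulation. If you want to opt-out, please visit www.smished.com")
SCENARIO_3 = Sms("ALDI", "Dear user, Aldi is offering a free £65 voucher on your next Aldi visit. "
                 "Please register on www.smished.com to reserve your voucher in advance")
BENIGN = Sms("+44 7700 900123", "Running late, see you at 7")

if __name__ == "__main__":
    for msg in (SCENARIO_2, SCENARIO_3, BENIGN):
        print(msg.sender, "->", is_suspicious(msg, TRUSTED), smishing_indicators(msg, TRUSTED))
```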

How to protect yourself from Smishing?

  • Don’t click on links you receive by SMS on your phone unless you know the person they are coming from. The link could lead to a fake website set up to collect your personal data, banking password or credentials without arousing your suspicion.
  • Be very careful with messages asking you to take immediate action. Don’t feel pressured into responding; in most cases, legitimate organizations give you time to react. First make sure that these messages come from a trusted source. If necessary, confirm their origin by calling the sender directly, after looking up their phone number on their website. You can also generally find your bank’s number on the back of your card.
  • Even if you get a text message containing a link from a friend, consider verifying it with the sender first before clicking on the link.
  • Be cautious with unusual short phone numbers. They can be issued by email-to-text services, which hackers use to hide their actual phone number.
  • Never install an app by clicking on a text message. Always use the official app store to install apps.
  • Never give away any personal or financial information by SMS or phone call.
  • Don’t reply to text messages coming from people you don’t know.
  • Avoid storing any banking information or card numbers on your phone. Even if your phone falls prey to a virus installed through a smishing attack, the hackers won’t be able to steal them.
  • If you’re an organization, train your staff to follow this advice, to recognize all cyber threats and to apply cybersecurity rules. They must refrain from sending confidential data by phone or email.
  • If you’ve been a victim of smishing, or know that someone used your name for a smishing attack, you can also report identity theft at: https://www.identitytheft.gov/.

Conclusion

You should never spontaneously trust a text message that seems to come from your bank, your employer, or even a friend, and that includes a link to download an app or to lead you to a website. Official organizations are usually unlikely to contact you by text message. It could be a smishing attack: a cyber threat initiated by an SMS that contains a virus or other malware, or that invites you to do something harmful to yourself. Instead, take the time to check the message carefully and refrain from installing any app or following any link.

Almost all of the text messages you get are going to be fine. But it only takes one bad one to compromise your security!

Mailfence has an Email security and privacy awareness course to teach you how to avoid giving access to the wrong individuals or having your personal data stolen or exposed without your consent. Learn now how to protect yourself against all cyber threats! Education is the key to fighting social engineering.


– Mailfence Team


M Salman Nadeem

Salman works as an Information security analyst for Mailfence. His areas of interests include cryptography, security architecture and design, access control and operations security. You can follow him on LinkedIn @mohammadsalmannadeem