Social Engineering: What is Smishing?
SMiShing (short of SMS phishing) is an emerging security threat. It is a technique that uses mobile phone text messages (SMS) to trick victims into taking an immediate action.
People sometimes tend to be more inclined to trust a text message than an email. People are aware of the security risks involved with clicking on links in email, but this is less true when it comes to text messages.
Smishing is particularly attractive to attackers since it’s a low-cost attack. A VOIP server, a burner cell phone and a spoofing method are all that is required to send targeted text messages. With applications such as BurnerApp and SpoofCard, it is easy and cheap to purchase a spoofed number to text from.
What are the risks for smishing?
Smishing can lead to visiting a malicious website or calling a fraudulent phone number. For instance, the most common risk is downloading a Trojan horse (malware). Such a Trojan horse can turn the device into a zombie, allowing it to be controlled by hackers. Moreover, zombie devices are part of botnets, which are used to launch denial of service attacks, sending spam, …etc.
Real life scenario#1
Update information to avoid account suspension.
Real life scenario#2
Opt-out or face regulation charges.
You will be charged 25 Euro per week, under the new Electric supply regulation. If you want to opt-out, please visit www.smished.com (example link)
Your Electric supply company”
Real life scenario#3
Get free vouchers.
Aldi is offering a free £65 voucher on your next Aldi visit.
Please register on www.smished.com (example link) to reserve your voucher in advance”
A sample of an automated prompt that has been associated with such SMiShing attacks can be found here.
How to recognize Smishing?
SMS coming from a phone number that doesn’t look like a phone number, such as ‘0420’ – could be a sign that the text message is actually just an email sent to a phone.
Another method used is number spoofing. This makes the text message appear on an existing thread of genuine messages from the bank, store, …etc. In addition, Flash SMS which is mainly used to immediately catch the recipients’ attention (e.g. for emergency alerts, traffic alerts – or for receiving one-time pass-codes, …etc) are also being used by attackers.
The most common characteristic of smishing is the ‘false sense of urgency’, a scare tactic that attackers use to lure victims in taking action.
How to protect yourself from Smishing?
- Don’t click on links you get on your phone unless you know the person they are coming from. Even if you get a text message with a link from a friend, consider verifying it first with the sender before clicking on the link.
- Never install apps from text messages. Always use official app store for installing apps. For instance, they have vigorous testing procedures in place to filter out malwares and other known threats.
- Never give away any personal or financial information. If possible, block the suspicious number as well.
- Don’t feel pressured into responding back to a message or call. In addition, legitimate organizations give you the time to react. Only call valid numbers (e.g., you can find the bank’s number on the back of your card).
- In general, you don’t want to reply to text messages from people you don’t know. That’s the best way to remain safe.
You can also report Identity theft at: https://www.identitytheft.gov/
Almost all of the text messages you get are going to be fine. But it only takes one bad one to compromise your security!
– Mailfence Team