Phishing but in SMS. How to recognize smishing attacks?
February 17, 2022 / Knowledge

Have you just received a random SMS on winning the lottery? Does the text message say that your bank transfer is on hold? (Although you were not sending any money recently.)

You may have just become a target of a smishing attack.

What is smishing?

As the name suggests, smishing (also stylized as SMiShing) is a social engineering attack carried out through fraudulent SMS messages sent to your mobile number.

Fraudulent text messages can also reach you on any data-based messaging app (Messenger, WhatsApp, Telegram, etc.).

This attack is risky because people generally trust SMS content. If the message contains (at least vaguely) personalized information, trust rates are even higher.

How does smishing work?

Smishing is considered a social engineering attack because it exploits human trust and seeks to trick the victim into clicking a link or providing sensitive data.

The end goal usually includes:

  • stealing data (financial data, passwords, etc.),
  • stealing money,
  • gaining access to sensitive information (bank accounts, business networks, etc.),
  • infecting devices with malware.

The attackers can obtain your phone number from past data breaches. If any platform that stored your number suffered a leak, there is a high chance the stolen data was sold on the dark web. From there, any hacker can purchase it.

In most cases, cyber criminals hide their phone numbers, so you do not have a chance to reply to them or notify others. They also use prepaid plans to send SMS messages, which protects them from being caught.

Examples of the messages

The messages are usually constructed to provoke immediate, emotion-based responses. The plan is for the recipient to take action as soon as they see the message. This is achieved by choosing a relevant scenario and an urgent call to action.

Here are some frequent examples of smishing messages:

  • You have just won the lottery. Provide bank information to receive the money.
  • There were changes in your parcel delivery. Click here to reschedule delivery.
  • Unusual activity was noticed in your account. Click here to review it.
  • Are you sure you want to confirm the money transfer to XXX? Click here to confirm or deny.
  • Your bank account was blocked. Click here to reactivate.

The provided link usually leads to malware or a virus that can infect the device or steal data.

How to recognize smishing?

Carefully read any messages that you receive. With some knowledge, it is easy to spot a malicious one.

Here’s what you should pay attention to:

  • The message is urgent. If the text demands that you act immediately, arouses curiosity, fear, urgency, or anxiety, and includes action words, it is most likely a smishing attack.
  • Spelling and grammar mistakes. Legitimate companies have their messages proofread before sending them to clients. If a message contains grammar mistakes, ignore it.
  • Suspicious link attached. If the message contains a link that is shortened or differs from the one you expect, that is a scam. Be skeptical when you see https://ama.zon.com.
  • Asking for personal information. No bank or legitimate organization will ask you to send your personal details via text message. If you are asked to provide login or bank information, do not reply.
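
The checks above can also be applied automatically, for example when triaging messages that users report. The following is an added example, not code from the original article: the word lists, the expected-domain table, the sample messages and all function names are assumptions made for illustration, and the spelling and grammar check is left out.

```python
import re
from urllib.parse import urlsplit

# Constructed word lists and allow-list for illustration; tune before real use.
EXPECTED_DOMAINS = {"amazon": "amazon.com"}  # brand name -> domain you expect
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENT = re.compile(r"\b(immediately|urgent|blocked|on hold|unusual activity|won)\b", re.I)
PERSONAL = re.compile(r"\b(password|login|pin|bank (information|details))\b", re.I)
URL = re.compile(r"https?://\S+", re.I)

def registrable(host):
    # Simplification: keep the last two labels. Production code should use
    # the Public Suffix List so that names like example.co.uk are handled.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_flags(url):
    host = urlsplit(url).hostname or ""
    flags = []
    if registrable(host) in SHORTENERS:
        flags.append("shortened-link")
    # Remove dots and hyphens so a brand split across labels is still seen.
    squashed = host.lower().replace(".", "").replace("-", "")
    for brand, domain in EXPECTED_DOMAINS.items():
        if brand in squashed and registrable(host) != domain:
            flags.append("lookalike-domain")
    return flags

def smishing_flags(text):
    flags = []
    if URGENT.search(text):
        flags.append("urgency")
    if PERSONAL.search(text):
        flags.append("asks-personal-info")
    for url in URL.findall(text):
        flags += link_flags(url.rstrip(".,)"))  # drop sentence punctuation
    return sorted(set(flags))

# Constructed sample messages, modelled on the examples in this article.
SAMPLES = [
    "Your bank account was blocked. Click here to reactivate: https://bit.ly/EXAMPLE",
    "Unusual activity was noticed in your account. Review it at https://ama.zon.com.",
    "You have just won the lottery. Provide bank information to receive the money.",
    "Your order has shipped. Track it at https://www.amazon.com/orders",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(smishing_flags(sms), "<-", sms)
```

The link in https://ama.zon.com is flagged because its registrable domain is zon.com, not amazon.com, even though the brand name appears when the dots are ignored. The code only parses the text and never opens any link.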

What prevention methods should you take?

Since the beginning of the Covid-19 pandemic, the number of smishing attacks has increased significantly. With smishing attacks rising in popularity, make sure to respond by protecting yourself.

Protect yourself from smishing by following these tactics:

  • Never respond to smishing messages you receive. There is no danger in receiving them; it is dangerous only when you take the bait.
  • If the message makes you feel anxious, call the organization directly (e.g., the bank) and ask for clarification.
  • Make sure your phone system is updated and your antivirus works smoothly.
  • Never click on suspicious links, especially if you received them randomly.
  • Never call the number that sent you the message. It is always advised to find the organization’s phone number on their official website and use that one for contacting them.
  • Notify your bank, workplace, or other institution about smishing attempts on their behalf.

Most importantly, be skeptical and suspicious. It is better to be sure than to fall for a smishing trap.

Now you know how to recognize it and protect yourself!