What is Smishing
People receive text notifications from friends, banks, stores, advertising companies, mobile carriers, government agencies, and many other organizations. So figuring out what’s real or fake can be an ordeal.
These days, hackers lure victims using SMS texts because they’ve are perceived as a safer communication channel. Unfortunately, that’s not always the case.
So, what is smishing, or SMS phishing, given this new digital threat that looms over every mobile device user?
Summary: Smishing is a combination of the words phishing and SMS. It’s a form of phishing or cyber attack using texting as a medium. But instead of the traditional phishing attacks using fraudulent emails, smishing involves receiving a malicious text message. Typically, it aims to trick users into clicking certain links, calling specific numbers, or sharing personal or financial data directly.
Although smishing attacks can be formulated in many ways, there are a few prevalent examples users should be aware of.
Attackers often impersonate tech support specialists and notifications for fake shipments, prizes, rewards, and discounts.
Some will use smishing to send targets false bank account balance notices or pose as customer service representatives from reputable businesses.
In recent years, many smishing attacks involve various Covid-19 warnings or contact tracing messages. These are highly effective against health-conscious individuals.
How Smishing Works
The basic principles of phishing apply to smishing attacks. Cybercriminals attempt to mask fraudulent domains using links and present themselves as trustworthy individuals or organizations.
A smishing attack often contains a small URL that redirects unsuspecting users to a fake site where they can input sensitive information, share login credentials, or download malware. Doing so enables threat actors to steal a wide range of user information.
In many smishing attacks, URL padding is used to obscure a link’s true destination. Due to the display differences between texting apps and other communication services, users might not be able to tell if they’re looking at a legitimate link.
URL padding enables attackers to hide the malicious domain using a hyphen and still display the legitimate part of a domain. This is only possible on mobile devices.
In addition, smishers may use various screen overlays on top of banking apps which can trick users into typing their login information. It’s somewhat similar to a technique used to insert malicious code into websites using iframes.
But what’s more dangerous in this case is that these overlays can sometimes even get around two-factor authentication protocols and grant remote access.
This would enable hackers to get even more than bank details or credit card details and gain access to sufficient personal information to engage in identity theft.
The Social Engineering Component
Like most phishing attacks, social engineering is a major component of every smishing attack. Even if a malicious link can be masked, there’s no guarantee that users will tap the link in a text message.
Therefore, attackers must resort to social engineering to gain the user’s trust. A common smishing attack addresses the user directly by sharing their name and even their location. This level of knowledge about the user can build trust and get the target to lower their guard.
Once convinced, the user could tap on a link and be redirected to a server or overlay controlled by the attacker and designed to steal information or compromise the device.
Vishing and Smishing Combinations
Another trick used by smishers is calling before texting. Social engineering allows smishers to learn personal details about their targets. Thus, an attacker can call their intended target first, present the scenario, gain the user’s trust, and then follow up with a text.
This increases the likelihood of the individual following through with tapping the fraudulent URL.
Although some telephone companies screen all calls as part of their social engineering attacks prevention policies, this isn’t very effective. Telephone companies can only warn users about incoming calls if the number is a previously known fraudulent number.
Furthermore, smishers that use advanced spoofing techniques can protect themselves against spam risk screening and pose as trustworthy callers.
Smishing Attacks After 2020
Smishing is a term that wasn’t used before 2006. Although it has been a constant problem over the years, the general public hasn’t been as aware of it as it should.
A Proofpoint report conducted in 2020 showed that 23% of mobile users over the age of 55 knew the concept of smishing. Millennials didn’t fare better, with just 34% having sufficient awareness of the smishing variation of a phishing attack.
Due to the general lack of awareness, smishing causes billions of dollars in losses worldwide. And to some degree, smishing can be more dangerous than regular malware attacks or virus attacks.
During the height of the pandemic, in 2020, the Internet Crime Complaint Center, IC3, received 1,400 complaints regarding malware attacks. In contrast, the cybercrime division logged 240,000 phishing victims, many of which were smishing targets.
The same Proofpoint report from 2020 showed that smishing and other SMS-based scams saw a 328% growth in Q3 2020.
This was largely due to the general health scare and the ease of tricking people into reading and responding to Covid-19-related texts without checking the authenticity of the supposed sender.
Smishing attacks using tax-related warnings and fake stimulus notifications also experienced a spike in 2020, along with health-related smishing attacks.
Another popular type of attack notified individuals of fake deliveries and prompted users to call a specific number or access a particular link to learn more about their supposed deliveries.
Generally, while most people should be aware of whether or not they are expecting deliveries, the surge of Amazon deliveries made more individuals easy targets.
These risk factors make smishing one of the most dangerous phishing attack methods against mobile users.
Users Can Help Combat Smishing
With most forms of cyber attacks, everyday users can’t do anything but protect themselves against them as best as they can.
But fighting smishing is much more like a crowdfunded effort. On one side, you have major mobile carriers. These organizations have started using sophisticated machine learning security software and actively share their databases of fraudulent phone numbers.
On another side, you have companies like Google, Apple, and others that run and manage various text messaging apps. They enable users to report suspicious numbers.
Mobile carriers do this too, and allow users to forward a suspicious message. The message is reviewed, and the unknown senders are logged into the spam number database of the mobile provider. Carriers then share their databases .
The number of fraudulent SMS reporting services in the U.S. is 7726, or SPAM.
Thus, users can be more directly involved in slowing the growth of smishing attacks.
General Smishing Protection Guidelines
Currently, mobile platforms lack anti-phishing technology. More specifically, they don’t implement it into SMS or texting applications.
That’s because classic endpoint defenses against email phishing aren’t designed for smishing attacks.
Individual and corporate mobile users must use specialized security software that can recognize smishing threat vectors and smishing-specific social engineering techniques.
But here’s what’s interesting about smishing. It only works if users take action and go to the indicated URL or call the suggested number in a fraudulent text message.
This differs from traditional phishing, where people can be tricked into accessing malicious websites outside their email inboxes, chat rooms, and social media messaging apps.
If users simply disregard most smishing messages that urge them to tap on a link or call a phone number, the smishing attempts will fail.
That said, should users disregard all incoming text messages and view them as potential hacking attempts?
Smishing often relies on instilling a sense of urgency in the user and presenting a must-act-now scenario. While even a reputable financial institution will send these types of messages, it will do it differently than smishers.
For example, most financial institutions and vendors will remind users to update their information or confirm their credentials. However, they wouldn’t necessarily ask users to do it by tapping a link that will redirect them to a website.
Many more organizations and institutions send SMS notifications with no way for the user to take direct action to distinguish their messages from smishing attempts.
Furthermore, users shouldn’t click on a link or reply to unknown numbers without checking their authenticity.
Another way to protect against smishing is to avoid storing sensitive information like banking or credit card information on mobile devices. This way, malware apps would have nothing of value to steal should it find its way onto the device.
Of course, having a reliable anti-malware security suite is always a good idea. But at the end of the day, smishing won’t work if the target isn’t fooled by the message.
As such, due diligence and awareness are the best defenses.
Text Message Phishing – A Real Threat to Your Personal or Financial Information
Text messages were considered safe for a very long time compared to chat rooms, emails, and social messaging apps. However, smartphones have enabled SMS apps to be more interactive, and users can take direct action and download apps or visit sites by simply tapping a tiny URL.
Because of this, smishing attacks surged in recent years as more hackers use text messages to gain people’s trust and get them to take actions they shouldn’t.
Being aware of how trustworthy organizations and institutions curate their notifications is more critical than ever to protect yourself against text message scams.
Frequently Asked Questions
What’s the difference between phishing and smishing?
Phishing is primarily used to describe the use of a fake website or phishing email to insert malware or steal data from a user’s device. Smishing is a similar practice that uses text messages to communicate with intended targets.
Can you stop smishing texts?
Yes and no. Users can prevent having the same phone number contacting them with more smishing attempts by reporting the message to 7726 in the U.S. However, this won’t stop other numbers from sending more texts.
Why are you getting spam texts?
People get spammed even via text, often as part of a larger smishing attack, because hackers can easily get their hands on people’s phone numbers and email addresses. They do it using social media platforms, company websites, or buying contact information from data collection companies.
Author: Tibor Moes
Founder & Chief Editor at SoftwareLab
Tibor is a Dutch engineer and entrepreneur. He has tested security software since 2014.
This website is hosted on a Digital Ocean server via Cloudways and is built with DIVI on WordPress.
Don't take chances online. Protect yourself today:
Protect your Devices
Protect your Privacy
Or directly visit the #1: