As if phishing attacks via email were not enough, today we also have to worry about text messages on our phones. That’s what “smishing” is all about and that’s what we will be explaining today…
What is smishing?
Have you, or someone you know, received a strange text that claims to be from your bank, only to find out that the SMS has nothing to do with the bank? Or a message in which the government asks for your social security number via SMS? How about a notification that you have just won a large sum of money?
These are all examples of smishing, which is a type of phishing attack that uses SMS (short message service). And so the name: SMS + phishing = smishing.
As with “regular” email phishing, smishing hackers aim to trick their victims in order to steal their login information and later benefit financially from that data.
How does smishing work?
As is the case with any phishing attack, smishing relies on social engineering techniques to manipulate the victim into performing the task the attacker wants him/her to do.
To make that happen, the attacker first tries to gain the victim’s trust by pretending to be a legitimate organization that is helping the victim solve some task, which leads to the victim handing his/her credentials over to the attacker.
Smishing attacks often rely on specific situations, like a public data breach, targeting emotions of the victim and building in a sense of urgency to act. For instance, users are often invited to quickly change their passwords before their accounts get locked.
The link included in the SMS leads the user to a page where they are supposed to log in to act. What’s more, these days even those pages look like they’ve been created by legitimate businesses, which increases the attacker’s chances of success. That “success” means the attacker receives private information, which could include things like credentials for social media and email accounts, online banking, and so on.
How to detect a smishing scam?
There are a few things that could reveal whether an SMS is legit or a smishing attempt:
- Is your personal information, like your ID card number or online account passwords, requested in an SMS?
- Is a link included with the message?
- Where is the message coming from? Many of the organizations that get quoted in smishing texts seldom, if ever, use SMS to contact users.
- Does the message offer a service that is otherwise free for a “special price”? These would include things like coronavirus testing, vaccine bookings, financial aid, etc.
- If the message is about a special offer, is it too good to be true?
If any of the above is true, chances are it is a smishing attack. So you are best off reading the next section…
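The checklist above can be expressed as a simple triage routine that reports which indicators a message matches. This is an added example, not part of the original article: the function names, keyword lists, and sample messages are assumptions constructed for illustration, and it also flags the urgency cue described in the previous section.

```python
import re

# Keyword lists are illustrative assumptions; tune them for your own message traffic.
URL_RE = re.compile(
    r"(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}/\S*", re.I)
CHECKS = {
    "asks_for_personal_info": re.compile(
        r"\b(password|passcode|pin|social security|ssn|id card|card number|cvv)\b", re.I),
    "urgency": re.compile(
        r"\b(immediately|urgent(ly)?|within \d+ (hours?|minutes?)|locked|suspended|expires?)\b",
        re.I),
    "paid_or_prize_offer": re.compile(
        r"\b(you (have )?won|prize|special price|claim your|financial aid)\b", re.I),
}

def triage_sms(sender, body, known_senders=frozenset()):
    """Return the sorted list of checklist indicators that an SMS matches."""
    hits = [name for name, rx in CHECKS.items() if rx.search(body)]
    if URL_RE.search(body):
        hits.append("contains_link")
    if sender not in known_senders:
        # Supporting context only: a new sender is not suspicious on its own.
        hits.append("unknown_sender")
    return sorted(hits)

def verdict(hits):
    """Any content indicator means: verify with the organization before acting."""
    return "suspect" if set(hits) - {"unknown_sender"} else "no indicators"

# Constructed sample messages (not real traffic).
SAMPLES = [
    ("+15550100", "Your bank account is locked. Verify your password immediately "
                  "at http://example.test/login"),
    ("+15550101", "You have won a prize! Claim your reward at www.example.test/win"),
    ("Mom", "Running late, see you at 7"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        hits = triage_sms(sender, body, known_senders={"Mom"})
        print(f"{sender}: {verdict(hits)} {hits}")
```

Keyword matching like this only surfaces messages worth a second look; the verification steps in the next section still decide whether a message is genuine.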
How can you prevent smishing?
Here’s what you should do if you are not sure if the message is legitimate or not:
- Contact the organization that supposedly sent the text. Check their website for the official phone number or email to contact them directly. If you can, make a phone call.
- Do not provide any personal or financial information via SMS or through the website linked in the message — even if it looks legit. You should also refrain from clicking on the URL, as that could also trigger malware installation — or at least tell the attacker that you saw the message. And don’t reply to the message as that too signals an active number that can (and will) be used for other scams.
Another option is blocking junk calls with an app, which you may get from your phone carrier or from your phone’s app store.
At the end of the day, you should use your brain to determine whether the text you got is real or not. As we’ve said before, if something is too good to be true or too urgent, chances are you can skip it. Or make a phone call just to be sure. It’s actually easier than you think. Good luck. 😉