Smishing is a type of phishing attack that’s conducted using text message services.
These types of scams can target people in their personal and professional lives. Attackers can imitate friends, strangers and organisations, but they can also appear as colleagues and service providers.
Indeed, with the rise in remote working and the reliance on mobile devices and instant messaging clients to stay in touch, work-based smishing has become a major threat.
According to Proofpoint’s 2022 State of the Phish Report, employees at 74% of organisations were sent fraudulent text messages in the previous year.
How smishing works
Smishing uses many of the same techniques as standard email phishing. Cyber criminals masquerade as a legitimate source, and attempt to trick the victim into handing over sensitive information or downloading malware.
The attack vector was popularised alongside the rise of the smartphone, which gave attackers another place where people can be contacted and directed towards a website that could instruct them to hand over their login credentials or download a file.
As with all forms of phishing, smishing scams target:
- Login credentials for email accounts, social media, online banking or other high-value targets;
- Personal information that can be sold on the dark web or used to commit fraud;
- Financial data that can be used to make bogus payments.
Smishing takes its name from SMS (short message service), more commonly known as text message. Because the scammers are contacting you via a phone number, they avoid many of the pitfalls associated with standard phishing.
For instance, they don’t need to faithfully imitate an email address and the format of the message – nor do they need to replicate the writing style of the person or organisation they are pretending to be.
They can instead follow organisations’ practices of purchasing a default phone number – often only four or five digits – to send text messages in bulk. Moreover, the content of these messages, from both legitimate and bogus senders, is typically short and to the point.
This message will usually contain a link to a website – which is often the most hazardous part. To save space, organisations deploy URL shorteners, such as TinyURL, which replace the standard ‘www.[…].com’ domain with an abridged alternative.
It means that users don’t know exactly where the domain will take them when they follow the link. This is acceptable if you know that the message comes from a trusted source, but this isn’t necessarily the case with an unsolicited text message.
As such, scammers needn’t bother creating a URL that replicates their target, or using much-discussed techniques such as replacing a lowercase ‘l’ with the numeral ‘1’ in, for instance, ‘paypa1.com’.
They can instead hide the URL of their bogus site behind a shortened URL. Victims therefore won’t see the true destination until they follow the link and arrive on the site.
How to identify smishing attempts
Smishing attacks can take countless forms. As with all forms of phishing – and social engineering techniques in general – scammers rely on pretexts to launch their attacks.
A pretext is the reason that they are contacting you. The scammer will try to gain your trust by claiming to be a figure of authority, such as the government or a well-known organisation.
Pretexts can come in various forms, but like all types of phishing attacks, there are a few things you can do to identify scams and avoid falling victim.
Here are a few tips to help you get started:
- Avoid using links or contact information in the message. The goal of smishing is to redirect you to a malicious website, so the best way to stay safe is to avoid any link contained within unsolicited messages. You should instead identify the sender and contact them manually – either by visiting their website or phoning them.
- Do not respond. Text messages often give users the option to unsubscribe from communications by responding ‘STOP’. Although you might think there is little risk with this, scammers often use responses to identify active phone numbers. It might even encourage them to pursue an attack, because they know you engage with messages.
- Take your time. Scammers often try to panic people by using emotive language such as ‘urgent’. They want you to act now before you have second thoughts or see through their scam. However, it won’t hurt to take a few moments to read over the message again or ask someone whether the message seems genuine.
- Download anti-malware software for your phone. Even if you don’t hand over sensitive information, scammers might plant malware on your phone that tracks information as it’s entered. This can give them access to your sensitive information, and it’s why you should install malware protection.
- Report anything suspicious. If you receive a suspicious message, you should report it to appropriate authorities. Many countries have national fraud prevention centres, and they will work with law enforcement to shut down scammers.
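For teams that triage reported texts, the warning signs described above (shortened links, digit-for-letter lookalike domains such as ‘paypa1.com’, urgent wording and prompts to reply ‘STOP’) can be checked automatically. The following is an added example, not part of the original article; the shortener, brand and keyword lists and the sample messages are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed, illustrative lists: tune them for your own organisation.
SHORTENERS = ("tinyurl.com", "bit.ly", "t.co", "is.gd")
BRANDS = ("paypal", "amazon", "netflix")
URGENCY = ("urgent", "immediately", "suspended")
# Digit-for-letter swaps, e.g. the '1' standing in for 'l' in 'paypa1.com'.
SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def hosts_in(text):
    """Return the lowercased host of every link found in an SMS body."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if "://" not in url:
            url = "http://" + url  # urlparse needs a scheme to find the host
        host = (urlparse(url).hostname or "").lower()
        hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts

def triage(text):
    """Return the list of warning flags raised by one message."""
    flags, lowered = [], text.lower()
    for host in hosts_in(text):
        if host in SHORTENERS:
            flags.append("shortened-url:" + host)  # true destination is hidden
        for label in host.split("."):
            fixed = label.translate(SWAPS)
            if fixed != label and fixed in BRANDS:
                flags.append("lookalike-domain:" + host)
    flags += ["urgency:" + w for w in URGENCY if w in lowered]
    if re.search(r"\b(?:reply|text)\s+stop\b", lowered):
        flags.append("reply-prompt")  # replying confirms the number is live
    return flags

# Constructed sample messages, not real traffic.
SAMPLES = [
    "URGENT: your parcel is on hold. Pay the fee at https://tinyurl.com/abc123",
    "PayPal: unusual sign-in. Verify at paypa1.com/login or reply STOP to opt out",
    "Running 10 mins late, see you at the office",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms) or ["no flags"], "<-", sms)
```

A flag is a reason to look more closely, not a verdict: legitimate senders also use shortened links, so flagged messages should still be verified with the sender through a separately sourced contact route.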
How to prevent smishing
The best way to combat smishing attacks, as is the case with all types of fraud, is to understand how they work. The more you understand about these schemes, the more likely it is that you will be able to spot them and respond appropriately.
You can help educate your employees and bolster your organisation’s defences with our Phishing Staff Awareness Training Programme.
This 45-minute course was developed by experts and uses real-life examples that bring to life the threat of phishing and the techniques that cyber criminals use.
Thanks to our interactive learning and online assessment tools, you can be sure that staff engage with and understand what’s required of them to protect their sensitive information and avoid data breaches.