September 10, 2023

Smishing Attacks on the Rise: How to Stay Protected

Smishing is a rapidly growing threat to personal and financial security. Being aware of its dangers and how to protect yourself against such attacks is essential. But what exactly is smishing? We'll give you a clear smishing definition, provide real-world smishing examples, and offer tips and best practices in smishing protection. By raising awareness of social engineering hacking techniques such as smishing, we hope to reduce the harm caused by such attacks and promote a safer online environment for all.


Smishing definition: what is a smishing attack?

Smishing is a common type of phishing attack that uses SMS text messages to trick people into giving away sensitive information or private data. In order to give a full smishing definition we must also briefly explain what a phishing attack is. Phishing attacks are a form of social engineering, in which bad actors use psychological manipulation to trick people into willingly sharing information they would normally keep private. The term “smishing” comes from blending the two terms “phishing” and “SMS”.

A smishing message is usually disguised as coming from a trustworthy source, such as a bank or a well-known company. A common trait that defines smishing is how scammers rely on the authority that a brand or organization has, and use it to manipulate the recipient to do what they want. For example, when someone receives a message from their bank, the natural initial reaction is to comply.

Scammers use this authority to their advantage to gain access to sensitive information such as login credentials, financial information, or personal details.

How do smishing attacks work?

Smishing uses the three main social engineering principles to manipulate a recipient's behavior, and ultimately, their decision-making.

Trust: Posing as legitimate organizations, scammers lull their victims into a false sense of security. With their defenses lowered, a recipient is less likely to ask questions and much more likely to click a link or follow instructions within an SMS text.

Context: Relevancy is a key element of disguise for smishing scammers. Using a situation that is familiar or relevant to a victim's personal experience allows an attacker to override suspicion.

Emotion: Playing on a person's emotion is a huge part of smishing attacks. They often inject a sense of fear and urgency in order to override a person's critical thinking and in doing so hurry them into taking immediate action. The faster they do, the less time they have to notice anything that might be “off”.

Using these manipulation tactics, attackers send smishing messages that require the recipient to take action such as:

“Call this number”

Some smishing examples will provide a phone number that may be very close to the legitimate company's real customer service number. This number, however, will be controlled by the scammer who will pose as a customer service agent. They may ask for sensitive information under the pretense of verifying the customer's identity.

“Click the link”

Other smishing attacks will ask the recipient to click a link, usually a shortened URL. This may take the recipient to a fraudulent site that may closely resemble the legitimate but impersonated site. The recipient may then be prompted to divulge their personal details such as username, password, date of birth, or bank account details.

In other smishing examples with links, the link may not direct the recipient anywhere, but instead, download malware to their device. This malware could expose their personal data to scammers without the recipient's knowledge.
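The traits described above (a shortened or unfamiliar link, a callback number, urgency, and a request for private details) can be checked mechanically when triaging reported texts. The following is an added example, not code from the original article; the keyword lists, the shortener list, the function names and the sample messages are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Illustrative, non-exhaustive lists (assumptions; tune for real traffic).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URGENCY = re.compile(r"\b(urgent|immediately|blocked|suspended|act now|final notice)\b", re.I)
SENSITIVE = re.compile(
    r"\b(pin|password|card number|social security|date of birth|account number)\b", re.I)
URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"']+", re.I)
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d")

def extract_hosts(text):
    """Return the lower-cased hostname of every URL in the message."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")
        if not url.lower().startswith("http"):
            url = "http://" + url
        host = (urlparse(url).hostname or "").lower()
        hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts

def triage(text, trusted_hosts=frozenset()):
    """Return the set of smishing indicators present in one SMS body."""
    flags = set()
    for host in extract_hosts(text):
        if host in SHORTENERS:
            flags.add("shortened_url")       # real destination is hidden
        elif host not in trusted_hosts and not any(
                host.endswith("." + t) for t in trusted_hosts):
            flags.add("unverified_link")     # not a domain you looked up yourself
    if PHONE_RE.search(URL_RE.sub(" ", text)):
        flags.add("callback_number")         # the "Call this number" pattern
    if URGENCY.search(text):
        flags.add("urgency")                 # pressure to act fast
    if SENSITIVE.search(text):
        flags.add("asks_for_sensitive_data")
    return flags

# Constructed sample messages, not real captures.
SAMPLES = [
    "Your card has been blocked. Verify your PIN immediately at https://bit.ly/EXAMPLE",
    "Problem with your delivery. Call 1-800-555-0100 to reschedule.",
    "Your appointment is tomorrow at 10:30. See www.examplebank.test/branches",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(sorted(triage(sms, trusted_hosts={"examplebank.test"})), "<-", sms)
```

A flag is a reason to verify through an independently looked-up contact, not proof of fraud; legitimate senders also use short links and phone numbers.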

Real-world smishing examples

Smishing examples can take many different forms, but here are some of the most common smishing scams to hit in recent years.

Banking

In the summer of 2020, Bank of Ireland customers were targeted by a smishing attack. The text informed them that their bank card had been blocked and that to rectify the situation they had to follow the link in the message.

Those who did were taken to a spoofed site and asked to enter their bank card numbers and their four-digit card PIN. With that information, the scammers had everything they needed to gain access to their bank accounts and steal their money.

Delivery companies

Another common smishing example is a text from a delivery company such as the United States Postal Service, FedEx, or UPS. In these cases, the recipient may be told there is a problem with their order or delivery. If the recipient is waiting for a package, the chances of them clicking on a scam link are quite high.

Free gift smishing

Then there are the “nicer” smishing texts, such as those that targeted T-Mobile customers. They were informed that they were the lucky winner of a free gift. Instead of invoking the fear of something bad happening, these scams play on the fear of missing out on something cool, fun, or free.

Crisis smishing

Of course, bad actors don't always mimic well-known brands or companies in smishing attacks. There are plenty of smishing examples where scammers impersonate friends or family members that need help of some sort.

In the UK, scammers used the cost of living crisis as a backdrop to send similar “friends and family” smishing attacks. One 71-year-old sent £1,700 to the smishing criminal after responding to an emotional text message seemingly from his daughter asking for help to pay their bills.

Smishing linked to major events

As well as using the context of crisis situations, smishing scammers use other large social events to frame their attacks. Cybersecurity firm Proofpoint reported an 860% increase in smishing scams across North America during the Super Bowl's 2-week playoff period.

Image source: Proofpoint, Twitter

What are the consequences of falling for a smishing attack?

Falling for a smishing attack can result in a number of serious consequences, including:

Financial loss: Providing sensitive financial information, such as bank account numbers or credit card numbers, can allow bad actors to empty out your bank accounts or steal large sums of money from your accounts.

Identity theft: If you happen to share your Social Security number, date of birth, or address during a smishing attack, scammers can use this information to perform all sorts of identity theft. They can open new credit card accounts, apply for loans or benefits, or commit other crimes in your name.

Loss of privacy: Smishing attacks can often expose login credentials, personal details, emails, and text messages. Bad actors could invade your privacy, and expose sensitive information to others which could lead to reputational damage (see below).

Damage to your device: Smishing attacks that involve downloading malware onto your device can compromise its security and allow the attacker to gain access to sensitive information or use the device to attack others.

Reputational damage: If sensitive information ends up being exposed from a smishing attack, details could damage your reputation, professionally or personally, and negatively impact your relationships with others.

Who is most at risk of smishing attacks?

All of the smishing examples we've looked at so far are pretty indiscriminate. As per the definition of smishing, basically, anyone who uses a mobile phone can be a victim, no matter their age, race, gender, or location. That said, there are a few groups of people who may be more likely to respond to smishing messages and therefore more at risk.

Some common smishing targets include:

Elderly: Older adults who may not be quite so tech-savvy may be more likely to fall for smishing attacks. They also tend to be more trusting of authority figures and organizations and therefore, less likely to question a smishing text.

Financially vulnerable individuals: Smishing attacks that appear to be from financial institutions may be more likely to succeed when targeted at individuals who are struggling with debt or have limited financial resources.

Busy professionals: Busy professionals who are always on the go may accidentally respond to unsolicited text messages because they react quickly or do not pay attention to the sender's identity.

How can you protect against smishing attacks?

Unfortunately, there's nothing that you can do to stop receiving smishing messages. If a bad actor has your mobile number, that's all they need to send a smishing text. But there are certain things you can do to reduce the risk of falling for a scam and protect yourself from any smishing consequences.

Be vigilant: Be wary of any unsolicited text messages. If you receive an SMS from an unknown number or from a sender you're not expecting to hear from, be extra cautious, especially if there are any links included.

Verify the sender's identity: If you receive a message that appears to be from a financial institution or another trusted source, don't reply to the message or call the phone number provided. Instead, look up the official contact information for the organization and call them directly to verify the legitimacy of the message.

Don't share personal or financial information: Be particularly wary of any text message that asks you to share passwords, Social Security numbers, or bank account numbers. This information should only ever be provided directly to trusted sources and never in response to an unsolicited message.

Don't click on links: Smishing text messages often include malicious links that, when clicked, will either download malware onto your device or redirect you to a fake website. The fake website could be a trap to get your private details or another malware loading point.

Keep device software up to date: Regularly updating your device's operating system and security software can help protect against smishing attacks and other types of cyber threats.

What to do if you've become a victim of smishing?

If you're reading this article a little too late and you suspect that you may have already fallen for a smishing attack, then you should take immediate steps to secure your accounts and personal information.

  • Change your PINs and passwords: Make sure you use good password hygiene (at least 12 characters, a mix of lower and upper case, numbers, and symbols).
  • Report the incident to the appropriate authorities: If the smishing text impersonated a particular company, you can also report the incident to them so that they can inform other customers.
  • Freeze your credit: This will stop any bad actors from being able to open up accounts or apply for loans in your name. You can unfreeze and refreeze anytime you want.
  • Keep an eye on your accounts: You can alert your banks or any institutions you use that you have been a victim of smishing. They may be able to put extra monitoring on your account or additional security measures that will flag up any unusual activity.

Summing up smishing

Most of us are never far from our phones, with some of us spending hours on our devices every single day. Our increased reliance gives scammers a huge window of opportunity. Smishing is also a very simple attack vector that doesn't require a lot of technical skill or cash injection. This means that scammers don't need to be criminal masterminds to cause significant damage.

By knowing the definition of smishing (what it is and how it works) and following best practices for protecting yourself, you can reduce your risk of falling victim to smishing and enjoy a safer online experience.

Want to continue your education? Read more: Account Takeover Attacks: Detection and Prevention

Ruby M
Hoody Editorial Team

Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.
