Smishing
“Hey, how are you?! It’s been too long!”
This was a recent text message I received, ostensibly from an old friend. It came from a U.S. number, and it seemed plausible that it was someone whose number I had lost through the years of getting new phones. But why didn’t they use my name? Or their own name? Or provide any more detail in their text?
Because threat actors use texts like these to start a conversation. All they hope to receive is a reply, so they can start a relationship with their target and activate their scam. These types of messages are often random; however, they can also be targeted based on information discovered online. SMS phishing, or smishing, can take many forms, but the unfortunate ending for too many victims is theft, fraud, or unauthorized access to personal or proprietary information.
So what is smishing exactly, where did the name come from, and how can I protect myself against it?
Smishing is when a threat actor sends a text message to trick an individual into giving up information such as credit card numbers or bank account information, or to deploy malware. Sometimes threat actors use company names, such as Netflix and Amazon, or the names of other service providers such as the IRS or USPS. In other cases, threat actors take a more personal approach and use publicly available information in a targeted attack to gain the victim’s trust.
In a typical attack, the threat actor tells the victim about a fake issue, such as an account that needs to be confirmed or a delivery that cannot be made without updated information, and provides a link to address the issue. When the victim clicks the link, it takes them to a landing page on a server controlled by the threat actor. Once the victim is there, the page may request login credentials or deploy malware to the phone, allowing the threat actor to access personal information on the device.
In April 2022, around 378,500,000 smishing texts were sent per day. Scammers have turned to smishing because, unlike with email, individuals tend to trust text messages.
Here are some tips to protect yourself from these types of scams:
Slow down: Take a detailed look at the message, including checking for spelling or grammatical errors. Does the message make sense? Do you have an account with the service mentioned, or are you actually expecting a delivery?
Do not open links: If you get a text from an unknown number that requests information from you or requests immediate action, DO NOT open any link or respond to the text message. You can also report the message as junk and delete it from your messages to avoid accidentally opening a link later.
Double check directly with the service: If the message seems to be from a service you do have an account with, contact the service directly using the customer service phone number on their website.
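For teams that triage reported texts, the warning signs above can be encoded as a simple checklist. The following is an added example, not part of the original article: the brand-to-domain table, the keyword list, and the sample messages are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Brands the article names as commonly impersonated, mapped to their real
# domains. Assumption: this small table is illustrative, not exhaustive.
BRAND_DOMAINS = {"netflix": "netflix.com", "amazon": "amazon.com",
                 "irs": "irs.gov", "usps": "usps.com"}
# Assumption: a few phrases typical of the "fake issue" described above.
ACTION = re.compile(r"\b(confirm|verify|update|suspended|immediately|"
                    r"cannot be delivered)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)

def host_matches(host, domain):
    """True if host is the brand's domain or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def triage(sender_known, text):
    """Return the reasons a text message deserves caution (empty if none)."""
    reasons = []
    hosts = [(urlparse(u).hostname or "").lower() for u in URL.findall(text)]
    if not sender_known:
        reasons.append("unknown sender")
        if hosts:
            reasons.append("link from unknown sender")
    if ACTION.search(text):
        reasons.append("requests action on an account or delivery")
    for brand, domain in BRAND_DOMAINS.items():
        # A brand name in the text with a link to some other host is the
        # impersonation pattern the article describes.
        if re.search(rf"\b{brand}\b", text, re.I) and any(
                not host_matches(h, domain) for h in hosts):
            reasons.append(f"mentions {brand} but links elsewhere")
    return reasons

# Constructed sample messages: (sender already in contacts?, message text).
SAMPLES = [
    (False, "Hey, how are you?! It's been too long!"),
    (False, "USPS: your package cannot be delivered. Update your address: "
            "http://usps-redelivery.example/track"),
    (True, "Your Netflix receipt: https://www.netflix.com/account"),
]

if __name__ == "__main__":
    for known, msg in SAMPLES:
        print(triage(known, msg) or ["no warning signs"], "<-", msg)
```

A clean result only means none of these particular signs were present; the first sample shows that a conversation-starter text trips nothing except the unknown sender.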
Need more help or wondering what your personal or corporate vulnerability is? Shoot us a message through the contact form!