Smishing, Oh My!

You’ve probably heard of “phishing,” where cybercriminals fish for your personal information through email and social media. But have you heard of Smishing? Smishing is the combination of “SMS” (Short Message Service, better known as texting) and “phishing.” When cybercriminals smish, they send fraudulent text messages that seek to trick the recipient into opening a malware-laden attachment or clicking on a malicious link.

Just as mobile device usage is skyrocketing, cybercrime aimed at mobile devices is growing as well. Because SMS itself works cross-platform between Android and iPhone, users of both operating systems are at risk for Smishing.

So, what are these smishers after?  In a nutshell, like most cybercriminals, they are out to steal your personal data, which they can then use to steal money—usually yours, but sometimes also your company’s. Cybercriminals use two methods to steal this data. They might trick you into downloading malware that installs itself on your phone. This malware might masquerade as a legitimate app, tricking you into typing in confidential information and sending this data to the cybercriminals. On the other hand, the link in the Smishing message might take you to a fake site where you’re asked to type sensitive personal information that the cybercriminals can use to steal your online ID. As more and more people use their personal smartphones for work (a trend called BYOD, or “bring your own device”), Smishing is becoming a business threat as well as a consumer threat. It should come as no surprise that Smishing has become the leading form of malicious text message.

Some of the most common Smishing scams are as follows:

  1. COVID-19 Smishing Scams

Hackers try to use COVID-19 Smishing scams to take advantage of people affected by the coronavirus. They’ll typically pose as government or health care agencies to try and convince you to view newly released information or claim your financial aid.

  2. Financial Services Smishing Scams

Example: “Attention: Credit Card Fraud Alert! We need you to sign into your Visa Account to verify purchase made with your credit card. Follow to link to sign in m6cyx.info/lwJ0mrGk”

Financial services Smishing scams leverage the fact that almost everyone uses banks and credit card companies to manage their finances. These Smishing messages pose as legitimate and trustworthy banking institutions to get you to compromise sensitive data like Social Security numbers, addresses, phone numbers, passwords, and emails.

  3. Confirmation Smishing Scams

Confirmation Smishing scams use fake confirmation requests to get you to compromise sensitive information. This could be for an online order, an upcoming appointment, or a bill invoice for business owners. The message may contain a link directing you to a site that asks you to input login credentials or other sensitive data to verify your appointment or purchase.

  4. Customer Support Smishing Scam

Example: “Colin, we’ve detected an issue verifying your contact information. Click the link to sign into your account and verify your information: ns9rtl.info/mIB13fg/”

Customer support Smishing scams send texts posing as any company a person may trust, not just the banks or credit card companies used in financial services scams. They may pose as representatives from online businesses or retailers notifying you of an issue with your account. They’ll provide directions to solve the issue, which typically involve going to a fake site infected with spyware that records any information you type in.

  5. Gift Smishing Scams

These Smishing attacks advertise a fake contest giveaway you’ve won and try to get you to click on a malicious link to claim your prize. Once you continue to their site, malware could make its way onto your device and compromise your system and the information attached.

  6. Disaster Relief

After some type of national disaster, like the flooding in Kentucky or wildfires in California, cybercriminals will send a Smishing scam to pull at your heartstrings, asking you to give to help those who suffer. The link they send will take you to a site where you can input your credit card information. You donate and continue to donate until your card is maxed out or you end its usage, but the money doesn’t go to those who need it. It goes into the cybercriminals’ pockets. If you want to give in times of need, contact organizations like The American Red Cross or The Salvation Army.

Suspicious Phone Numbers

Smishing texts may come from phone numbers that don’t look normal at first glance. They may stray from the typical 10-digit layout (216-555-1234) and go with numbers like 2286 or 5555. If you see this type of number accompanied by a suspicious-looking message, don’t respond and delete the text immediately.

Protect Yourself

The good news is that the potential ramifications of these attacks are easy to protect against. In fact, you can keep yourself safe by doing nothing at all. The attack can only do damage if you take the bait. There are a few things to keep in mind that will help you protect yourself against these attacks.

  • You should regard urgent security alerts and you-must-act-now coupon redemptions, offers or deals as warning signs of a hacking attempt.
  • No financial institution or merchant will send you a text message asking you to update your account information or confirm your ATM card code. If you get a message that seems to be from your bank or a merchant you do business with, and it asks you to click on something in the message, it’s a fraud. Call your bank or merchant directly if you are in any doubt.
  • Never click a reply link or phone number in a message you’re not sure about.
  • Don’t store your credit card or banking information on your smartphone. If the information isn’t there, thieves can’t steal it even if they do slip malware onto your phone.
  • Refuse to take the bait—simply don’t respond.
  • Report all Smishing attacks to the FCC to try to protect others.
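
The warning signs above (a link, a request to sign in or verify account details, urgent or prize wording, and a sender that is not a typical 10-digit number) can also be checked mechanically, for example when triaging texts that users report. The Python below is an added example, not part of the original article; the word lists, the function names and the "link plus one other signal" rule are assumptions made for illustration.

```python
import re

# Signals drawn from the article's warning signs. The word lists are
# illustrative assumptions, not a vetted detection rule set.
URGENCY = re.compile(r"\b(attention|alert|urgent|act now|immediately|won|prize|claim)\b", re.I)
ACCOUNT_ASK = re.compile(
    r"\b(sign in(to)?|log ?in|verify|confirm|update)\b.*\b(account|information|card|password)\b",
    re.I | re.S)
LINK = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def sender_is_nonstandard(sender):
    """True when the sender is not a typical 10-digit number (e.g. 2286)."""
    digits = re.sub(r"\D", "", sender)
    if len(digits) == 11 and digits.startswith("1"):  # drop a leading country code 1
        digits = digits[1:]
    return len(digits) != 10

def triage(sender, body):
    """Return (suspicious, reasons). A link plus any other signal is flagged;
    an unusual sender on its own is not."""
    reasons = []
    if LINK.search(body):
        reasons.append("link")
    if ACCOUNT_ASK.search(body):
        reasons.append("asks to sign in or verify account details")
    if URGENCY.search(body):
        reasons.append("urgent or prize wording")
    if sender_is_nonstandard(sender):
        reasons.append("non-standard sender number")
    suspicious = "link" in reasons and len(reasons) >= 2
    return suspicious, reasons

# Message bodies 1 and 2 are the article's own examples; the senders and
# message 3 are constructed for illustration.
SAMPLES = [
    ("2286", "Attention: Credit Card Fraud Alert! We need you to sign into your Visa "
             "Account to verify purchase made with your credit card. Follow to link "
             "to sign in m6cyx.info/lwJ0mrGk"),
    ("216-555-1234", "Colin, we've detected an issue verifying your contact information. "
                     "Click the link to sign into your account and verify your "
                     "information: ns9rtl.info/mIB13fg/"),
    ("5555", "Your appointment is tomorrow at 3pm. Reply C to confirm."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage(sender, body))
```

Legitimate services also send texts from short numbers, which is why the sender check only adds weight to a message that already contains a link.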

Remember that, like email phishing, Smishing is a crime of trickery—it depends on fooling the victim into cooperating by clicking a link or providing information. Indeed, the simplest protection against these attacks is to do nothing at all. So long as you don’t respond, a malicious text cannot do anything. Ignore it and it will go away.
