What is Smishing?

Smishing is one of the many types of phishing attacks, and it targets mobile devices. Rather than sending phishing messages via email, smishers deliver them by SMS or MMS text messages. Mobile device use has become more common in businesses because of bring your own device (BYOD) and remote work policies, so smishing is an increasing threat to enterprise cybersecurity.

How Do Smishing Attacks Work?

Phishing initially focused on email, as this used to be one of the most common methods of delivering phishing content in attempts to obtain personal or financial information or to commit identity theft. However, email is not the only way in which phishers can reach their targets.

Mobile device use has snowballed, and users of these devices have an “always-on” mentality that phishers leverage. Although a mobile device can access several communication channels (social media, text messages, email, etc.), text messages provide phishers with several benefits.

A text message can contain attachments or malicious links just like an email, enabling phishers to use the same methods as they do with phishing emails. However, from an attacker’s point of view, text messages have several advantages over email, such as their limited length and brands’ increasing use of SMS, which makes an unexpected text seem normal.

In SMS messages, link shortening services are commonly used, making it virtually impossible to see a link’s target. Mobile phones also don’t offer a way to hover over a link to display its destination. Together, these facts make phishing over SMS more effective and easier for an attacker.

Smishing Message Examples

Just like phishing attacks using email, a smishing attack uses several pretexts to convince the recipient to click on a link in the message. Some common ones include:

COVID-19: Phishing attacks commonly use current events as a pretext, and the COVID-19 pandemic has given cybercriminals countless opportunities. Smishing scams based on COVID-19 may request personal information for supposed “contact tracing”, or offer false public safety updates and stimulus checks through links that take users to a phishing site and get them to enter sensitive data.

Account Issues: Brands are starting to use text messages for customer service more frequently. Users have become accustomed to getting text messages regarding notifications or issues about their accounts. Smishers often send texts claiming that a problem exists and then give the recipient a fake link to steal their account credentials, personal details, or credit card details.

MFA Codes: SMS has become a widespread method for MFA (multi-factor authentication), and some smishing attacks are designed to steal those codes. The phisher may tell a victim that they have to verify their identity by giving the attacker the MFA code texted to them. The attacker triggers the code by attempting to log in as the user, and then obtains access to the account when the victim hands over the code.

Financial Services: Smishers also often pose as a financial institution and ask the victim to verify some account activity. If the target falls for it, the smisher attempts to steal account information, including login credentials, as part of the fake verification process.

Order Confirmation: Smishing messages may also contain confirmations of fake orders together with links to cancel or modify the order. When the recipient follows the link, it takes them to a phishing site that steals their login credentials.

The list above contains some of the most common pretexts used in smishing messages to obtain sensitive information. As the use of mobile devices grows with BYOD policies and remote work, these attacks are becoming increasingly sophisticated and common.
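As an added, constructed illustration that is not part of the original article, the following Python scores an incoming SMS on the indicators discussed above: any link, a shortened link whose destination cannot be inspected, and wording that matches the pretexts in the list. The shortener host list, the patterns, their weights and the sample messages are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Hosts of public link shorteners (assumed list, not from the article)
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "rb.gy"}

URL_RE = re.compile(r"https?://([^\s/]+)\S*", re.I)

# Pretext indicators derived from the lures listed in the article, each with a weight.
# The MFA pattern looks for a *request* for a code; a legitimate delivery of a code does not match.
PRETEXTS = {
    "mfa_code_request": (3, re.compile(r"\b(reply|send|provide|give|share)\b[^.]{0,40}\bcode\b", re.I)),
    "account_issue": (2, re.compile(r"\baccount\b.*\b(suspended|locked|problem|issue|unusual activity)\b", re.I)),
    "financial_verify": (2, re.compile(r"\b(bank|card|payment)\b.*\bverify\b", re.I)),
    "order_confirmation": (2, re.compile(r"\border\b.*\b(cancel|modify|confirm)", re.I)),
    "covid_lure": (2, re.compile(r"\b(covid|coronavirus|contact tracing|stimulus)\b", re.I)),
}

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

def score_sms(text: str) -> Verdict:
    """Score one SMS body; a higher score means more smishing indicators were found."""
    v = Verdict()
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        v.score += 1                      # any link in an SMS deserves a look
        v.reasons.append(f"link:{host}")
        if host in SHORTENER_HOSTS:       # destination hidden; cannot be inspected by the user
            v.score += 2
            v.reasons.append("shortened_link")
    for name, (weight, pattern) in PRETEXTS.items():
        if pattern.search(text):
            v.score += weight
            v.reasons.append(f"pretext:{name}")
    return v

def is_suspicious(text: str, threshold: int = 3) -> bool:
    return score_sms(text).score >= threshold

# Constructed sample messages for the demo (not real smishing texts)
SAMPLES = [
    "Your bank account has been locked due to unusual activity. Verify now: https://bit.ly/3xAmpL",
    "Reply with the verification code we just sent to confirm it is really you.",
    "Your order #10582 is on hold, click to cancel or modify: https://example-delivery.test/o/10582",
    "Reminder: dentist appointment tomorrow at 10am. Reply C to confirm.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        v = score_sms(s)
        print(f"{v.score:2d} {is_suspicious(s)!s:5} {v.reasons} <- {s[:50]}")
```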

Protecting Yourself from Smishing Attacks

As smishing attacks are simply phishing attacks carried out over a different medium, many of the same best practices apply. These include:

Don’t Provide Data: Smishing attacks aim to steal private information from potential victims under the guise of verifying their identities or some other pretext. Don’t give anyone personal data unless you initiated the call or text yourself using a number listed on the organization’s official website.

Don’t Click Links: Links in text messages are hard to verify because you cannot hover over them to reveal the target URL and they are often shortened. Go to the target site directly rather than clicking a potentially malicious link in a text message.

Don’t Share MFA Codes: MFA codes for online accounts are often sent via text message, and attackers often pose as the service that sent the code and ask for it. Never give your MFA code to anybody.

Only Install Apps from App Stores: A smishing scam may aim to trick the recipient into installing a malicious app on their mobile device. Only install apps from reputable app stores, and first verify their authenticity on the creator’s website.
