The term smishing, also known as “SMS phishing”, originates from two words: “SMS” (short message service) and “phishing”. The brief smishing definition is, “smishing is a type of phishing that operates using social engineering and is carried out via fake text messages.”
Generally, cybercriminals use fake text messages containing malicious links in smishing scams; when clicked, such a link may lead to a fake website or download malware. Once a victim clicks the bogus link, they land on a fake URL where they are pressured to reveal their personal information.
The phishers send a text message to their target while posing as an agent of a trustworthy source such as a bank, utility company, or government agency, in order to obtain the victim’s sensitive data, such as credit card numbers, passwords, and Social Security numbers.
Smishing scams that use social engineering can be a powerful attack because cybercriminals include the target’s name and address in the text message, which makes them appear to be a trustworthy source, and because scammers use text messages on mobile phones to exploit a sense of urgency, fear, or sympathy to extract valuable information. Furthermore, while most people are aware of the risk of clicking a fake link in a phishing email, fewer are aware of the danger of clicking a link in a fake text message. That makes smishing an easier way for scammers to hook a potential target.
Smishing vs Vishing
What is smishing?
Smishing (SMS phishing) is a phishing attack in which scammers use fake text messages containing malicious links that may lead the target to fake URLs or to downloading harmful software, in order to gain access to sensitive information.
What is Vishing?
Vishing (voice phishing) is also a type of phishing attack; it uses phone calls or voice messages to lure potential victims into giving up private data, such as credit card numbers, bank account details, and login passwords.
How smishing scams work
Target Selection: Cybercriminals select their potential targets, often randomly or based on the target’s valuable data.
Message crafting: The attackers design a fake text message creating a sense of urgency, fear, or sympathy to get a quick response.
Message Transfer: The scammers deliver the fake message to their chosen target via SMS (short message service), using spoofing tools to disguise the sender’s identity so the message appears to come from a legitimate source.
Action Request: The target is requested to click the link in the text message or to call the provided number. That instant action may lead the target to the fake website developed to steal the sensitive data.
Data Collection: When the target clicks the phishing link and interacts with the phisher once, the phisher can access private information, such as banking or other login details.
Examples of Smishing Scams
It’s important to know the common examples of smishing attacks, as this helps in identifying and avoiding these types of scams. We discuss the most common examples of smishing scams below.
Pretending to be a trusted organization
The attackers send text messages to victims while pretending to be agents of trustworthy organizations such as police departments, the IRS (Internal Revenue Service), or other official government agencies. The fake text messages create a sense of fear in the victims, such as the threat of arrest or financial loss, unless they call the provided phone number or click the malicious link. When the victims call or click the link, they are scammed into sharing sensitive information.
The following image illustrates this example of a smishing attack:
[Image: smishing message impersonating a government agency. Source: Proofpoint]
Note: Police departments and government agencies never ask for private information via text or phone.
Pretending to be a Shipping Company
The scammers deliver fake text messages to their target while posing as a shipping company, such as FedEx, UPS, or the US Postal Service. The scammers inform the target that there is an issue with delivering their package, and the victim is asked to open the provided link to pay a delivery fee or log in to their account to resolve the problem. When the victims click the malicious link, they are directed to fake URLs and scammed into sending money or login details.
An example of this kind of smishing scam is shown below:
[Image: smishing message impersonating a shipping company. Source: Proofpoint]
Pretending to be a Well-known Brand
The phishers send smishing messages to their selected target using a brand name such as Amazon. The victims are asked to open the provided link, lured by the promise of a prize or reward. When the victims click the link, they reach a fake URL or a malware download, as in the following example.
[Image: smishing message impersonating a brand. Source: Proofpoint]
How to Prevent Smishing Scams
- Never click a suspicious link, and delete messages containing such links from your device.
- Don’t respond to unknown numbers asking for quick action.
- Always verify unexpected messages by contacting the organization through its official phone numbers or email addresses.
- Report suspicious numbers to relevant agencies such as the Federal Trade Commission (FTC).
- Use 2FA (two-factor authentication) for your accounts, and set strong login passwords.
- Install antivirus and malware protection software on your devices.
Note: Security awareness training may prove an effective way to avoid smishing scams.
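The warning signs described in this article (urgency or threats, a link or callback number, and a brand or agency name that does not match the link’s real domain) can be turned into a simple triage check. The Python below is an added example written for this page, not code from the article or from Proofpoint; the brand-to-domain allow-list, the keyword list and the sample messages are all constructed for illustration, and the registrable-domain helper is deliberately naive (it keeps the last two labels only).

```python
import re
from urllib.parse import urlsplit

# Phrases that create urgency, fear or sympathy (constructed list for the example).
URGENCY_PHRASES = (
    "immediately", "urgent", "within 24 hours", "final notice", "suspended",
    "arrest", "warrant", "act now", "verify your account",
)
# Hypothetical allow-list: brand keyword -> the registrable domain that brand really uses.
# A real deployment would maintain its own, vetted list.
BRAND_DOMAINS = {
    "usps": "usps.com", "fedex": "fedex.com", "ups": "ups.com",
    "amazon": "amazon.com", "irs": "irs.gov",
}
# Link shorteners hide the real destination, so they raise the score.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

URL_RE = re.compile(r"\bhttps?://\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S*", re.I)
PHONE_RE = re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")

# Constructed sample messages (not real SMS traffic); domains are placeholders.
SAMPLE_MESSAGES = [
    "USPS: Your package could not be delivered. Pay the $1.99 redelivery fee "
    "within 24 hours at http://usps-delivery-update.example-tracker.net/pay",
    "IRS NOTICE: A warrant has been issued for your arrest. Call 202-555-0100 "
    "immediately to resolve.",
    "Amazon: Your order has shipped. Track it at https://www.amazon.com/your-orders",
    "Hey, it's Sam. Running 10 min late, see you at 7!",
    "Your bank account has been suspended. Verify your account now: bit.ly/3xAbCdE",
]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' domain, e.g. 'a.b.example.net' -> 'example.net'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_urls(text: str) -> list:
    """Return every http(s) URL or bare domain-with-path found in the message."""
    return URL_RE.findall(text)


def score_sms(text: str) -> dict:
    """Score one SMS on the smishing signals the article describes."""
    lower = text.lower()
    score, reasons = 0, []

    for phrase in URGENCY_PHRASES:
        if phrase in lower:
            score += 1
            reasons.append(f"urgency: '{phrase}'")

    # Brand or agency names mentioned in the body, matched as whole words.
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", lower)]

    for url in extract_urls(text):
        host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
        domain = registrable_domain(host)
        if domain in URL_SHORTENERS:
            score += 2
            reasons.append(f"shortened link: {domain}")
        for brand in brands:
            # Strongest signal: the message names a brand but links elsewhere.
            if domain != BRAND_DOMAINS[brand]:
                score += 3
                reasons.append(f"brand '{brand}' named but link goes to {domain}")

    if PHONE_RE.search(text) and "call" in lower:
        score += 1
        reasons.append("unsolicited callback number")

    verdict = "high" if score >= 4 else "suspicious" if score >= 2 else "low"
    return {"score": score, "verdict": verdict, "reasons": reasons}


def triage(messages: list) -> list:
    """Score a batch of messages; useful for a quick look at a set of reports."""
    return [score_sms(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"[{result['verdict']:>10}] score={result['score']} :: {msg[:60]}")
        for reason in result["reasons"]:
            print(f"              - {reason}")
```

The brand/domain mismatch rule is what separates the first sample (USPS named, link on an unrelated domain) from the third (Amazon named, link on amazon.com); the urgency and callback-number rules cover the “call this number now” variant that carries no link at all. Heuristics like this are a triage aid for a help desk or an awareness program, not a substitute for the verification advice above.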