What is Smishing? The 101 guide

stantokki

Smishing is a valuable tool in the scammer’s armoury. You’ve likely run into it, even if you didn’t know that is its name. It doesn’t arrive by email or social media direct message, instead choosing a route directly aimed at what may be your most personal device: the mobile phone. So, what is Smishing? We’re glad you asked.

Defining a Smish

Smishing is a combination of the words “phishing” and “SMS”, to indicate phishing sent across your mobile network in the form of a text. It’s often thought of as […], but it’s been […]. The pandemic, combined with a rise in home deliveries, has only increased its popularity still further.

What is a Smishing attack?

It’s a fake message sent to mobile devices, using social engineering to encourage the recipient to click a link. The difference between Smishing and Vishing is that Vishing uses fraudulent voice messages as opposed to text and links.

Common Smish attempts focus on everyday needs or requirements. Late payments, missed deliveries, bank notifications, fines, and urgent notices are prime vehicles for a smishing attack.

COVID-19 has ensured that bogus vaccination messaging is also a common Smishing technique.

Most smishing text messages attempt to direct victims to fake login screens, with the possibility of asking for payment details further on. They may use URL shortening services in an attempt to conceal overtly fake login links. Potential victims may have never seen a Smish before, and so assume anything sent via SMS is legitimate. It may also be more difficult to view the full URL on a mobile browser, which is to the phisher’s advantage.
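The traits described above (a link, a URL shortener hiding the destination, and an everyday lure such as a delivery fee or bank notice) can be turned into a simple triage check for reported messages. This is an added example, not part of the original article; the shortener list, keyword patterns, score weights and threshold are illustrative assumptions, and the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: a small, non-exhaustive list of well-known URL shorteners.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

# Lure themes named in the article; the keyword patterns are constructed.
LURE_PATTERNS = {
    "delivery": r"\b(parcel|package|deliver(y|ed|ies)|courier)\b",
    "payment": r"\b(payment|overdue|bill|fee|fine|refund)\b",
    "bank": r"\b(bank|account|card)\b",
    "vaccine": r"\b(vaccin\w*|covid)\b",
    "urgency": r"\b(urgent|immediately|final notice|suspended)\b",
}
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

def extract_hosts(text):
    """Return the lowercase hostname of every URL found in the message."""
    hosts = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;:!?)")            # drop sentence punctuation
        url = raw if "://" in raw else "http://" + raw
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:                     # malformed URL: skip it
            continue
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.append(host)
    return hosts

def triage_sms(text):
    """Score one SMS: link present (+2), shortener (+2), lure themes (+1 each, max 3)."""
    hosts = extract_hosts(text)
    shortened = [h for h in hosts if h in SHORTENER_HOSTS]
    lures = sorted(name for name, pat in LURE_PATTERNS.items()
                   if re.search(pat, text, re.IGNORECASE))
    score = (2 if hosts else 0) + (2 if shortened else 0) + min(len(lures), 3)
    # Assumption: a score of 4 or more is worth a human look before anyone taps the link.
    return {"hosts": hosts, "shortened": shortened, "lures": lures,
            "score": score, "review": score >= 4}

# Constructed sample messages (not real traffic; the links are never fetched).
SAMPLES = [
    "Your parcel is held at our depot. Pay the 1.99 delivery fee here: https://tinyurl.com/constructed-sample",
    "Running late, see you at 7",
    "URGENT: your bank account is suspended. Verify at www.secure-login.example/verify",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage_sms(msg))
```

A high score only means the message matches the pattern the article describes; confirming whether it is genuine still means contacting the organisation through a known, trusted channel.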

Smishing attack examples

Offering fake discounts on bills is a […]. The drawback here is that these messages aren’t typically targeted. As a result, large numbers of people without the relevant accounts will simply disregard the message. This isn’t necessarily a problem for the smisher, however. These messages are sent in bulk, and the scammer expects a small number of responses from casting a wide net. The combined ill-gotten gains from the people who do fall for it likely more than make up for the initial outlay.

Late / delayed parcels are a […]. If you wanted to define Smishing, this would be the current-day quintessential Smish attack. With so many people at home, and so many daily purchases made online, we’re awash with cardboard. It’s very difficult to keep track of everything coming into the house. Combining well-known delivery services with fake “delivery fee” notifications is a recipe for Smishing success.


In both examples, you can see the potential for success. Pinning these two attacks around what people can gain (or indeed, lose) gives them added credibility by playing on the hopes and fears of victims.

Can we stop these attacks?

The reality of this situation is, nobody can stop Smishing 100%. However, we can certainly take some steps to significantly reduce it:

  • If it sounds too good (or too bad) to be true, it probably is. Having said that, many Smish messages sound totally innocent and aren’t trying too hard to bribe or threaten. What we’re trying to say here is: don’t assume any message from a service or organisation is the real deal. If you’re being asked to do something, the very best thing you can do is contact them directly via a known method you trust. When it turns out to be a fake, you should be able to report it to them, there and then.
  • Those living somewhere with Do Not Call lists or spam reporting services should make full use of them. Report, report, report those bogus messages and numbers. Your mobile device may already have some form of “safe” message ID enabled without you knowing. It’s tricky to give specific advice here because of the sheer range of options available on different models of phone, but the Options / Safety / Security / Privacy menus are a good place to start.
  • Never click the links, and don’t enter personal information on the websites the Smisher sends you. Avoid replying to the scam SMS too. Best case scenario, it’s not a real number and your message bounces. Worst case, you’ve confirmed you exist and they add you to spam lists and / or start harassing you further. Report, block, and move on.

Anti-Smishing efforts

It’s not just phone owners doing their bit to tackle Smishing. Organisations have been taking steps to lock this threat down for some time now. Last year, the SMS SenderID Protection Registry gave companies the ability to register and protect message headers. We have Attorneys General […], and the sheer saturation by […] has made the issue go mainstream in the UK. We can only hope Smishing’s sudden rise to fame during the pandemic leads to an equally speedy demise.

For the time being, keep a watchful eye on those text messages and treat them with the same suspicion you’d give to a random missive in your email inbox.

