Smishing is a form of phishing in which an attacker uses a compelling text message to trick targeted recipients into clicking a link and sending the attacker private information or downloading malicious programs to a smartphone.
Most of the 3.5 billion smartphones in the world can receive text messages from any number in the world. Many users are already aware of the dangers of clicking a link in email messages. Fewer people are aware of the dangers of clicking links in text messages.
Users are much more trusting of text messages, so smishing is often lucrative to attackers phishing for credentials, banking information and private data.
How Smishing Works
Most smishing attacks work like email phishing. The attacker sends a message enticing the user to click a link or asks for a reply that contains the targeted user’s private data. The information an attacker wants can be anything, including:
- Online account credentials
- Private information that could be used in identity theft
- Financial data that can be used to sell on darknet markets or for online fraud
Smishers use a variety of ways to trick users into sending private information. They may use basic information about the target (such as name and address) from public online tools to fool the target into thinking the message is coming from a trusted source.
The smisher may use your name and location to address you directly. These details make the message more compelling. The message then displays a link pointing to an attacker-controlled server. The link may lead to a credential phishing site or malware designed to compromise the phone itself. The malware can then be used to snoop the user’s smartphone data or send sensitive data silently to an attacker-controlled server.
Social engineering is used in combination with smishing. The attacker might call the user asking for private information before sending a text message. The private information can then be used in the smisher’s text message attack. Several telecoms have tried to fight social engineering calls by displaying “Spam Risk” on a smartphone when a known scam number calls the user.
Malware is often stopped by basic Android and iOS security features. But even with robust security controls on mobile operating systems, no security controls can combat users who willingly send their data to an unknown number.
An Example of a Smishing Attack
Many attackers use automation to send several users their text messages using an email address to avoid detection. The phone number listed in caller ID is usually a number that points to an online VoIP service such as Google Voice, where you can’t look up the number’s location.
The following image displays a sample smishing attack. Here, the attacker poses as the IRS and threatens the recipient with arrest and financial ruin unless they call the number in the text. If the recipient calls, they get scammed into sending money.
A more common smishing attack uses brand names with links purported to be to the brand’s site. Usually, an attacker will tell the user that they’ve won money or provide a malicious link purported to be for tracking packages, as in the following example.
The language in the above message should be a warning sign for users familiar with the way smishing works. But many users trust SMS messages and aren’t thrown off by informal language.
Another warning sign is the URL: it does not point to an official FedEx URL. But not all users are familiar with official brand URLs and may ignore it.
Attackers use this type of message because someone is always waiting on a FedEx package. If the message is sent to thousands of recipients, it can trick many of them.
The link typically points to a site hosting malware or prompts the user to log in to their account. The authentication page is not on the official FedEx site, but it’s more difficult to see the full URL on a smartphone browser, and many users won’t bother checking.
Smishing attackers use a messages that a user might be expecting. Other lure victims with promises of prize money if they enter private information. The following image is another smishing attack using Amazon’s brand name:
Again, the language in the above attack should make recipients suspicious, but users trust informal conversations in text. The link in this message points to a .info site unrelated to Amazon web properties.
The domain has already been removed and no longer accessible. But chances are the link pointed to a page that attempts to collect private data, including credentials. The URL in these attacks usually redirects users to an attacker-controlled server where the phishing content displays.
How to Protect from Smishing Attacks
Like email phishing, protection from smishing depends on the targeted user’s ability to identify a smishing attack and ignore or report the message. If a phone number is often used in scams, the telecom might warn users who receive messages from a known scam number or drop the message altogether.
Smishing messages are dangerous only if the targeted user acts on it by clicking the link or sending the attacker private data.
Here are a few ways to detect smishing and to avoid becoming a victim:
- The message offers quick money either from winning prizes or collecting cash after entering information. Coupon code offerings are also popular.
- Financial institutions will never send a text asking for credentials or transfer of money. Do not ever send credit card numbers, ATM PINs, or banking information to someone in text messages.
- Avoid responding to a phone number that you don’t recognize.
- Messages received from a number with only a few digits probably came from an email address, which is a sign of spam.
- Banking information stored on the smartphone is a target for attackers. Avoid storing this information on a mobile device. Should an attacker install malware on the smartphone, this banking information could be compromised.
- Telecoms offer numbers to report attacks. To protect other users, send the message to your telecom’s number so that it can be investigated. The FCC also takes complaints and investigate text-message scams.