Smishing, also known as SMS phishing, is a phishing attack carried out over mobile text messaging.
Like other variants of phishing, it deceives victims into giving sensitive information to a disguised attacker. SMS phishing can be assisted by malware or fraudulent websites. It occurs on many mobile text messaging platforms, including non-SMS channels such as data-based mobile messaging apps.
As the definition of smishing suggests, the term combines "SMS" (short message services, better known as texting) and "phishing." To further define smishing, it is categorized as a type of social engineering attack that relies on exploiting human trust rather than technical exploits.
When cybercriminals "phish," they send fraudulent emails that seek to trick the recipient into clicking on a malicious link. Smishing simply uses text messages instead of email.
In essence, these cybercriminals are out to steal your personal data, which they can then use to commit fraud or other cybercrimes. Typically, this includes stealing money — usually yours, but sometimes also your company’s money.
Cybercriminals often use one of two methods to steal this data:
Smishing text messages often purport to be from your bank, asking for personal or financial information such as your account or ATM number. Providing that information is equivalent to handing thieves the keys to your bank balance.
As more and more people use their personal smartphones for work (a trend called BYOD, or "bring your own device"), smishing is becoming a business threat as well as a consumer threat. So, it should come as no surprise that smishing has become the leading form of malicious text messages.
Cybercrime aimed at mobile devices is rising, just as mobile device usage is. Aside from texting being the most common use of smartphones, a few other factors make this a particularly insidious security threat. To explain, let’s unpack how smishing attacks work.
Deception and fraud are the core components of any SMS phishing attack. As the attacker assumes an identity that you might trust, you are more likely to succumb to their requests.
Social engineering principles allow smishing attackers to manipulate a victim’s decision-making. The driving factors of this deception are three-fold:
Using these methods, attackers write messages that will get a recipient to take action.
Typically, attackers want the recipient to open a URL link within the text message, where they then are led to a phishing tool prompting them to disclose their private information. This phishing tool often comes in the form of a website or app that also poses under a false identity.
Targets are selected in many ways but usually are based on their affiliation to an organization or a regional location. Employees or customers of a specific institution, mobile network subscribers, university students, and even residents of a given area can be targets.
An attacker’s disguise is usually related to the institution they wish to gain access to. However, it can just as easily be any mask that will help them acquire your identity or financial information.
Using a method known as spoofing, an attacker can hide their true phone number behind a decoy. Smishing attackers may also use “burner phones” — cheap, disposable prepaid phones — to further mask the origin of the attack. Attackers are known to use email-to-text services as another means of hiding their numbers.
Step by step, an attacker will carry out their attack in a few key phases:
An attacker’s smishing scheme is successful once they’ve used your private information to commit the theft they aimed for. This goal could include but is not limited to directly stealing from a bank account, committing identity fraud to illegally open credit cards, or leaking private corporate data.
As stated earlier, smishing attacks are delivered through both traditional text messaging and non-SMS messaging apps. However, SMS phishing attacks primarily spread uninterrupted and unnoticed due to their deceptive nature.
Smishing deception is enhanced due to users having false confidence in text message safety.
Firstly, most people know about the risks of email fraud. You’ve probably learned to be suspicious of generic emails that say "Hi—check out this link." The absence of an authentic personal message tends to be a substantial red flag for email scams.
When people are on their phones, they are less wary. Many assume that their smartphones are more secure than computers. But smartphone security has limitations and cannot always directly protect against smishing.
Regardless of the means being used, these schemes ultimately require very little beyond your trust and a lapse in judgment to succeed. As a result, smishing can attack any mobile device with text messaging capabilities.
While Android devices are the market majority platform and an ideal target for malware text messages, iOS devices are equal opportunity targets. Apple’s iOS mobile technology has a good reputation for security, but no mobile operating system can by itself protect you from phishing-style attacks. A false sense of security can leave users especially vulnerable, regardless of platform.
Another risk factor is that you use your smartphone on the go, often when you’re distracted or in a hurry. This means you’re more likely to get caught with your guard down and respond without thinking when you receive a message asking for bank information or to redeem a coupon.
Each smishing attack uses similar methods, while the presentation may vary significantly. Attackers can use a wide variety of identities and premises to keep these SMS attacks fresh.
Unfortunately, a comprehensive list of smishing types is nearly impossible to compile, because these attacks are endlessly reinvented. Using a few established scam premises, we can identify characteristics that help you spot a smishing attack before you become a victim.
Here are some common premises of smishing attacks:
COVID-19 smishing scams are based on legitimate aid programs designed by government, healthcare, and financial organizations for recovery from the COVID-19 pandemic.
Attackers have used these schemes to exploit victims’ health and financial fears in order to commit fraud. Warning signs can include:
Financial services smishing attacks are masked as notifications from financial institutions. Nearly everyone uses banking and credit card services, making them susceptible to both generic and institution-specific messages. Loans and investing are also common premises in this category.
An attacker poses as a bank or other financial institution for an ideal disguise to commit financial fraud. Features of a financial services smishing scam may include an urgent request to unlock your account, being asked to verify suspicious account activity, and more.
Gift smishing suggests the promise of free services or products, often from a reputable retailer or other company. These can be giveaway contests, shopping rewards, or any number of other free offers. When an attacker elevates your excitement by proposing the idea of “free,” this serves as a logic override to get you to take action faster. Signs of this attack can include limited time offers or exclusive selection for a free gift card.
Confirmation smishing involves a false confirmation of a recent purchase or billing invoice for a service. A link may be provided for a follow-up to manipulate your curiosity or prompt immediate action to trigger fear of unwanted charges. Evidence of this scam may involve strings of order confirmation texts or the absence of a business name.
Customer support smishing attackers pose as a trusted company’s support representative to help you resolve an issue. High-use tech and e-commerce companies like Apple, Google, and Amazon are effective disguises for attackers in this premise.
Typically, an attacker will claim there is an error with your account and give you steps to resolve it. The request can be as simple as using a fraudulent login page, while more complex schemes may ask you to provide a real account recovery code in an attempt to reset your password. Warnings of a support-based smishing scheme include an issue with billing, account access, unusual activity, or resolving your recent customer complaint.
With SMS being available to nearly everyone with a mobile phone, smishing attacks have been known to occur globally. Here are some smishing attack examples to be aware of.
In September 2020, a smishing campaign surfaced to bait people into providing credit card info for a free iPhone 12.
The scheme uses an order confirmation premise, in which the text message claims a package delivery has been sent to an incorrect address. The in-text URL link sends targets to a phishing tool posing as an Apple chatbot. The tool guides the victim through a process to claim their free iPhone 12 as part of an early access trial program but inevitably asks for credit card info to cover a small shipping fee.
In September 2020, reports of a false USPS and FedEx package delivery SMS scam began circulating. This smishing attack may attempt to steal your account credentials for various services or your credit card information.
The messages led with a claim of a missed or incorrect package delivery and provided a link to a website phishing tool pretending to be a FedEx or USPS giveaway survey. While the premise of these phishing sites may vary, many have been identified as attempting to gather account logins for services like Google.
In April 2020, the Better Business Bureau noted a rise in reports of U.S. government impersonators sending text messages asking people to take a mandatory COVID-19 test via a linked website.
Of course, many have instantly spotted this scam since there is no online test for COVID-19. However, the premise of these smishing attacks may easily evolve as preying on pandemic fears is an effective method of victimizing the public.
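The warning signs listed for the common premises above (urgency, requests for credentials, "free" lures, and links that do not belong to the brand the message names, as in the Apple and FedEx/USPS campaigns) can be turned into a simple triage heuristic. The following is an added example written for this page, not code from the original article or from any of the named companies; the brand-to-domain mapping, the keyword lists, the scoring threshold and the sample messages are all constructed assumptions for illustration.

```python
import re

# Brands the article names as common disguises, paired with the domains assumed here
# to be their legitimate ones. This mapping is an assumption for the example, not a
# statement from the page.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "apple": {"apple.com"},
    "amazon": {"amazon.com"},
    "google": {"google.com"},
}

# Phrase lists mirroring the article's warning signs (constructed, deliberately short).
URGENCY = ["immediately", "urgent", "within 24 hours", "suspended", "locked", "act now", "limited time"]
CREDENTIAL = ["password", "pin", "account number", "recovery code", "card number", "ssn"]
LURE = ["free", "gift card", "prize", "reward", "you have won"]

# Matches http(s) URLs as well as bare domains such as usps-track.co/abc.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def _matching_phrases(text, phrases):
    """Return the phrases that occur in text as whole words."""
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]


def registrable_domain(url):
    """Return the last two labels of the URL's host, e.g. 'usps-track.co'."""
    host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()
    return ".".join(host.split(".")[-2:])


def score_message(text):
    """Return (score, reasons) for one SMS; each reason is one smishing indicator."""
    lower = text.lower()
    reasons = []
    brands = [b for b in BRAND_DOMAINS if re.search(r"\b" + b + r"\b", lower)]
    for url in URL_RE.findall(text):
        domain = registrable_domain(url)
        if brands and all(domain not in BRAND_DOMAINS[b] for b in brands):
            reasons.append(f"link {domain} does not belong to named brand {', '.join(brands)}")
        elif not brands:
            reasons.append(f"link to {domain}")
    for label, phrases in (("urgency", URGENCY), ("credential request", CREDENTIAL), ("free-offer lure", LURE)):
        hits = _matching_phrases(lower, phrases)
        if hits:
            reasons.append(f"{label}: {', '.join(hits)}")
    return len(reasons), reasons


def is_suspicious(text, threshold=2):
    """Flag a message when it shows at least `threshold` independent indicators."""
    return score_message(text)[0] >= threshold


# Constructed sample messages: three modelled on the premises described in the
# article and two benign ones that should not be flagged.
SAMPLES = [
    "USPS: Your package could not be delivered due to an incomplete address. "
    "Confirm within 24 hours: http://usps-redelivery-track.co/id/8831",
    "Congratulations! You have been selected for a free iPhone 12. "
    "Claim it now, limited time: http://apple-giveaway.top/claim",
    "Your account has been locked. Verify your PIN immediately at http://secure-verify-login.net",
    "Reminder: your dentist appointment is tomorrow at 10:30. Reply C to confirm or call the office.",
    "FedEx: your shipment 7712 is out for delivery. Track it at https://www.fedex.com/track/7712",
]


def triage(messages):
    """Score every message and return a list of (score, flagged, reasons)."""
    results = []
    for msg in messages:
        score, reasons = score_message(msg)
        results.append((score, score >= 2, reasons))
    return results


if __name__ == "__main__":
    for msg, (score, flagged, reasons) in zip(SAMPLES, triage(SAMPLES)):
        print(f"[{'FLAG' if flagged else ' ok '}] score={score} {msg[:60]}...")
        for r in reasons:
            print("       -", r)
```

The brand check is the most useful part: a message that names FedEx but links to a domain outside fedex.com is flagged regardless of wording, which is the pattern of the package-delivery and iPhone campaigns described above. A single indicator (one link, one urgent word) is not enough on its own, which keeps a legitimate delivery notification with a real tracking link from being flagged.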
The good news is that the potential ramifications of these attacks are easy to protect against. You can keep yourself safe by doing nothing at all. In essence, the attacks can only do damage if you take the bait.
That said, be mindful that text messaging is a legitimate means for many retailers and institutions to reach you. Not all messages should be ignored, but you should act safely regardless.
There are a few things to keep in mind that will help you protect yourself against these attacks.
Remember that, like email phishing, smishing is a crime of trickery — it depends on fooling the victim into cooperating by clicking a link or providing information. The simplest protection against these attacks is to do nothing at all. If you don’t respond, a malicious text cannot do anything.
Smishing attacks are cunning and may have already victimized you, so you’ll need to have a recovery plan in place.
Take these important actions to limit the damage of a successful smishing attempt:
Each of these steps has a substantial weight for your protection after a smishing attack. However, reporting an attack not only helps you recover, but keeps others from falling victim as well.