Have you heard about Smishing and wondered what it is? Today I’m going to explain everything you need to know about this relatively new and growing security threat.
I’ll explain what Smishing is, how it works and what Smishers hope to gain. Then I’ll teach you how to spot a Smishing attempt and how to avoid it happening to you.
I won’t get too technical, just teach you how to be aware and stay safe online.
What Is Smishing?
The term Smishing is derived from the words SMS and Phishing. Smishing refers to a type of text messaging fraud in which mobile phone users are tricked into paying money, revealing personal information or giving mobile access to an unknown third-party.
These unwanted text messages are most commonly sent through mobile network operators’ SMS messaging service, or from a foreign mobile phone contacting the victim’s mobile device via a special gateway.
It’s a growing trend due to the nature of the technology which makes it easy for criminals to send thousands of text messages in a short amount of time from anywhere in the world.
By now most of us are familiar with Phishing attacks, where fraudsters used email to trick people into giving up personal information used in hacking attempts. Now we have several variations using different communication methods but the same overall objectives.
Vishing is another form of attack where they use voice calls to contact their victims. Smishing is the next variation using SMS text messages.
How Smishing Works
Smishing attacks are basically Phishing that use text messages instead of email to deliver the message. They follow the same basic approach as other types of email scams, so be on guard for them too!
The scammers use Smishing for different harmful outcomes listed below but the main process follows basic manipulation and trickery.
They can be widespread attacks covering large numbers of phone users or more targeted aimed at specific individuals.
The most common type involves sending SMS texts to imitate a legitimate company such as your Bank, Insurance company or social media platforms. They then try to trick you into visiting a link in the message.
Here the payoff could be as simple as infecting your device as the link downloads malware. Or the link could direct you to a fake website designed to capture login credentials or other personal information. Once they have this information they can access your compromised accounts.
Smishing attacks can come in several variations depending on the end goal of the scammers:
- Direct Smishing – using text messages to ask for personal information such as usernames and passwords that could be used in identity theft attempts. Often they will pretend to come from your Bank or Credit Card company and direct you to a fake site set up to collect your login and other personal details.
- Spam SMS attack – where victims receive unsolicited messages offering some form of reward such as a discount, lottery winnings or information on a new product. Some of these text messages also direct the victim to click on a link and visit an infected website (a “drive-by download” attack).
- Short Message Service (SMS) attacks – these messages promote a product, service or offer of some kind. These attacks might also contain short message service branding to give the scam more credibility.
- Malware – some text messages contain viruses and malware that are triggered by certain keywords within the message.
Smishing can in some cases lead to your phone being hacked – see my article on how your phone can be hacked by sending a text message. It will also be useful to read my guide on how to hack text messages – this will show you what is at stake here.
Smishers have become more sophisticated and are using a wide variety of attack methods. It is pretty scary stuff.
How to Spot Smishing
The best way to spot a Smishing attempt is following the same advice as Phishing and Vishing – don’t ever click on a link in an unsolicited message.
If you receive any suspicious text messages, delete them immediately. Don’t open any links or reply with personal information, even if the message appears to come from a legitimate source.
Legitimate companies will never ask for personal information via text message, email or social media messaging.
Smishing messages often have a mix of upper and lower case letters, rather than all upper case which is a common characteristic for phishing emails. Also they may include words in other languages or have poor grammar.
Does the message address you by name? Often they will be to Dear Sir or something random – another possible sign of a fake.
Some attempts can be easy to spot but unfortunately some are very convincing.
How to Avoid Smishing Scams
Here are some tips to help you avoid becoming a victim of Smishing scams:
- Remember, treat all unsolicited messages with a healthy amount of suspicion. If you receive a text message from an unknown sender it’s worth checking if it’s legitimate before replying or clicking any links.
- Never reply to SMS messages asking for personal information – delete them instead. Legitimate companies will not ask you to hand over your login details or other personal information via text message.
- Don’t click on any links in text messages you receive unsolicited – even if they appear to come from a legitimate source. Instead, open your browser and type the organization’s web address directly into the browser address bar (or look them up in an on-line phone directory).
- Never download files from a text message if you don’t know who sent them.
- You should also be aware that cyber criminals may use legitimate telecommunication companies such as T-Mobile, Vodafone and Verizon to send you text messages. Avoid replying or sharing any personal information with these services.
- Take care of your Cell Phone security. Keep your software updated and use a good antivirus app.
- Beware of fake 2FA or OTP Codes. Two Factor Authentication and One Time Passcodes can be hijacked by hackers. See that guide for more information. Don’t blindly trust any SMS text code.
If in doubt just Delete!
The main thing to remember with Smishing is that no reputable financial firms or companies will ever use text messages to ask for your personal information. If you receive a text message that contains any of the above, just delete it.
If you have any suspicions about what is being asked for, phone the company or service directly and ask if they are currently doing anything like this. Or call your phone company and ask for advice.
Remember Smishing is basically phishing but for text messages, so treat it accordingly!
Keeping your phone secure is an important step to stay safe from all online threats. Have a good look around this website, I have a whole section on Online Security covering a wide range of topics. Stay safe and good luck!