Smishing: What is SMS Smishing and How to Prevent It?

Lindsey LaMont

Feb 6, 2023 | 6 min read

Smishing is one of the most common types of cybersecurity attacks due to its simplicity and ease of execution. Below, we'll explore the meaning of this rising cyber threat, plus its risks, and how to protect yourself from smishing.

What is Smishing?

You've likely already heard about phishing attacks, and almost certainly seen them in your inbox; as a cybersecurity risk, phishing reached record levels in 2022. Phishing attacks arrive by email, whereas "smishing" uses SMS messages (text messages).

The concept is simple. Cybercriminals send text messages to victims' phones, encouraging them to click on a malicious link. Following the link usually results in the victim's personal information being harvested by criminals. This information is used to either steal the victim's identity or access valuable financial or personal accounts.

Smishing techniques to be wary of:

1. Hijacking verification codes:

A newer kind of attack has surfaced with the rising popularity of two-factor authentication (you may recognize this authentication from your social media accounts or online services).

A hacker poses as a bank or other official institution and calls the victim, claiming that the victim's account has been hacked. In order to "verify their identity," the hacker asks for a code that is sent to the victim's phone. This is in fact the victim's two-factor authentication code: the hacker already has the password, and the code lets them get past the second layer of authentication. With that, they have access to the victim's account.

2. Malicious websites:

The smishing attack lures a victim onto a malicious website that often appears to be legitimate, like a carbon copy of your bank’s website. The cybercriminal may have copied a genuine website that contains a form to gather the victim's data. In some cases, attackers mimic delivery websites, or airlines, claiming that unpaid customs fees are due. As soon as a victim provides their credit card details, their account may be emptied.

3. Malware:

The link encourages a victim to download malware (malicious software), which can perform a range of malicious acts. For example, keyloggers that record keystrokes, or remote access software (often seen in a Microsoft Support scam).

How does a Smishing attack work?

Smishing attacks rely on a number of factors that make some victims more willing to let their guard down and hand over their personal information.

Attackers often use varying degrees of deception to trick victims into believing that they're safe, even when the opposite is true. For example:

1. Spoofing numbers:

Some phone operators allow outbound callers to modify the number they appear to be calling or texting from. By changing their number to match one used by an official source, such as your bank, attackers get their text message merged into any existing message thread from that number stored on your phone. This lends the message legitimacy, making it appear to have come from the real company.

2. Social engineering:

The idea behind social engineering is that hackers use a combination of tactics to gain your trust and lower your defenses. By imitating legitimate companies and putting their victims under stress, they can coerce people into doing something they wouldn't ordinarily do. Attacks also focus on scenarios that suggest urgency, such as a pending delivery or a supposedly limited or blocked bank account.

Once a victim's data has been compromised, a cybercriminal will typically use that data to carry out the next phase of their attack. Most often, this involves using compromised card details to empty bank accounts or run up lines of credit.

However, even when card details are not compromised, victims are still at risk of identity theft. Malicious actors can capture enough personal information to open new credit lines or bank accounts in the name of their victims.

These criminals may also sell personal information on the dark web to the highest bidder, further risking victims' personal privacy and identity.

Smishing Attack Examples

To highlight some of the above information at work, we've provided smishing examples below.

  1. “Unusual account activity”: A text message claims that unusual activity has been detected on one of your accounts; Amazon is a common target. You're asked to click the link, log in, and change your password. In fact, you'll be providing your password to a cybercriminal.
  2. “Your bank account has been blocked”: These messages play on that sense of urgency you feel when you think that something is wrong with your bank account. In a hurry, you'll log in via the link in the text message, but again, you'll be supplying the attacker with your bank account information.
  3. “Unusual transaction notification”: Nobody wants to think that their credit card has been hacked. These messages advise that an unusual transaction has been recorded against your credit card in the hope that you'll rush to log in via the link and give up your credentials.
  4. “A misplaced phone”: Some smishing attacks have imitated family members, conning parents out of money. These attacks usually start out by impersonating a son or daughter with varying success. Some people have lost money by transferring it to whom they believed was their child, when in fact it was a criminal.
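As an added example (not Truecaller's code and not part of the original post), the following Python script scores text messages against the cues described above: urgency wording, a link whose host does not belong to the brand the message names, a request to hand over a verification code, and a family-impersonation story paired with a money request. The sample messages, the cue phrases and the brand-to-domain map are constructed for illustration; a real filter would use a curated, maintained list.

```python
import re
from urllib.parse import urlparse

# Matches http(s) URLs and bare www. links; trailing punctuation is stripped later.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

# Cue phrases modelled on the lure styles described in the post (lowercase,
# matched as substrings of the lowercased message).
URGENCY_PHRASES = (
    "unusual activity", "unusual transaction", "account has been blocked",
    "account blocked", "suspended", "verify now", "verify your identity",
    "restore access", "immediately", "customs fee", "unpaid",
)
# Only phrases that ask the recipient to hand a code over count; a genuine
# one-time-code delivery ("your code is 123456, do not share it") must not fire.
CODE_REQUEST_PHRASES = (
    "reply with the code", "send us the code", "provide the code",
    "read out the code", "give us the code",
)
FAMILY_RE = re.compile(r"\b(mum|mom|dad|this is my new number|lost my phone|new phone)\b")
MONEY_RE = re.compile(r"\b(send (?:me )?money|transfer|wire|pay)\b")

# Illustrative brand -> legitimate domains map (assumption for this example only).
KNOWN_BRANDS = {
    "amazon": ("amazon.com", "amazon.co.uk"),
    "paypal": ("paypal.com",),
}


def extract_hosts(text):
    """Return the lowercased hostnames of every link found in the message."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")
        if not url.lower().startswith("http"):
            url = "http://" + url
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def host_belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(text):
    """Score one SMS and explain the score. Higher means more smishing-like."""
    lowered = text.lower()
    score, reasons = 0, []

    urgency_hits = [p for p in URGENCY_PHRASES if p in lowered]
    if urgency_hits:
        score += 1 + min(len(urgency_hits), 2)  # 2 for one cue, 3 for two or more
        reasons.append("urgency wording: " + ", ".join(urgency_hits))

    hosts = extract_hosts(text)
    if hosts:
        score += 1
        reasons.append("contains link(s): " + ", ".join(hosts))

    # A named brand whose link points somewhere that brand does not own.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in lowered:
            bad = [h for h in hosts if not host_belongs_to(h, domains)]
            if bad:
                score += 3
                reasons.append(f"claims to be {brand} but links to {', '.join(bad)}")

    if any(p in lowered for p in CODE_REQUEST_PHRASES):
        score += 3
        reasons.append("asks you to hand over a verification code")

    if FAMILY_RE.search(lowered) and MONEY_RE.search(lowered):
        score += 4
        reasons.append("family impersonation combined with a money request")

    verdict = "likely smishing" if score >= 4 else "suspicious" if score >= 2 else "low risk"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real scam texts); the domains are made up.
SAMPLE_MESSAGES = [
    "Amazon: Unusual activity detected on your account. Log in and change your password: http://amazon-verify.example.net/login",
    "Your bank account has been blocked. Restore access: https://secure-bank.example/restore",
    "Hi Mum, I lost my phone so this is my new number. Can you transfer some money for the repair?",
    "Your dentist appointment is tomorrow at 10:00. Reply C to confirm.",
    "Your one-time code is 482913. Do not share it with anyone.",
    "Bank security: to verify your identity, reply with the code we just sent you.",
    "Amazon: your order has shipped. Track it at https://www.amazon.com/orders",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = triage(msg)
        print(f"[{result['verdict']:16}] score={result['score']} :: {msg}")
        for reason in result["reasons"]:
            print("    -", reason)
```

The scoring is deliberately simple: each rule maps to one of the lures in the post, and the reasons list tells a reader why a message was flagged rather than just giving a number. Note the two benign cases, a genuine one-time code delivery and a real Amazon shipping link, both stay at "low risk" because the code rule only fires on a request to hand the code over and the brand rule only fires when the link host lies outside the brand's own domains.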

How to prevent Smishing

Unfortunately, there's no way to completely stop spam text messages, nor to avoid being targeted by a cybercriminal who has gotten hold of your number. However, you can minimize the risk of your details falling into the wrong hands by:

1. Download a spam-blocking app, like Truecaller:

Truecaller is the world's leading caller ID and spam-blocking solution, available for iPhone and Android. The app works in real time, with over 320 million people actively detecting and reporting scam and spam numbers. You get a dedicated blacklist to which you can add numbers. Blocked contacts can no longer disturb you with smishing attempts or unwanted phone calls.

You can also blanket ban unknown or "blocked" phone numbers from being able to contact you, ensuring that you always know who's trying to get in touch. Alternatively, Truecaller's Caller ID feature can automatically identify any phone number. You'll get a breakdown that includes their name, number, and location, as well as whether they're considered a spam caller.

2. Avoid marketing checkboxes:

Be careful when signing up to new subscriptions or services. Make sure that you're opting out of marketing wherever possible so that your data isn't collated by so many sources. Companies' servers are often breached, and if your data is held by a company that suffers a breach, your details could fall into the wrong hands.

3. Don’t click on links within text messages:

It's not worth the risk. Regardless of whom the text has come from, never click on links within SMS messages. Instead, if you're concerned there may be a problem with one of your accounts, go directly to the company's website and sign in as usual.

4. Don’t respond to suspicious text messages:

Sometimes, hackers send out a message simply to test whether a number is still active, and cybercriminals often share such intelligence with one another. If you respond to a message, you confirm that your number is live and could end up receiving even more spam in future.

5. Use two-factor authentication:

Wherever possible, you should enable two-factor authentication. In most cases, people use their smartphones as the secondary authentication layer, meaning that nobody can get into your accounts without having your phone physically in their possession or tricking you into handing over the code it receives (see "Hijacking verification codes" above).

6. Don’t share your authentication codes:

No matter what, don't provide your unique authentication codes to anyone. There are very few legitimate reasons for which a caller would need access to a code sent to your phone.

Remember, even those of us who know about phishing and smishing can make a mistake in the heat of the moment. By using Truecaller, you could vastly reduce the chance of that happening.

What to do if you've been a victim of Smishing?

  1. Report the number on Truecaller to help others avoid the scam.
  2. In the United States, the Federal Trade Commission (FTC) gathers scam reports to better tackle cybercrime. You can report the scam online to help further their investigations, or dial 1-877-382-4357. If in another country, your government should provide the equivalent opportunity.
  3. Otherwise, be sure to secure your accounts as soon as possible. Change your passwords, preferably from another device in case you've been affected by malware. Above all, don't respond to smishing attacks, and don't click on any suspicious links in the future.
