Smishing: the best tips to fight against SMS phishing

The term smishing consists of the words “SMS” and “phishing”. In a way similar to phishing, cyber criminals impersonate representatives of a trustworthy company or organization. Instead of emails, however, attackers use SMS (Short Message Service) when SMS phishing – in other words, text messages – in order to convince the victim to disclose account information or to unknowingly install malware and trojans.

Even if the smishing definition may make it sound like a small risk, it can be hard to identify a phishing SMS. Cyber criminals deliberately play with a victim’s emotions in order to pressure them into making irrational decisions. In our guide, we explain how smishers operate and show you what SMS phishing typically looks like, and how to verify the authenticity of text messages.

Smishers have developed different ways of operating in order to get their hands on smartphone users’ data. The basic model, however, is usually the same: The scammer impersonates either a company representative or an acquaintance, and tells a story that aims to persuade the victim to disclose their personal data or download harmful software. This element is essential for successful smishing and is referred to as social engineering. The attacker tries to establish a trusted relationship to ensnare the victim emotionally. The targeted person is supposed to get the feeling that now is the time to throw caution to the wind and follow the scammer’s instructions.

In the following sections, we introduce the most distinctive components and content types of SMS phishing to show how fraudulent text messages work and what one must pay attention to in order to verify the authenticity of a text message.

The classic example of SMS phishing is a short text message that is written in a way that suggests it could be written by a friend. The message is supposed to generate curiosity. It may ask a recipient to click on a link contained within the SMS. Once a person clicks on the link, they unwittingly launch an automatic download in the background of their operating system which will give the attacker access to their smartphone. Professional smishers have mastered the art of hiding such downloads and users won’t notice them at all. As a result, their personal data will be handed over without them knowing.

Email phishing tactics direct people to a website that contain a form to be filled out. Smishing operates in a similar way: Criminals send a text with a link which in turn redirects the recipient to a form. When they enter their personal data, it will be sent directly to the scammer. This smishing technique is popular with criminals trying to attain user bank account or credit card information. The SMS will typically point to a (fake) security problem that supposedly requires the recipient to enter their data immediately to rectify the issue.

With spear smishing, the attack targets a specific individual. For this purpose, attackers assess the victim’s profile on social media networks, for example, and on that basis design bespoke phishing text messages that contain personal data and, thus, are perfectly tailored to the victim. As with spear phishing which uses personalized emails, this method allows the attacker to create a higher degree of credibility.

SMS phishing is also used to redirect victims to an alleged company hotline. A text instructs the recipient to contact a customer support hotline via a specified number. As soon as the scammer is on the line, they will try to elicit information from the caller. The advantage for the scammer here lies in their increased credibility. Many people are justifiably mistrustful of having to enter personal data into an online form. The indirect route via a telephone hotline assures respectability. With vishing aka voice phishing a similar way of operating exists through which criminals attempt to capture sensitive data via initiated voice-over-IP calls.

SMS phishing methods always focus on a pressing issue or event that requires immediate action or attention from the victim. That is why one should never react to a text message on impulse and instead thoroughly inspect its contents. We have compiled the most important criteria to help distinguish a real SMS from a phishing SMS. The central question should always be: How trustworthy is the sender and the content of the SMS?

Tip 1: Check the SMS for spelling and grammar mistakes. Cyber criminals often work internationally and utilize translation tools. This will become apparent in any text messages received.

Tip 2: Check the sender’s telephone number to be sure that it really belongs to the alleged company. Keep in mind, however, that a real phone number doesn’t automatically translate into a trustworthy message. Smishers can utilize spoofing to make phone numbers appear real.

Tip 3: Ask yourself which occasions would warrant the use of SMS an appropriate communication tool. If, for example, your bank account had been compromised, a financial institution would be highly unlikely to text you. Similarly, the probability of receiving a SMS notification for a contest won is close to zero.

Tip 4: Never share financial or payment information using a web form received via SMS. Similarly, never click on links from unknown senders or those whom you do not trust. Remain mistrustful of text messages that convey great urgency.

Tip 5: Install an anti-virus program on your smartphone and perform regular updates. Though security software cannot guarantee that your smartphone won’t become infected with harmful software, it does offer an added level of security that you should not go without.