With roughly 5 billion people—a whopping 65% of the global population—sending and receiving SMS messages, it’s no wonder that hackers have taken to SMS as a new way to lead cyber attacks.
In 2022, 68.4 million Americans fell victim to a phone scam. And only 65% of Americans say they would delete a text if it came from an unknown sender. With these kinds of numbers, the odds are in hackers’ favor.
These phishing attacks using SMS communication are known as smishing (for ‘SMS phishing’). The threat actor’s goal in these attacks is essentially the same as in an email phishing attack.
Hackers send links to thousands of phone numbers and provide a fraudulent link to click to convince recipients to divulge personal information or install malware on their devices.
Hackers use different types of smishing to create fraudulent scenarios and target other platforms. Similar attacks on messaging apps, including iMessage, WhatsApp, and Facebook Messenger, are possible. They may even apply to Google Chat and Microsoft Teams.
Let’s look at the seven most common smishing attacks and how you can protect yourself.
7 Examples of Smishing
The Delivery Notification
With the rise of online shopping, people are always waiting for packages and checking on the progress of their deliveries. Since many websites and delivery companies offer text message updates, most users don’t think twice when they receive a text message offering a tracking link.
Some delivery companies use SMS to update their consumers, and they use links directing consumers to their domains. These scams typically use URL shorteners or have domain names that spoof legitimate ones, so always be watchful.
The Bank/Credit Card Text
Smishing attacks use financial institutions as cover because any type of notification about the interruption of funds or unpaid bills is a stressful, urgent matter. If people think there is an issue with their bank account, they are more likely to click a link and settle it immediately.
While banks and credit card companies send text messages to their customers, they never include links. Legitimate messages from financial institutions will always be simple and describe the nature of the issue in general terms. It will invite the user to sign into their account to ensure they log into the site.
The Raffle Win
While quickly dismissed by most people as spam (since most people don’t enter raffles), if you did happen to enter a contest recently, these messages can easily lead to malware on your device.
For these attacks, it’s important to remember that legitimate contest organizers will use email to notify winners. This makes it easy for them to communicate with you and gather the information needed to send you the prize.
The Password Reset
With the increase in password breaches from several well-known websites, many users have turned to two-factor authentication (2FA) to protect themselves and their information. This additional security measure has created a new scam where hackers use SMS to steal passwords.
After establishing a victim’s phone number and email address, hackers will send a smishing text to the user saying their account experienced a breach. Usually, their email has been compromised. The hackers then use the “forgot my password” function on the website to send a 2FA code to the victim’s phone.
The smishing message will ask the user to give the hackers the code they received via text to secure their account. Doing so gives scammers control of the account.
Remind your users that they should never give a 2FA code to anyone else for any reason. Recommend using an authenticator app instead of 2FA. Authenticators are far more secure and tamper-proof.
The Tax Season Scam
‘Tis the season to be leery. Tax season is rife with smishing scams. The most common scams try to convince their victim that they owe money after doing their taxes and direct them to a fraudulent website to pay the required amount.
Another common tactic is telling the victim they will receive a large refund, inviting them to click a link to claim their money. Doing so installs malware on their phone.
Again, remind your users that such payments and tax refunds are only paid via check or bank transfer. Additionally, tax and revenue agencies only communicate using email and physical letters, never via SMS.
CEO Fraud
Everyone wants to impress their superiors at work. So, when your CEO sends you a text message asking for your urgent help, you’re bound to jump to the task. That’s the sentiment that hackers rely on using the CEO fraud technique.
Text messages in these smishing attacks will be cleverly crafted, urging the user to complete a task immediately. Often sent right before the end of the business day, they demand the information be sent before the victim leaves the office.
It’s important to remind your users that your company’s CEO will always use proper channels to contact them, such as reaching out to their direct superior. Once again, these attacks are always sent from bogus emails and rely on urgency and the fallibility of human nature to succeed.
The Ridiculous Message
While most of the scams mentioned here are clever and expertly crafted, some are just outright ridiculous on purpose. Think of the infamous Nigerian Prince scam—making outrageous claims and riddled with spelling and grammar mistakes.
Hackers use these ridiculous messages to weed out the people who wouldn’t fall for this scam. Often targeting older people who might be lonely and happy to respond to any text message they receive, these smishing attempts will often claim to be long-lost family members and ask for money to get out of the bind.
While you and your users may not be targets for this scam, your older relatives might fall prey to them. Always be on the lookout if they need to send money to an uncle you’ve never heard of or even if they mention helping a new friend.
How to Protect Yourself from Smishing
Anyone can receive a smishing text—you might be next or, more probably, you’ve already received them. You must know what to do if you become an attacker’s next target. Here are some tips to protect yourself from text scams and smishing attacks.
- Educate yourself on the risks of malicious text messages. If you are a company owner, invest in security awareness training to build a cyber-aware organizational culture.
- The best defense against smishing is to do nothing and ignore these messages. If something doesn’t feel right when you receive a text message, don’t engage with it. Remember that legitimate messages from government agencies and financial institutions will come through official channels if an issue warrants your attention.
- Inform yourself and your employees about smishing tactics, social engineering attacks, and other scams. Be aware of what cyber criminals are doing to trick victims through text.
- Regularly monitor smishing awareness among yourself and your employees. Stress that they need to read every text they receive carefully and, when in doubt, never respond.
- Hold security awareness simulations to assess your workforce’s resilience against smishing attacks. And when necessary, conduct training through gamification and micro and nano learning modules.
- Install anti-virus software and malware protection on all mobile devices, especially for companies with a bring-your-own-device (BYOD) policy.
- Regularly communicate with employees about smishing and hold periodical awareness campaigns.
Take proactive steps against smishing
With the near-universal presence of SMS-capable phones in our lives, it is little wonder that hackers leverage SMS for cyber attacks.
While smishing attacks can take many forms, their goals remain the same as their counterpart, email phishing: stealing people’s confidential personal and corporate information.
The good news is that by being proactive and regularly coaching your employees with security awareness training, you can give your employees the tools to respond to everything from smishing attacks to ransomware to social network breaches.
Cyber Security Hub: Access Exclusive Cyber Security Content
To learn and get shareable materials about smishing, access our free Cyber Security Hub—your one-stop cyber security awareness and knowledge center.