With roughly 7.3 billion people—that’s a whopping 92% of the global population—owning a phone that can send and receive text and chat messages, it’s no wonder that hackers have taken to SMS as a new way to lead cyber attacks.

Moreover, nine in 10 people will open an unknown SMS compared to just 20% or fewer who will open an email from an unknown sender. With those kinds of numbers, the odds are in hackers’ favor.

These phishing attacks using SMS communication are known as smishing (for ‘SMS phishing’). The threat actor’s goal in these attacks is the same as in an email attack. Hackers send links to thousands of phone numbers and provide a fraudulent link to click to convince recipients to divulge personal information or install malware on their devices.

Hackers use different types of smishing to create fraudulent scenarios and target other platforms. Similar attacks are possible on messaging apps, including iMessage, WhatsApp, and Facebook Messenger. They may even apply to Google Chat and Microsoft Teams.

Let’s look at the seven most common smishing attacks and how you can defend yourself.

The Delivery Notification

With the rise of eCommerce, people are always waiting for packages and checking on the progress of their deliveries. Since many websites and delivery companies offer text message updates, most users don’t think twice when they receive a text message offering a tracking link.

Some delivery companies use SMS to update their consumers, but they use links directing consumers to their domains. Scams typically use URL shorteners or have domain names that spoof legitimate ones, so always be watchful.

The Bank/Credit Card Text

Smishing attacks use financial institutions as cover because any type of notification about the interruption of funds or unpaid bills is a stressful, urgent matter. If people think there is an issue with their bank account, they are more likely to click a link and settle it immediately.

While banks and credit card companies send text messages to their customers, they never include links. Legitimate messages from financial institutions will always be simple and describe the nature of the issue in general terms. It will invite the user to sign into their account to ensure they log into the site.

The Raffle Win

While quickly dismissed by most people as spam (since most people don’t enter raffles), if you did happen to enter a contest recently, these messages can easily lead to malware on your device.

For these attacks, it’s important to remember that legitimate contest organizers will use email to notify winners since this makes it easy for them to communicate with you and gather the information needed to send you the prize.

The Password Reset

With the increase in password breaches from several well-known websites, many users have turned to two-factor authentication (2FA) to protect themselves and their information. This additional security measure has created a new scam where hackers use SMS to steal passwords.

After establishing a victim’s phone number and email address, hackers will send a smishing text to the user saying their account experienced a breach. Usually, their email has been compromised. The hackers then use the “forgot my password” function on the website to send a 2FA code to the victim’s phone.

The smishing message will ask the user to give the hackers the code they received via text to secure their account. Doing so gives scammers control of the account.

Remind your users that they should never give a 2FA code to anyone else for any reason. Recommend using an authenticator app instead of 2FA. Authenticators are far more secure and tamper-proof.

The Tax Season Scam

‘Tis the season to be leery. Tax season is rife with smishing scams. The most common scams try to convince their victim that they owe money after doing their taxes and direct them to a fraudulent website to pay the required amount.

Another common tactic is to tell the victim they will receive a large refund, inviting them to click on a link to claim their money. Doing so installs malware on their phone.

Again, remind your users that such payments and tax refunds are only paid via check or bank transfer. Additionally, tax and revenue agencies only communicate using email and physical letters, never via SMS.

CEO Fraud

Everyone wants to impress their superiors at work; it’s human nature. So, when your CEO sends you a text message asking for your urgent help, you’re bound to jump to the task. That’s the sentiment that hackers rely on using the CEO fraud technique.

Text messages in these smishing attacks will be cleverly crafted and urge the user to complete a task immediately. Often sent right before the end of the business day, they demand the information be sent before the victim leaves the office.

It’s important to remind your users that your company’s CEO will always use proper channels to contact them, such as reaching out to their direct superior. Once again, these attacks are always sent from bogus emails and rely on urgency and the fallibility of human nature to succeed.

The Ridiculous Message

While most of the scams mentioned here are clever and expertly crafted, some are completely ridiculous on purpose. Think of the infamous Nigerian Prince scam—making outrageous claims and riddled with spelling and grammar mistakes.

Hackers use these ridiculous messages to weed out the people who wouldn’t fall for this scam. Often targeting older people who might be lonely and happy to respond to any text message they receive, these smishing attempts will often claim to be long-lost family members and ask for money to get out of the bind.

While you and your users may not be targets for this scam, your older relatives might fall prey to them. Always be on the lookout if they need to send money to an uncle you’ve never heard of or even if they mention helping a new friend.

Ignore and Move On

The best defense against smishing is to do nothing and ignore these messages. If something doesn’t feel right when you receive a text message, don’t engage with it. Remember that legitimate messages from government agencies and financial institutions will come through official channels if an issue warrants your attention.

Hackers’ pivot to SMS-based attacks shows how enterprising they are and how no networked technology is safe from their attempts to defraud. Beyond simple common sense, consider security awareness training to help protect your organization.

Security awareness training helps reduce risk, change unsafe online behaviors in end-users, and grow a security-minded) organizational culture.

Take proactive steps against smishing

With the near-universal presence of SMS-capable phones in our lives, it is little wonder that hackers leverage SMS as a means for cyber attack.

While smishing attacks can take many forms, their goals remain the same as their counterpart, email phishing: stealing people’s confidential personal and corporate information.

The good news is that by being proactive and regularly coaching your employees with security awareness training, you can give your employees the tools to respond to everything from smishing attacks to ransomware to social network breaches.



Cyber Security Hub: Access Exclusive Cyber Security Content

To learn and get shareable materials about smishing, access our free Cyber Security Hub—your one-stop cyber security awareness and knowledge center.