In 2020 alone, an estimated 2.1 trillion text messages were exchanged worldwide, making SMS one of the most ubiquitous methods of communication. Sadly, that also means attackers have adopted SMS as a new channel for cyber attacks.
Smishing is the term for phishing attacks carried out over SMS. The goal is identical to that of email phishing: attackers automatically send messages to thousands of numbers, each containing a fraudulent link, to convince victims to divulge personal information or to install malware on their devices.
The different types of smishing are distinguished mainly by the context they use and who they impersonate. This article details the seven most common ways smishing attacks are carried out.
1. The Delivery Notification
The rise of eCommerce means people are collectively always waiting for a package and checking on its delivery progress. Since many websites and delivery companies offer text message updates, many people don’t think twice when they receive a text message containing a link for updates.
Some delivery companies do use SMS to update their customers, but their links point to their own domains. Scams typically use URL shorteners or domain names that approximate a legitimate one.
2. The Bank/Credit Card Text
Financial institutions are a frequent pretext for smishing attacks because any notification about an interruption of funds or unpaid bills is a stressful, urgent matter. Most people are bound to click the link to settle the issue immediately.
While banks and credit card companies do send text messages to their customers, they never include links. The message will always be a simple one that vaguely describes the nature of the issue and invites you to sign in to your account, which ensures customers use the legitimate site to log in.
3. The Raffle Win
Most people quickly identify these messages as spam because they haven’t entered any raffle. But if you did enter a contest recently, these messages can easily lead to malware on your device.
For these attacks, it’s important to remember that legitimate contest wins are communicated over email, since it is a much easier means of conveying the information needed to send you the prize.
4. The Password Reset
With the increase in password breaches at several well-known websites, many users have turned to two-factor authentication (2FA) to protect themselves and their information. This has created a new scam in which attackers use SMS to steal passwords.
After establishing a victim’s phone number and email address, the attackers send a smishing text telling the user their account has experienced a breach, usually that their email has been compromised. The attackers then use the website’s “forgot my password” function, which sends a 2FA code to the victim’s phone.
The smishing message asks the user to send back the code they received by text in order to secure their account. Instead, the scammers use the code to take control of the account.
Remind your users that they should never give a 2FA code to anyone; the code is only ever to be entered by them when they log in. Recommend an authenticator app instead, since those are much more secure and can’t be tampered with.
5. The Tax Season Scam
Tax season is rife with smishing scams of all types. The most common ones try to convince the victim that they owe money after filing their taxes and direct them to a fraudulent website to pay the required amount.
Another common tactic is to tell the victim they are entitled to a large refund and invite them to click a link to claim it. There was never any money, however, and the link installs malware on their phone.
Again, remind your users that such payments and tax refunds are only paid by check or bank transfer. Additionally, notifications are only sent by email or physical letter, never by SMS.
6. CEO Fraud
Everyone wants to impress their superiors at work; it’s human nature. So, when the CEO of the company you work for texts you urgently asking for help, you’re bound to jump to the task. That’s the sentiment attackers using this technique rely on.
Text messages in these attacks are cleverly crafted and urge the user to complete a task right away. They are often sent right before the end of the business day, asking for the information to be sent before the victim leaves the office.
It’s important to remind your users that your company’s CEO will always use proper channels to contact them, such as reaching out through their direct superior. Once again, these attacks are always sent from bogus senders and rely on urgency and human nature to succeed.
7. The Ridiculous Message
While most of the scams mentioned here are very clever and expertly crafted, some are deliberately the opposite. Think of the infamous Nigerian Prince scam: it always claims outlandish things and is riddled with spelling and grammar mistakes.
They’re designed to weed out the people who wouldn’t fall for this type of scam. These smishing attempts often target older people who might be lonely and happy to respond to any text message they receive, and will claim to be long-lost family members asking for money to get out of a bind.
While you and your users may not be targets for this scam, your older relatives might fall prey to it. Be on the lookout if they need to send money to an uncle you’ve never heard of, or even if they mention a new friend.
Ignore And Move On
The best defense against smishing, ironically, is to ignore these messages. If something doesn’t feel right about a text message you receive, don’t engage with it. Remember that government entities and financial institutions will contact you through official channels if there is genuinely an issue that warrants your attention.
Additionally, never give anyone information like passwords or 2FA codes; enter them yourself, even if you are getting help from tech support. Thankfully, these steps are relatively simple to follow and keep you and your users protected against smishing.
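The indicators called out above (shortened links and lookalike domains in the delivery scam, links in supposed bank messages, requests to send back a 2FA code in the password-reset scam, and the urgency pressure behind CEO fraud) can be turned into a simple triage heuristic that a security team might run over reported messages. The following Python is an added example written for this article, not code from the original author. The domain allowlist, shortener list, keyword lists and sample messages are all constructed for the demonstration; the registrable-domain helper is deliberately crude and a production version would use a public suffix list.

```python
import re
from urllib.parse import urlparse

# Constructed lists for the example; a real deployment would maintain its own.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
# Hypothetical allowlist of domains users legitimately receive SMS links from.
LEGIT_DOMAINS = {"example-bank.com", "example-delivery.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours",
                 "right away", "final notice")
CODE_WORDS = re.compile(r"\b(code|otp|verification|2fa|passcode)\b", re.I)
HANDOVER_WORDS = re.compile(r"\b(reply|send|text back|provide|give)\b", re.I)
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
# Digits and symbols commonly swapped in for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "8": "b", "@": "a", "$": "s"})


def normalise_host(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def registrable(host):
    # Crude: keep the last two labels. Real code should use a public suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the allowlisted domain this host imitates, or None if it is
    either allowlisted itself or not close to any allowlisted name."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return None
    folded_reg = reg.translate(HOMOGLYPHS).replace("-", "")
    folded_host = host.translate(HOMOGLYPHS).replace("-", "")
    for legit in LEGIT_DOMAINS:
        folded_legit = legit.replace("-", "")
        brand = legit.split(".")[0].replace("-", "")
        # Homoglyph swap or small typo on the registrable domain itself.
        if edit_distance(folded_reg, folded_legit) <= 2:
            return legit
        # Brand name buried in a subdomain or padded with extra words.
        if brand in folded_host:
            return legit
    return None


def analyse_sms(text):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    findings = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;!?)")
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = normalise_host(urlparse(url).hostname or "")
        reg = registrable(host)
        if reg in KNOWN_SHORTENERS:
            findings.append(f"shortened link ({host}) hides the real destination")
        elif reg in LEGIT_DOMAINS:
            continue  # link to an allowlisted domain
        else:
            target = lookalike_of(host)
            if target:
                findings.append(f"link host {host} imitates {target}")
            else:
                findings.append(f"link to unrecognised domain {host}")
    lowered = text.lower()
    if any(word in lowered for word in URGENCY_WORDS):
        findings.append("urgency pressure")
    if CODE_WORDS.search(text) and HANDOVER_WORDS.search(text):
        findings.append("asks the recipient to hand over a one-time code")
    return findings


def is_suspicious(text):
    return bool(analyse_sms(text))


# Constructed sample messages modelled on the scam types in the article.
SAMPLES = {
    "delivery": "Your parcel could not be delivered. Reschedule at http://bit.ly/3xAbCd within 24 hours.",
    "bank": "Example Bank: your account is suspended. Verify now at https://examp1e-bank.com/login",
    "reset": "Security alert: we detected a breach. Reply with the verification code we just sent to secure your account.",
    "legit": "Example Delivery: your package arrives tomorrow. Track it at https://www.example-delivery.com/track/123",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, "->", analyse_sms(msg) or "no indicators")
```

The allowlist approach mirrors the article's advice: a link is only trusted when it lands on a domain the organisation already knows, and anything else is flagged for a human to look at. The heuristic is a triage aid for a helpdesk or awareness programme, not a replacement for the "ignore and move on" rule.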