Smishing — short for “SMS phishing” — is a type of phishing attack delivered via text message. These messages aim to trick recipients into installing malicious software, sending money or revealing sensitive information such as login credentials or financial details.
While similar to email phishing, smishing occurs over SMS or messaging apps like WhatsApp, iMessage and Facebook Messenger.
What Is Smishing and How Does It Work?
Smishing is a type of phishing attack in which scammers send fraudulent text messages (SMS) to trick individuals into revealing sensitive information, downloading malware or sending money, often by impersonating trusted institutions like banks or government agencies.
Types of Smishing Attacks
Like email phishing, smishing attacks come in many forms. They can be grouped into two main categories: the attacker’s intended outcome and the message’s style.
These are common smishing strategies, but the examples below are not exhaustive.
Intended Action of the Smishing Attack
The intended action of the attack can fall into three subcategories: revealing sensitive information, downloading malware and sending the attacker money.
1. Revealing Sensitive Information
In this style of attack, the attacker attempts to trick their target into revealing sensitive information, such as login credentials, bank account information, social security numbers, etc.
2. Downloading Malware
In this instance, the attacker tries to talk their target into downloading seemingly legitimate software that’s actually malware, usually in the form of a mobile application.
3. Sending the Attacker Money
This is when the attacker aims to manipulate their target into sending money to an account the criminal can access.
Style of Smishing Message
There’s a variety of ways a criminal can word an SMS message to take advantage of someone.
1. Fake Prize or Gift Messages
These are messages claiming you won a prize and need to perform an action, like clicking a link, in order to get it.
2. Financial Messages
This is when a criminal sends messages pretending to be from a financial institution, such as a bank or the IRS, in an attempt to deceive the target into giving up financial information.
3. Tech Support Messages
These are messages where the attacker pretends to be a tech support engineer to get their target to divulge login credentials or install malware disguised as security. This can also include messages claiming you’re going to be locked out of an account or have your subscription service canceled.
4. Invoice or Delivery Messages
Criminals send fake messages about recent purchases, bills or deliveries, often including a malicious link meant to steal personal information or install malware.
5. Fake Charity Messages
In this case, the attacker claims to be from a charity or participating in some form of donation drive and attempts to trick the target into sending money to a fake cause.
6. Government Agency Messages
This is when the attacker pretends to be from a government agency, such as the IRS or FBI, and threatens some form of punitive action against the victim unless they do what the attacker says.
Smishing Examples
2020 Tokyo Olympics Smishing
In 2020 there was a smishing campaign targeting fans of the Olympics that pretended to offer free or discounted tickets to the 2020 Tokyo Olympics if the users clicked on a link. This link would then either attempt to download malware or ask the user to input personal details, such as bank account information.
Annual IRS Dirty Dozen List
Every year, the IRS posts what it calls its Dirty Dozen list, a list of common scams the IRS has seen used against taxpayers.
The list includes smishing scams in which attackers pose as tax professionals offering filing assistance or claiming to help victims receive large refunds, as well as attempting to scare the victim by claiming they’re at risk of being audited.
These smishing attempts often involve either the victim divulging sensitive financial information or paying large sums of money.
How to Protect Against a Smishing Attack
The primary way to prevent falling for a smishing attack is to be cautious and avoid clicking links that either look suspicious or are from individuals you don’t know.
1. Verify the Sender
If you receive a message from a sender that claims to be an organization or friend/family member but looks suspicious, verify them. Most organizations include a help line you can call to gain confirmation of contact attempts.
Do not ask the sender to provide you this number. Instead, look on the organization’s website yourself. If the sender claims to be a friend or family member, message them via alternative means and ask for confirmation.
2. Don’t Click on Suspicious Links
Attackers may disguise malicious links using URL shorteners or spoofed domains that closely resemble legitimate websites.
If you receive a message that just consists of a link or the message contains a link that looks odd, do not click on it.
3. Guard Your Personal Information
Legitimate organizations and institutions will not request your sensitive or personal information via text message.
Never share sensitive details such as your Social Security number, account credentials or security codes in response to a text, even if it appears to come from a trusted source.
If you receive a message asking you to reply with details such as your credit card number or banking information, do not hand that information over. In addition, until you have verified the recipient’s identity, do not send personal information of any type.
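As an added defensive example (not part of the original article), the following Python heuristic flags text messages that show the warning signs described in the two sections above: a message that is nothing but a link, a shortened URL, a domain that imitates a well-known brand, and a request for sensitive data. The shortener list, brand list, regular expressions and sample messages are all constructed for the demo and are assumptions, not a vetted feed.

```python
import re
from urllib.parse import urlparse

# Constructed watch-lists for the demo; feed these from your own lists in practice.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
BRANDS = {"paypal.com", "chase.com", "usps.com", "amazon.com"}
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
SENSITIVE_RE = re.compile(r"\b(ssn|social security|card number|password|pin)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance; one edit away from a brand name is a likely typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    # Hostname of a URL, tolerating bare "www." links that carry no scheme.
    if not url.lower().startswith("http"):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().strip(".")

def lookalike_brand(host):
    """Brand a host imitates, or None if it is the genuine domain or unrelated."""
    labels = host.split(".")
    if ".".join(labels[-2:]) in BRANDS:  # crude eTLD+1; use a public-suffix list for real
        return None
    for brand in sorted(BRANDS):
        name = brand.split(".")[0]
        for label in labels[:-1]:  # every label except the TLD
            for token in label.split("-"):  # "chase-secure-login" -> chase, secure, login
                if token == name or edit_distance(token, name) == 1:
                    return brand
    return None

def assess_sms(text):
    """Reasons an SMS looks like smishing; an empty list means nothing was flagged."""
    reasons = []
    urls = URL_RE.findall(text)
    if urls and text.strip() == urls[0]:
        reasons.append("message is nothing but a link")
    for url in urls:
        host = host_of(url)
        if host in SHORTENERS:
            reasons.append(f"shortened link hides destination: {host}")
        brand = lookalike_brand(host)
        if brand:
            reasons.append(f"{host} imitates {brand}")
    if SENSITIVE_RE.search(text):
        reasons.append("asks for sensitive data by text")
    return reasons
```

The brand check is deliberately conservative (exact token or one-character edit) to keep false positives down; a genuine link such as www.usps.com produces no findings.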
4. Update Your Mobile Phone
Keep software, including your mobile operating system, up to date to help defend against the latest known threats.
5. Stay Educated
Keep informed about common smishing tactics and threats, and share this information with friends and family to help keep them safe as well.
Frequently Asked Questions
What is smishing?
Smishing (short for SMS phishing) is a type of phishing attack that uses text messages to trick individuals into sharing sensitive information, sending money or downloading malicious software.
What types of smishing attacks are most common?
Smishing attacks typically aim to steal sensitive information, install malware or get the victim to send money. These attacks may appear as:
- Fake prize offers
- Financial alerts
- Tech support messages
- Package or product delivery notices
- Charity requests
- Messages from fake government agencies
Can smishing attacks happen on apps like WhatsApp or iMessage?
Yes. While smishing traditionally involves SMS, similar tactics can also be used on platforms like WhatsApp, iMessage and Facebook Messenger.