Smishing, or SMS phishing, is an attack that uses text messages to trick individuals into installing software, giving away money or divulging sensitive information, such as login credentials, bank account details or credit card numbers.
Smishing is similar to email phishing, but the attacker sends text or SMS messages to their victim instead of emails.
How Does Smishing Work?
Smishing involves the use of social engineering and psychological tactics by criminals to deceive a victim into believing that phony texts or SMS messages are legitimate. Criminals craft these messages to earn their victim’s trust or appeal to their emotions, manipulating them into taking certain actions.
Types of Smishing Attacks
Just as with email phishing, there are all kinds of smishing attacks. You can break them down along two axes: the intended action of the attack and the style of messaging.
Please note that there are countless ways an attacker can try to trick someone via smishing, and the lists below should not be considered exhaustive.
Intended Action of the Attack
The intended action of the attack can fall into three subcategories: revealing sensitive information, downloading malware and sending the attacker money.
1. Revealing Sensitive Information
In this style of attack, the attacker attempts to trick their target into revealing sensitive information, such as login credentials, bank account information or Social Security numbers.
2. Downloading Malware
In this instance, the attacker tries to talk their target into downloading seemingly legitimate software that’s actually malware, usually in the form of a mobile application.
3. Sending the Attacker Money
This is when the attacker aims to manipulate their target into sending money to an account the criminal can access.
Style of Smishing Message
There are a variety of ways a criminal can word an SMS message to take advantage of someone.
1. Fake Prize or Gift Messages
These are messages claiming you won a prize and need to perform an action, like clicking a link, in order to get it.
2. Financial Messages
This is when a criminal sends messages pretending to be from a financial institution, such as a bank or the IRS, in an attempt to deceive the target into giving up financial information.
3. Tech Support Messages
These are messages where the attacker pretends to be a tech support engineer to get their target to divulge login credentials or install malware disguised as security software. This can also include messages claiming you’re going to be locked out of an account or have your subscription service canceled.
4. Invoice or Delivery Messages
Criminals send these messages to trick their target with fake information about a recent purchase, bill or delivery and often include a malicious link the attacker wants the target to click.
5. Fake Charity Messages
In this case, the attacker claims to be from a charity or participating in some form of donation drive and attempts to trick the target into sending money to a fake cause.
6. Government Agency Messages
This is when the attacker pretends to be from a government agency, such as the IRS or FBI, and threatens some form of punitive action against the victim unless they do what the attacker says.
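The two axes above (the intended action and the style of the message) can be turned into a simple triage rule for incoming SMS, the kind of heuristic a mobile security product or a SOC analyst might use to flag messages for review. The following Python script is an added example, not part of the original article and not any vendor's filter: every indicator list, the scoring weights, the verdict thresholds and the four sample messages are constructed assumptions for illustration. It also inspects any link in the message for cues that warrant caution before anyone taps it (URL shorteners, bare IP addresses, deep subdomains, and hosts that carry a brand name such as "irs" without being under that brand's real domain).

```python
"""Heuristic triage of SMS text against the smishing styles and intended actions above.

Added example (not from the original article). Indicator lists, weights, thresholds
and sample messages are constructed assumptions; a production filter would tune them
against real traffic and combine them with sender reputation.
"""
import re
from urllib.parse import urlparse

# One indicator list per message style described in the article (constructed wording).
STYLE_INDICATORS = {
    "prize": [r"\bwon\b", r"\bprize\b", r"\bgift card\b", r"\bclaim\b"],
    "financial": [r"\baccount\b", r"\bpayment\b", r"\bbank\b", r"\brefund\b", r"\birs\b"],
    "tech_support": [r"\bsecurity alert\b", r"\bverify your (account|password)\b",
                     r"\blocked\b", r"\bsubscription\b", r"\bsuspended\b"],
    "delivery": [r"\bpackage\b", r"\bdeliver\w*\b", r"\binvoice\b", r"\bparcel\b"],
    "charity": [r"\bdonat\w*\b", r"\bcharity\b", r"\brelief fund\b"],
    "government": [r"\birs\b", r"\bfbi\b", r"\bwarrant\b", r"\blegal action\b", r"\barrest\b"],
}

# Cross-cutting cues: links, urgency, requests for sensitive data, money and software.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[a-z0-9.-]+\.[a-z]{2,}/\S*", re.I)
URGENCY_RE = re.compile(r"\b(immediately|within 24 hours|urgent|now|final notice)\b", re.I)
SENSITIVE_RE = re.compile(r"\b(password|pin|ssn|social security|card number|login|credentials)\b", re.I)
MONEY_RE = re.compile(r"\b(wire transfer|send (?:\$|money)|bitcoin|gift card code|pay the fee)", re.I)
SOFTWARE_RE = re.compile(r"\b(install|download|update the app)\b", re.I)

# A few well-known URL shorteners, and real brand domains used to spot lookalike hosts
# that carry the brand token but are not under the brand's real domain.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
BRAND_DOMAINS = {"irs": "irs.gov", "fedex": "fedex.com", "usps": "usps.com"}


def extract_urls(text):
    """Return the URL-like strings in a message, stripped of trailing punctuation."""
    return [u.rstrip(".,;:!)") for u in URL_RE.findall(text)]


def link_reasons(url):
    """Reasons a link deserves scrutiny before anyone taps it (empty list = nothing notable)."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    reasons = []
    if host in SHORTENERS:
        reasons.append("url-shortener")   # destination hidden behind a redirect
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("raw-ip")          # legitimate services rarely link to bare IPs
    elif host.count(".") >= 3:
        reasons.append("deep-subdomain")  # brand.secure.login.evil.example style hosts
    tokens = set(re.split(r"[.-]", host))
    for brand, real in BRAND_DOMAINS.items():
        if brand in tokens and not (host == real or host.endswith("." + real)):
            reasons.append(f"lookalike-{brand}")
    return reasons


def classify_style(text):
    """Count indicator hits per message style; {} when none fire."""
    lowered = text.lower()
    styles = {}
    for style, patterns in STYLE_INDICATORS.items():
        hits = sum(1 for p in patterns if re.search(p, lowered))
        if hits:
            styles[style] = hits
    return styles


def intended_action(text, urls):
    """Map the message to the article's three goals, or to 'follow-link' / 'unclear'."""
    if SENSITIVE_RE.search(text):
        return "reveal-info"
    if SOFTWARE_RE.search(text):
        return "install-software"
    if MONEY_RE.search(text):
        return "send-money"
    return "follow-link" if urls else "unclear"


def triage(text):
    """Score one SMS and return a verdict together with the evidence behind it."""
    urls = extract_urls(text)
    styles = classify_style(text)
    links = {u: link_reasons(u) for u in urls}
    action = intended_action(text, urls)
    score = sum(styles.values())
    score += 2 if urls else 0
    score += 2 * sum(len(r) for r in links.values())
    score += 1 if URGENCY_RE.search(text) else 0
    score += 2 if action in ("reveal-info", "install-software", "send-money") else 0
    verdict = "high" if score >= 5 else "medium" if score >= 2 else "low"
    return {"verdict": verdict, "score": score, "action": action, "links": links,
            "top_style": max(styles, key=styles.get) if styles else None}


# Constructed sample messages (not real campaigns); the last one is benign.
SAMPLES = [
    "Congratulations! You have won a $500 gift card. Claim it now: bit.ly/xyz123",
    "IRS Notice: your tax refund is pending. Confirm your login and card number "
    "within 24 hours at https://irs-refund-portal.example/verify or it will be cancelled.",
    "Your package could not be delivered. Reschedule here: http://192.0.2.10/usps/track",
    "Hi, running 10 min late, see you at the cafe",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg))
```

Run as-is, the first three samples score "high" (prize with a shortened link, an IRS lookalike asking for login and card details, a delivery lure pointing at a bare IP) and the benign message scores "low". The point of returning the evidence rather than only a verdict is that an analyst or a user-facing warning can say why a message was flagged, which matches the advice later on this page: verify the sender through a channel you looked up yourself, and treat odd-looking links as not worth tapping.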
Smishing Examples
2020 Tokyo Olympics Smishing
In 2020, a smishing campaign targeted fans of the Olympics by pretending to offer free or discounted tickets to the 2020 Tokyo Olympics if users clicked on a link. The link would then either attempt to download malware or ask the user to input personal details, such as bank account information.
Annual IRS Dirty Dozen List
Every year, the IRS posts what it calls its Dirty Dozen list, a list of common scams the IRS has seen used against taxpayers.
Included in this list are smishing attacks where the attacker claims to be able to assist the victim in doing their taxes and/or getting them a big discount, as well as attempting to scare the victim by claiming they’re at risk of being audited.
These smishing attempts often involve either the victim divulging sensitive financial information or paying large sums of money.
How to Protect Against a Smishing Attack
The primary way to avoid falling for a smishing attack is to be cautious and avoid clicking links that either look suspicious or come from individuals you don’t know.
1. Verify the Sender
If you receive a message from a sender that claims to be an organization or a friend or family member but looks suspicious, verify the sender. Most organizations publish a help line you can call to confirm whether they actually contacted you.
Do not ask the sender to provide you with this number. Instead, look it up on the organization’s website yourself. If the sender claims to be a friend or family member, message them through a different channel and ask for confirmation.
2. Don’t Click on Suspicious Links
If you receive a message that just consists of a link or the message contains a link that looks odd, do not click on it.
3. Guard Your Personal Information
Legitimate organizations and institutions will not request your sensitive or personal information via text message.
If you receive a message asking you to reply with details such as your credit card number or banking information, do not hand that information over. In addition, until you have verified the recipient’s identity, do not send personal information of any type.
4. Update Your Phone
Keep software, including your mobile operating system, up to date to help defend against the latest known threats.
5. Stay Educated
Keep informed about common smishing tactics and threats, and share this information with friends and family to help keep them safe as well.