Smishing – Text Messaging Gone Rogue

A Familiar Scenario 

A customer service representative at a community bank answers an incoming call. The caller claims they received a text message about their account from the bank, but states they aren’t a customer of the bank. The caller is confused and demands to know how the bank got their number and why the bank is sending unsolicited texts to their personal cell phone.

In reality, the bank didn’t send a text message to the caller. Criminals can obtain active cell phone lists for a particular area, then pose as a local business to indiscriminately send thousands of messages to every number on the list. The plan is to cast a wide net, hoping to snare as many victims as possible. The recipients and the impersonated organization are unfortunate victims of a growing criminal threat known as smishing (SMS phishing).

What is Smishing?

Smishing is a social engineering attack in which malicious text messages are sent to unsuspecting victims. The messages impersonate legitimate sources and entice targets to divulge personal information or unknowingly install malicious software on mobile devices.

Over 300 million smartphone users across the US send roughly 2 TRILLION text messages each year. However, smishing is still a relatively new attack method in comparison to phishing. With a lack of awareness and the sheer number of targets, it’s no surprise attackers are turning to smishing.

How Does Smishing Work?

Smishing is very similar to phishing, but targets cell phone numbers rather than email addresses. The messages are harmless unless acted upon. Smishing messages ask users to take additional action. By impersonating trusted senders, the requests may seem very normal and non-threatening. But beware of messages requesting these types of actions, as doing so might have devastating consequences: 

• Calling a Phone Number – The attacker provides a number for the victim to call, attempting to obtain more information from the victim. 
• Clicking a Link – The link directs the victim to a malicious website which may be used to steal login information or install malicious software on the victim’s device. Malware can spy on the victim, allowing the attacker to compromise additional accounts or information. 
• Resetting a Password – The attacker tricks the victim into setting a temporary password on an account, granting access to the attacker and locking out the victim. 
• Accepting an MFA Notification or Providing a Digital Code – The attacker may already have valid credentials but needs to bypass MFA controls. By performing these actions, the victim unknowingly grants access to the attacker. 
• Verifying Sensitive Information – The last 4 digits of SSN, security code on the back of credit cards, date of birth, email addresses, account numbers, etc. The attacker may already possess much of the victim’s information but may need additional details to fully compromise a target.
  
  

Smishing Content

Malicious actors can be creative when it comes to crafting a believable message. Though all messages should be scrutinized before taking action, certain topics have become popular for smishing. Users should take extra caution when reviewing these types of messages: 

• Messages about finances (banking, investments, retirement, etc.).
• Messages about package deliveries (Amazon, UPS, FedEx, etc.).
• Messages from tech companies (Apple, Google, Microsoft, etc.).
• Messages from public authorities or government agencies (IRS, FBI, Law Enforcement, etc.).
• Messages about newsworthy topics (Emergencies, Natural Disaster Aid, etc.). 
  
  

Red Flags

Texting has become so prevalent in our society that it’s commonplace to receive texts from retailers, banks, healthcare providers, schools, etc. Here are some additional tips to help users tell the difference between malicious smishing messages and harmless appointment reminders. 

• The sending phone number is unknown to the recipient. 
• The sending phone number is an email address. 
• The message implies a sense of urgency. 
• The message was unexpected. 
• The message contains poor spelling or grammar. 
• The message contains shortened URLs. 

Take a Stand

While there’s no solution to eliminate smishing, users can take the following precautions to safeguard themselves from threats: 

• Verify the message sender – Do not call a number provided in the message or the number displayed as the sender. Look up the individual or organization the message claims to be from, then contact them directly to confirm the message’s authenticity.
• Enable Spam Protection – Some phone manufacturers and carriers offer products or services to filter suspicious messages. Apps can also assist with preventing unwanted texts.
• Do not respond “STOP” – This may result in increased attacks.
• Report the message – Forward suspicious messages to SPAM (7726).
• Spread the word!

Stay Vigilant

Social engineering is an ever-present threat in the security landscape. Criminals are increasing efforts to target mobile devices via malicious smishing text messages.

Common message content, attack methods, and deceptive tactics can be helpful in identifying suspicious messages before any harm is done. User awareness is a key strategy to reduce the risk associated with smishing.