The term smishing consists of the words “SMS” and “phishing”. In a way similar to phishing, cyber criminals impersonate representatives of a trustworthy company or organisation. Instead of emails, however, attackers use SMS (Short Message Service) – in other words, text messages – in order to convince the victim to disclose account information or to unknowingly install malware and trojans.

Even if the definition of smishing may make it sound like a small risk, a phishing SMS can be hard to identify. Cyber criminals deliberately play with a victim’s emotions in order to pressure them into making irrational decisions. In our guide, we explain how smishers operate, show you what SMS phishing typically looks like, and describe how to verify the authenticity of text messages.

SMS phishing in practice: how scammers operate

Smishers have developed different ways of operating in order to get their hands on smartphone users’ data. The basic model, however, is usually the same: the scammer impersonates either a company representative or an acquaintance, and tells a story that aims to persuade the victim to disclose their personal data or download harmful software. This element is essential for successful smishing and is referred to as social engineering. The attacker tries to establish a trusted relationship to ensnare the victim emotionally. The targeted person is supposed to get the feeling that now is the time to throw caution to the wind and follow the scammer’s instructions.

In the following sections, we introduce the most distinctive components and content types of SMS phishing to show how fraudulent text messages work and what one must pay attention to in order to verify the authenticity of a text message.

Example 1: Phishing SMS with download link to harmful software

The classic example of SMS phishing is a short text message written in a way that suggests it comes from a friend. The message is supposed to generate curiosity and may ask the recipient to click on a link contained within the SMS. Once a person clicks on the link, they unwittingly launch an automatic download in the background of their operating system, which will give the attacker access to their smartphone. Professional smishers have mastered the art of hiding such downloads, and users won’t notice them at all. As a result, their personal data will be handed over without them knowing.

Example 2: The SMS redirects to a fake form

Email phishing tactics direct people to a website that contains a form to be filled out. Smishing operates in a similar way: criminals send a text with a link which in turn redirects the recipient to a form. When they enter their personal data, it is sent directly to the scammer. This smishing technique is popular with criminals trying to obtain users’ bank account or credit card information. The SMS will typically point to a (fake) security problem that supposedly requires the recipient to enter their data immediately to rectify the issue.

Example 3: Spear smishing using an individual’s information

With spear smishing, the attack targets a specific individual. For this purpose, attackers assess the victim’s profile on social media networks, for example, and on that basis design bespoke phishing text messages that contain personal data and, thus, are perfectly tailored to the victim. As with spear phishing, which uses personalised emails, this method allows the attacker to create a higher degree of credibility.

Example 4: Smisher impersonates a customer service employee

SMS phishing is also used to redirect victims to an alleged company hotline. A text instructs the recipient to contact a customer support hotline via a specified number. As soon as the scammer is on the line, they will try to elicit information from the caller. The advantage for the scammer here lies in their increased credibility. Many people are justifiably mistrustful of having to enter personal data into an online form. The indirect route via a telephone hotline suggests respectability. Vishing (voice phishing) works in a similar way: criminals attempt to capture sensitive data via voice-over-IP calls that they initiate.

How to prevent smishing

SMS phishing methods always focus on a pressing issue or event that requires immediate action or attention from the victim. That is why one should never react to a text message on impulse and should instead thoroughly inspect its contents. We have compiled the most important criteria to help distinguish a real SMS from a phishing SMS. The central question should always be: how trustworthy are the sender and the content of the SMS?

Tip 1: Check the SMS for spelling and grammar mistakes. Cyber criminals often work internationally and utilise translation tools. This often becomes apparent in the text messages they send.

Tip 2: Check the sender’s telephone number to be sure that it really belongs to the alleged company. Keep in mind, however, that a real phone number doesn’t automatically translate into a trustworthy message. Smishers can utilise spoofing to make phone numbers appear real.

Tip 3: Ask yourself on which occasions SMS would be an appropriate communication tool. If, for example, your bank account had been compromised, a financial institution would be highly unlikely to text you. Similarly, the probability of receiving an SMS notification for a contest you have won is close to zero.

Tip 4: Never share financial or payment information using a web form received via SMS. Similarly, never click on links from unknown senders or from those whom you do not trust. Remain mistrustful of text messages that convey great urgency.

Tip 5: Install an anti-virus program on your smartphone and perform regular updates. Though security software cannot guarantee that your smartphone won’t become infected with harmful software, it does offer an added level of security that you should not go without.
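As an added example that is not part of the original guide, the following Python helper turns the checks above into a simple triage routine for incoming text messages: unknown sender (Tip 2), an embedded link and a request for payment or account data (Tip 4), and urgency wording. The keyword lists, the sender allowlist and the sample messages are constructed for illustration; a matching sender only clears one flag, since sender numbers can be spoofed.

```python
import re

# Added example: heuristic triage of an SMS against the checks in Tips 2-4.
# Keyword lists, the sender allowlist and the sample messages are constructed.
URGENCY_RE = re.compile(
    r"\b(?:immediately|urgent(?:ly)?|now|suspended|locked|final notice|within 24 hours)\b", re.I)
FINANCIAL_RE = re.compile(
    r"\b(?:card|account|pin|password|iban|payment|verify your details)\b", re.I)
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)

def triage_sms(sender: str, text: str, known_senders: set[str]) -> dict:
    """Return per-check flags, a risk score and a verdict for one SMS.

    A known sender only clears the unknown_sender flag; it is NOT treated as
    proof of legitimacy, because sender numbers can be spoofed (Tip 2).
    """
    flags = {
        "unknown_sender": sender not in known_senders,
        "has_link": bool(URL_RE.search(text)),
        "urgency": bool(URGENCY_RE.search(text)),
        "asks_financial_data": bool(FINANCIAL_RE.search(text)),
    }
    score = sum(flags.values())
    # A link paired with urgency or a request for payment data is the pattern
    # behind Examples 1, 2 and 4 above, so that combination weighs extra.
    if flags["has_link"] and (flags["urgency"] or flags["asks_financial_data"]):
        score += 1
    verdict = "suspicious" if score >= 3 else "review" if score == 2 else "likely ok"
    return {**flags, "score": score, "verdict": verdict}

# Constructed allowlist of senders the phone owner expects messages from.
KNOWN_SENDERS = {"+15550100", "MYBANK"}

# Constructed sample messages (not real smishing text).
SAMPLES = [
    ("+15550199", "Your account has been locked. Verify your details "
                  "immediately at http://mybank-secure.example/login"),
    ("MYBANK", "Your statement for March is ready in the app."),
    ("+15550123", "Hey, are we still on for lunch tomorrow?"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        result = triage_sms(sender, text, KNOWN_SENDERS)
        print(f"{sender:>11} -> {result['verdict']} (score {result['score']})")
```

The first sample trips every check and scores 5, while the personal message from an unknown number scores only 1, which is the point of weighing the checks together rather than reacting to any single one.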
