What is smishing and how to prevent it

Smishing is a type of electronic fraud, similar to email phishing, where fraudsters send SMS messages to potential victims, pretending to be from legitimate companies, in an attempt to steal personal information or spread malware.

Much like a fisherman using realistic bait to attract a fish to their hook, the fraudster will capture people’s attention with a variety of tactics designed to engage them without arousing their suspicions.

Smishing is simply the SMS equivalent of phishing in that the ‘bait’ message is delivered by SMS rather than email.

This means that the receiving device will most likely be a mobile rather than a PC, so any malware included in the attack will be designed to infect a mobile device and spread via the phone’s contacts.

Smishing messages will also be delivered via the mobile network rather than the internet, so a different set of security solutions have to be put in place to combat attacks (more on this later).

Effective smishing attacks rely on a recipient taking an action that they would not otherwise have done. This could simply be clicking on a link in an SMS message, or submitting private information by return SMS or via a fake landing page.

Scammers have a number of ways of persuading people to take this action, including impersonating trusted brands or using multi-stage social engineering tactics that exploit harvested data or information provided in the initial approach to make the final attack more believable. This could be anything from a name and address to an account number.

There are broadly three types of smishing attacks ranging from borderline-legal guerrilla marketing tactics, all the way through to sophisticated multi-stage criminal attacks that can have significant financial impact on victims.

In the grey area of the law a business may contact a person pretending to be, or simply suggesting that they are a well-known brand that the person already knows and trusts. The victim in this case is deceived into viewing a product or offer that they would not otherwise have paid any attention to.

Is this a crime? Certainly, it is illegal to directly impersonate a trademarked brand, but unscrupulous companies bend the law by using similar branding and messaging to established businesses.

This type of attack is malicious but has limited sophistication. Again, recipients are fooled into believing that the message is from a legitimate source, but this time the link they are encouraged to click on will download malware onto the device that could infect it and potentially distribute itself automatically via the phone’s contact list.

A recent example of this was the Flubot which targeted android devices and was designed to steal online banking details and other private data. It took an international initiative involving the police forces of eleven countries to put a stop to it.

All modern smart phones whether Android or iOS will have security features that stop the silent downloading of malware, but these features are far less effective when users voluntarily download something or provide their personal data to a third party through deceit.

The most brazen, sophisticated, and costly form of smishing is where fraudsters mimic messages from legitimate businesses to their customers, encouraging them to visit a fake landing page where they are instructed to enter personal information and login credentials. These details are then stolen and used by criminals to access the real accounts.

These landing pages use one-off or very short-lived URLs which make them almost impossible to trace.

Again, the most successful smishing attacks will include coordinated social engineering tactics that make use of known data to make them more believable. Harvested information will often be stored and used in a later attack. After sufficient time has passed the victim will not put two and two together and realize that they are getting scammed.

Victims of smishing attacks may rightly ask how their number fell into criminal hands. Unfortunately, there are all sorts of ways this can happen as we provide our mobile number to all types of organizations every day of our lives.

Now that you know what it is, what does a smishing text look like? There are many flavors of message but the one thing they have in common is a strong prompt for the recipient to take an action. Usually they are offering you something attractive, or alerting you to something bad that could cost you financially, or cause embarrassment if you don’t act soon. The sense of urgency encourages victims to act quickly without giving it much thought.

Here are six well known examples – though the list is by no-means exhaustive. Scammers are very good at adapting and unscrupulously using current events like the war in Ukraine or a crypto crash to add legitimacy to their scams.

Starting on the less sophisticated (and less plausible) end of the spectrum, we have all had messages that promise an unexpected boost to our bank balances. Ranging from lottery wins to inheritances from unknown relatives or even Nigerian royalty. It seems that the carrot of a big pay day is enough to make some people drop their guard and click on a link or provide personal information.

This approach has grown in prominence over the past two years as so many more people are shopping online, and retailers have rushed to roll out new SMS notification use cases. Fraudsters have been quick to exploit this opportunity and create very realistic messages from retailers and delivery companies that flag ‘an issue with your delivery’. They may ask the recipient to pay additional delivery charges or enter their login credentials to get more information about the problem.

Ironically, one of the most successful smishing tactics is for fraudsters to mimic a message from a bank flagging unusual activity on the customer’s account. These messages are easy to copy as they follow a consistent format and as there are a limited number of retail banks, there is a high probability that recipients will recognize their own bank as the sender.

The message will likely encourage the person to change their password to prevent any further fraudulent activity. Clicking on a link in the message takes the user to a fake login page where they are asked for their login credentials to change their password.

With these details the criminals have a window of opportunity to login themselves and transfer money from the account before the victim notices. Many banks are becoming wise to this tactic and incorporating 2FA checks when an account is accessed from a new device, or the requested amount goes above a certain threshold.

This approach uses some very basic social engineering tactics to exponentially improve the effectiveness of the smishing attack. If a message includes the name and details of a person we know and trust, then we are far more likely to believe that it is legitimate.

All the scammers have to do is to scrape victims’ social media accounts to work out who their close friends or business acquaintances are, and then use this information. Perhaps by offering them a job, an unmissable business opportunity, or an invitation to an event that would be right up their street.

People seem to lose their sense of perspective when faced with the possibility that there is an unflattering picture of them on the internet. A very successful tactic has been SMS messages that claim to be from a social-media Samaritan alerting the person about something they wouldn’t like :

“You won’t believe the photo that Muhammad tagged you in on Facebook! Check this out….”

This callous tactic preys on the good intentions of people. When there is a prominent event in the news like a natural disaster, a war, or a refugee crisis, the scammers will use this as a way of persuading people to donate money or provide personal information that can then be used fraudulently.

As the sophistication of smishing attacks grows and it becomes even more difficult for mobile subscribers to recognize them, it becomes the responsibility of telecom operators to block them before they reach their customers. It is in their own interest to take a proactive approach. Successful attacks will erode confidence in A2P messaging, causing customers and the brands they buy from to move away from SMS and therefore reduce revenue opportunities.

Luckily mobile operators have an ally in the fight. By partnering with the right vendor they can access both the SMS firewall technology and expertise to help secure their mobile eco-systems. We already work with over 120 telecoms around the globe and help to protect over 1.1 billion mobile users with a rich set of tools that include:

Just as important as the features they provide, our SMS firewalls are backed up by a global team of intelligence and security experts. In such a constantly evolving space, it is these people’s job to detect new types of threat and ensure that we can help to protect against it.

Join the growing list of telecom providers that are providing the best possible security for their subscribers.