Smishing is a form of phishing that uses mobile phones as the attack platform. The criminal executes the attack with an intent to gather personal information, including social insurance and/or credit card numbers. Smishing is implemented through text messages or SMS, giving the attack the name “SMiShing.”
Smishing attacks use short message service or SMS, more commonly known as text messages. This form of attack has become increasingly popular due to the fact that people are more likely to trust a message that comes in through a messaging app on their phone than from a message delivered via email.
Although many victims don’t equate phishing scams with personal text messages, the truth is that it is easier for threat actors to find your phone number than your email. There is a finite number of options with phone numbers – in the U.S, a phone number is 10 digits.
Compare this to an email address, which is not limited by size, although there is a reasonable number of expected characters. Emails can include numbers, letters, and symbols – !, #, and %, for example. It is much easier to string together ten random digits to reach a victim than it is to connect to a person via an email address.
The hacker can simply send messages to any combination of digits that is the same length as a phone number. They can try any and all combinations of digits with no harm, no foul. Gartner reports that users read 98% of text messages and respond to 45%. This makes text very logical for hackers to use as an attack vector, especially when, as reported by Gartner, only 6% of emails receive responses.
With a text message, the hackers might try to accomplish many different things. This includes stealing personal details from you by posing as a representative from your bank. They could try to get you to click on a link in the text message to connect to your bank’s webpage and verify a recent suspicious charge. They may ask you to call their customer service number, conveniently included within the text message, to talk to them about a recent suspicious charge or a compromised account.
Hackers also attempt to use sympathetic measures to gather sensitive information. An example includes messages regarding hurricane relief where the threat actor asks you for a charitable donation. The hacker asks you to click the included link and enter your credit card information, address, and often, your social insurance number. Once the hacker obtains your credit card number, the criminal can even charge your credit card on a monthly basis to avoid alarming you.
Another example of a smishing attack is an offer from your provider proposing a discount on a service or phone upgrade. The message urges you to click the provided link to activate the deal. Once on the spoofed webpage that looks like your provider’s website, the site asks you to confirm your credit card number, address, and possibly social insurance number. Remember, if it sounds too good to be true, it probably is.
Phishing using instant messenger freeware like Facebook Messenger or WhatsApp does not technically fall under smishing, but it is closely related. The hacker exploits the growing comfort level users have with opening messages from and responding to strangers through social media platforms.
Like a true phishing scheme, the goal of the attack is for you to provide personal data, including passwords and/or credit card numbers, to the threat actor. To obtain such information, the attacker may offer you a deal or something of value. A clickable link is often included with such offers.
While a message from a stranger looking for information is often a good indicator of a possible instant messaging phishing scheme, these attacks can appear to come from people you know and are already connected to. This often happens when a social media contact‘s account has been hacked into or spoofed.
Hackers will send text messages that appear to be from your bank, warning you about suspicious activity or asking you to verify account details. If the victim clicks the link in the alert, they will be brought to a fraudulent website which is designed to steal their login credentials, passwords and financial information.
In these scams, cybercriminals pretend to be government agencies, such as the IRS or local law enforcement. They may claim that the recipient owes fines or taxes, prompting them to click a link or provide personal details to avoid penalties.
Attackers often impersonate shipping companies like FedEx or UPS, informing victims of issues with a package delivery. Victims are asked to pay a fee or provide login details to resolve the problem, which leads to the theft of personal or payment information.
In this type of smishing, scammers pose as customer service agents from well-known companies like Amazon or Microsoft. They claim there is an issue with the victim's account or offer fake rewards, directing victims to phishing websites to steal personal or financial details.
Hackers will pretend to have mistakenly sent you a text that was meant for someone else. Once you respond, they engage in conversation, slowly building trust before attempting to trick you into sharing personal information or sending money.