Smishing and SMS Attacks Explained, and How to Prevent Them
Today, nearly everyone has a smartphone, and nearly everyone uses text messages. Texting has also grown into something more than instant messaging. Businesses across the globe use text messaging to communicate with their customers, whether to provide order status and updates, for marketing purposes such as new products and promotions, or even as a channel for two-factor authentication when logging in.
Text messaging has proved to be quite useful and heavily integrated into our daily lives. But did you know that cyber criminals can take advantage of your text messages to carry out malicious activities?
A new form of cyber attack is on the rise, and it all starts with a simple text. It’s called “Smishing.”
Smishing, AKA cyber attacks through text messaging, is one of the most heinous forms of cyber security breach today, and unfortunately, not enough people are talking about it. In fact, according to a recent study conducted by Proofpoint, less than 35% of the population is aware of smishing and what it truly is. Luckily for you, we are part of that 35 percent, and we’re helping to get the word out!
Smishing, which sounds a lot like email phishing, works in a very similar way to its e-counterpart. With smishing, an attacker poses as a credible company through text message as a way to obtain your personal information.
You’ve probably seen something like this before.
- “Hey, it’s your company’s bank, with some important news about your account. Please respond with your PIN number for more information.”
- “Hi, it’s Amazon, with a question about your recent order. Click the link to login to your account.”
- “Hello, this is Mike from the Your Vehicle’s extended warranty department…”
With these texts, there is usually a link attached to the message or a request for personal information, and the attackers receive whatever information you choose to share in reply.
What Does Smishing Look Like?
Smishing comes in many forms, but they almost always look like a legitimate notification from a trusted provider. They’ll use the same language and formatting as an actual text, and even identify themselves as coming from the company. Links, meanwhile, tend to be shortened so that the recipient cannot verify the legitimacy of the link before clicking.
These are all clever, malicious tactics cyber attackers are using, and it’s important you are aware!
Below is a real example that one of our clients actually received.
Some smishing scams, like the one above, create a sense of urgency to pull information from you. Because they present themselves as coming from a brand or situation you might actually be involved in, you are more likely to click or engage.
These types of texts might look like:
- “Your bill is overdue, please pay it here.”
- “There has been suspicious activity on your account. Please verify your information to recover your account.”
- “The IRS is missing information, please verify immediately!”
Other SMS cyber traps, meanwhile, tend to act as if they’re providing free products, services or discounts. Some examples of this include:
- “You’ve won a free iPhone 13! Click here to redeem your gift.”
- “You may be eligible to receive an additional refund from the government.”
- “Someone has sent you a gift; accept the gift by visiting [provided link].”
6 Red Flags to Catch Scam Text Messages.
Unlike emails, text messages are much harder to verify as legitimate, since they carry very little context, formatting, or other indicators to check against. However, there are several red flags that you should look out for whenever you receive an unexpected text message you are unsure of.
- Avoid texts that ask you to verify personal information. No trusted provider will ever ask you for your username and password.
- Be cautious of texts with shortened links. In several smishing text messages, you may see a shortened link, such as ones provided by Bit.ly, or one with random numbers and letters. If a sender requests you to complete an action with a short or unusual-looking link, they are likely masking the link to prevent you from discerning that it will take you to a malicious website.
- Treat typos and strange message formatting with skepticism. For the most part, official companies will not send out text messages with typos. They are also highly unlikely to send texts with words that are bolded or italicized. Scrambled letters and formatting errors are an almost immediate indication of scamming.
- Use caution with text messages from odd-looking phone numbers: Sometimes attackers will claim that they are sending an automated text. However, in most cases, legitimate automated messages come from 5- or 6-digit numbers (short codes). If you’re ever unsure about a phone number, you can look the number up on Google to see if it is legitimate. If the text comes from a number that cannot be verified, it is likely a scam.
- Skip phone numbers that don’t match the company number: When you verify phone numbers online, you can also see whether the number texting you looks anything like the phone number found on the company’s website. If they look drastically different, chances are someone who should not be trusted is behind the text message. You can also call the official company number to verify legitimacy, and/or let them know an attacker is posing as them.
- Keep away from messages that are out of context: When a legitimate company sends you a message, you should know right away who it’s from and what it’s about. If instead you are left confused after reading the text and are questioning your involvement with it, chances are it’s an attacker.
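The red flags above can be turned into a simple screening rule set that a mail or SMS gateway, or a help-desk triage script, could run over reported messages. The following is an added example, not part of the original article: the regexes, brand list, allowlisted short codes and sample messages are all constructed assumptions, and red flag 6 (out of context) is left to a human because it depends on the recipient’s own history.

```python
import re

# Rule-based screener for the six red flags above (example code, not from the
# article). Word lists, brand list and sender numbers are constructed assumptions.
CREDENTIAL_RE = re.compile(r"\b(pin|password|passcode|ssn|social security|card number)\b", re.I)
SHORTENER_RE = re.compile(r"https?://(bit\.ly|tinyurl\.com|t\.co|goo\.gl|is\.gd|ow\.ly)/\S+", re.I)
# A host name containing digits ("chase-secure-4471.com") counts as an odd-looking link.
ODD_HOST_RE = re.compile(r"https?://[a-z0-9.-]*\d{2,}[a-z0-9.-]*\.[a-z]{2,}(/|\b)", re.I)
URGENCY_RE = re.compile(r"\b(immediately|urgent|suspended|overdue|within 24 hours|act now)\b", re.I)
# SMS has no bold/italic; scammers fake it with Mathematical Alphanumeric Symbols.
FAKE_FORMAT_RE = re.compile(r"[\U0001D400-\U0001D7FF]")
SHORT_CODE_RE = re.compile(r"^\d{5,6}$")
BRAND_RE = re.compile(r"\b(amazon|irs|usps|fedex|paypal|chase)\b", re.I)
# Constructed allowlist: brand -> short codes that brand is known to text from.
KNOWN_SENDERS = {"amazon": {"55512"}, "chase": {"55534"}}


def screen_sms(sender: str, text: str, known=KNOWN_SENDERS) -> list:
    """Return the red flags one message raises; an empty list means none fired."""
    flags = []
    if CREDENTIAL_RE.search(text):                              # red flag 1
        flags.append("asks_for_personal_info")
    if SHORTENER_RE.search(text) or ODD_HOST_RE.search(text):   # red flag 2
        flags.append("shortened_or_odd_link")
    if FAKE_FORMAT_RE.search(text) or text.count("!") >= 2:     # red flag 3
        flags.append("strange_formatting")
    if URGENCY_RE.search(text):                                 # urgency tactic
        flags.append("false_urgency")
    digits = re.sub(r"\D", "", sender)
    brand = BRAND_RE.search(text)
    if brand and digits not in known.get(brand.group(1).lower(), set()):
        flags.append("sender_not_company_number")               # red flag 5
    elif not brand and not SHORT_CODE_RE.match(digits):
        flags.append("unverified_sender")                       # red flag 4
    # Red flag 6 (out of context) depends on the recipient's history; left to a human.
    return flags


# Constructed sample messages, not real traffic.
SAMPLES = [
    ("+1 (555) 013-7700", "Chase: your account is suspended. Verify your PIN "
                          "immediately at https://bit.ly/3xChAse"),
    ("55534", "Chase: your statement is ready at https://www.chase.com/statements"),
    ("+1 555 013 2299", "\U0001D5D9\U0001D5E5\U0001D5D8\U0001D5D8 iPhone 13! "
                        "Claim it! https://prize-win-2021.com/claim"),
]


def screen_samples() -> dict:
    """Map each sample sender to the flags its message raised."""
    return {sender: screen_sms(sender, text) for sender, text in SAMPLES}
```

The allowlist is the part that needs real data: it should be populated from the short codes a company publishes on its own site, which is exactly the check red flag 5 asks a person to make by hand.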
Take the Right Steps After Receiving a Malicious Text Message.
If you aren’t confident that a text message is real, block the number the text came from and delete the message to prevent any accidental clicks on the fraudulent link.
As a precautionary step, report the phone number and scam message to 7726, which forwards spam messages to the major phone carriers, including AT&T, Sprint, T-Mobile, and Verizon. Cyber security teams at these organizations are working hard every day to track down attacker phone numbers and prevent them from sending any more smishing attacks.
I Missed the Red Flags and Clicked the Link. What Should I Do?
First, do not panic; everyone makes mistakes.
In the event you clicked on a smishing link, or if you provided any personal information to an attacker, be sure to report it immediately.
- Forward the message to 7726 as previously discussed, and contact all institutions related to the information you just shared.
- Change all passwords and PINs, regardless of whether they are connected to the information you shared.
- If you provided any financial information, keep an eye out for any suspicious activity on your bank accounts, and report anything that stands out to the appropriate institution immediately.
- If this happened on a company device, be sure to follow company procedures on handling a data breach.
Additional Steps to Take in the Event of Smishing.
If you are ever unsure of a text message, or if you have landed yourself in a predicament by clicking the wrong SMS link, you should also have a trusted cyber security partner available to answer questions and help protect your information.
Need an answer to a question today? Contact RedPanda Systems! Our team will guide you through the best course of action for the future, or help you take the right steps to solve a problem today.