Cybercriminals use a plethora of techniques to breach systems, steal data, launch malware campaigns, and cause damage. One of the most popular tools of the trade is smishing. But what is smishing, how do smishing attacks work, and how can you keep safe?
What is smishing? The definition and meaning
To understand the meaning of smishing, we must first look at the more common term “phishing.”
Phishing is when a cybercriminal pretends to be someone they’re not (usually a person in a position of authority) and attempts to deceive you into giving up personal data or clicking a malware-infected link.
They could claim to be anyone, such as your boss, a coworker, a family member, or a trusted website. Basically, anyone who you would be automatically inclined to trust. Taking advantage of that inclination to trust, the cybercriminal hopes you will let your judgment slip and provide them with the personal data they need from you.
Phishing is when these deceptive acts are done via email. But the word is modified slightly for other platforms. When the scam is done in the form of an SMS message, it’s called “smishing.”
So, the official definition of smishing is when a criminal sends someone a deceptive SMS message with the intention of stealing personal data or infecting your device with malware.
Smishing vs. phishing vs. vishing: Understanding the differences
There’s not just phishing and smishing. There are several variations of this type of attack to wrap your head around.
Smishing
As we said above, smishing is when you receive a deceptive message in an SMS message from a person claiming to be someone you trust. But not just traditional SMS — smishing also applies to chat apps like WhatsApp, Telegram, and Signal.
Using whatever persona they’ve decided to use, the smisher will attempt to get sensitive information from you, such as your date of birth, social security number, user login details, and more. Or they may ask you to click a link, which would then infect your device with malware.
Phishing
Phishing is the email version of smishing. This deceptive approach is made in an email with the same request for information or the same link they want you to click on to be infected by their malware.
Often, phishers try to impersonate banks and other financial institutions, telling you that your account will be at risk unless you sign in by following the link they provide and change your password. Many email programs are now skilled at spotting these fake emails and sending them straight to spam.
Vishing
When this type of scam is conducted using a voice call over the phone, it’s called vishing. One new vishing scam involves someone calling pretending to be from the police. They tell the victim that a criminal is coming to rob them, and they are going to send colleagues to take the victim’s valuables into safekeeping for them.
This new form of vishing is surprisingly effective. Vishing can also apply to video calls.
Examples of smishing attacks
The main goal of a smishing attack is to get you to click on a malicious link or download a malware file. However, attackers may also use more personal SMS communications or direct you to fake online forms for you to fill out.
Common types of SMS attacks include:
- Health-related smishing scams
- Financial services smishing attacks
- Customer support smishing
- Gift smishing scams
- Fake lotteries
- Family or friends with urgent requests
- Fake law enforcement scams
- IRS officer frauds
The following are some of the most infamous smishing cases to date.
- 2020 Olympics Smishing Campaign: Olympics fans were targeted via SMS during the 2020 Olympics in Tokyo, Japan. This campaign attempted to sell fake tickets to the event and stole financial and personal information from victims in the process.
- 2020 U.S. Mail Smishing Attacks: In this attack, cybercriminals posed as representatives of the United States Postal Service to steal sensitive information via SMS.
- 2022 Verizon Smishing Campaign: In 2022, Verizon users were targeted in a unique smishing campaign in which hackers managed to send SMS that appeared to come from users’ personal phones. The campaign’s goal was for users to click on malware that was attached as a link in a message.
How common is smishing?
Smishing is very common. In fact, smishing attacks increased by 300% in 2020 as people started using technology even more actively during COVID lockdowns, Proofpoint reports. Since then, attacks have continued to rise, with a staggering 74% of companies saying they experienced smishing by 2021.
The reasons why smishing is so popular among cybercriminals are simple. For one thing, SMS attacks are cheap. They can be automated and done in bulk, resulting in millions of SMS sent daily. Plus, smartphones have become the device of choice for people worldwide.
What makes smishing attacks so effective?
Smishing works because of one simple factor – psychology.
People are, by nature, trusting people, and willing to listen to someone in a position of authority. If the bank calls and says the person’s money is in danger, naturally that person will listen.
If someone from the police gets in touch and says their colleagues are coming to collect the valuables because dangerous criminals are on their way, it’s natural to be fearful and take what you think is decisive action.
If someone claiming to be from the bank says “click this link and the problem goes away”, then what would you do? You’d click the link, wouldn’t you? You would want the problem to stop and be solved.
This is what smishers prey on. They prey on people’s good intentions, and their willingness to believe. Some will not believe it, but the criminals merely cut their losses, and move on until they find someone willing to believe what they’re being told.
It’s a numbers game. Eventually they’ll get a success.
How do criminals spread smishing attacks through SMS?
So how do these criminals do it? How do they spread these smishing attacks?
The first step is to get the numbers. Millions upon millions of numbers. Grabbing phone numbers from websites is one possible way they do it, but that would be extremely time consuming.
Instead, they most likely use software to randomly generate millions of possible number combinations. Some will work as phone numbers, others won’t. As we said, it’s truly a numbers game (no pun intended.)
Once the messages are mass-sent out to these numbers, the scammers employ a variety of methods to fool their potential victims. One is to clone the phone number of the actual person or company they’re trying to impersonate. So when you look at your caller ID, it looks as if the message is really coming from the official person or place.
The next method is to set up realistic looking websites that look almost like the website from the real person or company. Therefore, when you click on the link inside the SMS, you’re redirected to the scammer’s website. If their site looks identical to the real version of the site, most victims will likely not notice.
These websites will most likely have malware which will instantly jump onto the victim’s computer or mobile device. Malware which is under the control of the scammer.
But ultimately, everything rests on the SMS message. If it is unbelievable, then the rest of the scam fails. It’s here that the criminals ironically make the least effort. The messages are usually badly formatted with multiple typos. But the messages are designed to generate fear in the recipient, so most likely many people won’t look too closely at the text of the message. They’ll just respond.
How to identify smishing scams
If you know what to look for, identifying a smishing scam can be remarkably easy. Here are a few common signs.
Typos, grammar mistakes, and bad formatting
You know something’s up when the text of an email looks like something a 5-year-old would write. For many smishers, English is not their first language. Therefore, the writing may come across as stilted and unnatural. There may also be a lot of typos and basic grammar errors. Plus, the formatting of the message is often a mess.
To cap it all, the URLs of the links in these emails are often a giveaway. If someone claiming to be from Bank of America, for example, sends you a link that looks like “xhckft.com/click,” it’s a major red flag.
They’re trying to make you panic
Considering that their messages aren’t likely to win the Nobel Prize for literature, the last thing these smishers want is for you to look closely at the actual text. They just want to scare you and hope that your survival instincts kick in.
Messages like “YOUR COMPUTER IS INFECTED!” and “YOUR BANK ACCOUNT IS ABOUT TO BE SHUT DOWN!” are designed to instill panic in potential victims. Their hope is to get people to set aside their rational good judgment and make a slip-up.
They’re asking for information nobody would ask for
Why would your bank ask for your bank account number? Why would your credit card company ask for your card’s expiration date? Why would the police ask for your date of birth and social security number?
When you get an SMS message asking for personal information, ask yourself, “If this is really the person they claim to be, would they need to ask me for this information?” If the answer is no, it’s probably a smishing scam.
There’s always a link
If you get an SMS from an unknown person, and that SMS has a link, never click on it. It could cause malware to be downloaded onto your device, or it could lead to a site that will steal your data.
Instead of clicking on unsolicited links, call the person or company the email claims to have been sent from. Talk to someone to verify whether the SMS is legitimate.
More answers about smishing attacks
Let’s delve into other aspects of smishing, including some common questions about this type of scam.
Replying to a message won’t get you hacked. If all you do is reply, the worst you’ve done is confirm your phone number is real, meaning you will likely get further smishing attempts in the future. The threat of hacking only gets real if you click on a link or provide personal information in a message. The best policy here is to never respond to a text message from an unknown person. Simply delete it.
Just opening a text message will not release any viruses or malware. Again, the danger lies in the link provided in the message. If you click the link, malware may infect your computer or mobile device.
SMS phishing attacks can indeed lead to identity theft, but the scale of the damage will depend on the information you give them. Providing details like your full name, date of birth, social security number, PIN number, and so on can lead to your identity being stolen.
If you reveal your phone number on the internet, it can be swiped and used for smishing attacks. However, collecting numbers from the internet takes time and effort, so in many cases, software is used to generate millions of possible phone numbers. Some will work, and some won’t. These numbers will then be mass-texted, with scammers hoping for a reasonable amount of the numbers to work.
Yes, smishing is classified as a form of cybercrime, mainly because of the actions that follow after it. If the scammer steals your information under false pretenses, it’s theft and/or fraud. If they steal your information over a computer or a mobile phone, it’s computer fraud. Identity theft speaks for itself, and if an attacker uses your identity to commit further crimes, it gives the police more latitude in terms of what charges may be filed.
What does a smishing text look like?
A smishing text’s main intention is to look like a normal SMS message. However, the number that sends the message may be unknown or blocked. It may also be an international number or, more commonly, just seem strange.
A smishing text will attempt to impress a sense of urgency. Malicious SMS texts do not tend to be very long. They will have a link at the end of the message or in the middle. Additionally, links may be concealed inside the text. Smishing texts can also have attachments you will be urged to open or attachments concealed in links.
What happens if you click on a smishing text?
If you are being targeted in a real smishing campaign, there are endless possibilities of what can happen if you click on the text. As mentioned above, links may be hidden inside the text, so even if there seems to be no apparent link in the message, clicking it can have serious consequences. In short, clicking on a malicious message is like lighting a match that will start a fire.
Clicking on smishing texts can lead to:
- Stolen data and credentials
- Financial data leaks
- Stolen contacts
- Malware including spyware, adware, browser hijackers, ransomware, and much more
- The spreading of the attack to other devices, a network, or an organization
Can a scammer get your info if you text back?
Your best bet in an SMS attack is not to engage in any way. Just report and block the number. Responding to a smishing attack will inform the criminal that your number is active. This means you will continue to get more fake SMS. In addition, by responding to a text, even asking the person not to keep sending you messages, you risk getting the real attacker on the line, and some of them can be very convincing when it comes to scams.
While it is highly unlikely that your data will be stolen or that malware will infect your smartphone just by responding to a text, experts do not recommend replying, as hackers constantly improve the technology they use.
For example, when using Zero Click Attacks, hackers do not have to convince you to click on a link, go to a site, fill out a form, or download a file. In these types of attacks, just receiving the SMS can breach your phone. One technique used to automatically download malware into your phone via SMS without you engaging with the text is sending you a gif, which, when it plays, runs a series of commands to infect your mobile device.
How to protect yourself from a smishing attack
Despite the global wave of attacks, there are still several things you can do to prevent smishing from happening to you or, when it does happen, to at least mitigate the damage.
1. Never respond: Report and block
If you receive a smishing message, no harm is done as long as you don’t respond to it. Just delete it and go about your day. The danger begins when you do respond, whether it’s by providing the information requested or by interacting with a link provided.
The golden rule is to never respond to suspicious SMS messages. Block them, delete them, and report them to the real company or person, or to the police. By not responding, you are not validating your phone number for potential future attacks. And blocking the number prevents that number from messaging you again.
2. Use two-factor authentication
You can use several technologies to keep your smartphone safe from SMS scams. One of them is two-factor authentication (2FA). While 2FA will not stop malicious SMS from reaching you, it will protect you if you fall for a scam by giving your email, bank, work, and other accounts an extra layer of security. Make sure you activate 2FA on all your accounts.
3. Download trusted antimalware
Just like 2FA, antimalware cannot prevent an attacker from sending out SMS, but it can do a lot for your security. If you do download malware or visit malicious sites, efficient antimalware software will flag the threat and might even block you before you take action. On the other hand, if malware finds its way into your smartphone, professional antimalware that runs scheduled scans or is in live monitoring mode will detect the malware automatically and remove it.
4. Check and verify the source
It’s always a good idea to check and verify the source of an SMS. Note that this doesn’t mean you should call the attacker’s number. Rather, if you receive a message that appears to be from your bank, contact the bank through official channels to check and verify that they sent you a message.
What to do if you fall victim to smishing
If you have already experienced a smishing attack, here are some tips to guide you through the process.
1. Remain calm
It’s essential that you remain calm if you fall for a smishing trick. Having a clear head will prevent you from taking actions that can lead to further damage, like deleting files or accounts or resetting your phone. Remember that it’s best to keep calm and push on through.
2. Change your passwords
You should change all your passwords, whether the attacker managed to get away with your credentials or not. And to further increase your security, after you change your passwords, activate 2FA. And, as mentioned above, make sure you report and block the number.
3. Contact the official organization
Suppose the attacker posed as your financial organization, employer, government agent, or other official organization. In that case, you should contact them and let them know that someone is impersonating them illegally. If you have given away credentials, you should also let the affected organization know. If the attacker managed to get your credit or debit card numbers, cancel the cards and get new ones.
4. Download and scan your phone with trustworthy antimalware
If you don’t have antimalware installed on your mobile device, now would be the best time to get one. Antimalware can help you find and remove any malware that an attack may have left on your smartphone. Always use trusted, professional, and high-rated security apps.
5. Check for suspicious activity
You should remain vigilant for a few weeks after the attack, looking for any suspicious or out-of-the-ordinary events. This includes monitoring your bank balance, financial activity, emails (sent and received), call logs, smartphone performance, etc.
Mobile cyber attacks like smishing will continue to multiply as smartphones play an increasingly significant role in our daily lives. Hackers will always find new ways to convince you to engage with them over SMS, so stay informed and take the best steps toward a safer digital life. And to find out more about various types of phishing attacks, check out our article on whaling, the phishing that targets high-ranking individuals.
