Smishing: SMS Phishing Scams and How to Protect Yourself
Introduction
Have you ever received a text message from an unknown number, claiming that you have won a prize, that your bank account has been compromised, or that you need to confirm your delivery details? If so, you may have been a target of smishing.
Smishing is a type of phishing attack that uses text messages (SMS) to trick users into revealing their personal information, such as passwords, credit card numbers, or bank account details. SMS Phishing is a serious threat that can lead to identity theft, financial loss, or malware infection.
In this article, we will explain what smishing is, how it works, why it is so dangerous, how common it is, and what types of SMS Phishing attacks are out there. We will also give you some tips on how to protect yourself from smishing attacks and how to report them if you encounter them.
What is Smishing?
Smishing is a portmanteau of SMS and phishing. Phishing is a cybercrime that involves sending fraudulent emails or messages to users, pretending to be from a trusted source, and asking them to provide personal information or click on malicious links.
Smishing is a form of phishing that uses text messages instead of emails. Smishing attackers will often use spoofing techniques to make their text messages appear to be from legitimate companies or organizations, such as banks, delivery services, government agencies, or lottery companies.
The goal of SMS Phishing is to deceive users into thinking that they are interacting with the real source, and then trick them into entering their personal information, such as passwords or credit card numbers. Attackers can then use this information to access the user’s accounts, steal their money, or commit identity theft.
How does Smishing work?
Smishing attacks typically work in one of two ways:
- Malicious links: SMS Phishing attackers will send text messages that contain a link to a fake website. The fake website will look identical to the real website of the legitimate source. When users click on the link, they will be taken to the fake website, where they will be asked to enter their personal information.
- Malicious attachments: Smishing attackers will send text messages that contain an attachment, such as an image or a document. The attachment will contain malware, such as spyware or ransomware. When users open the attachment, they will infect their device with the malware.
Why is Smishing so dangerous?
Smishing attacks are so dangerous because they can be hard to detect. Text messages are often considered more trustworthy than emails, and users may not pay attention to the sender’s number or the content of the message. Users may also be more likely to respond quickly to text messages than emails, especially if they are urgent or enticing.
SMS Phishing attacks can have serious consequences for users, such as:
- Losing money: If users enter their credit card numbers or bank account details on a fake website, attackers can use them to make unauthorized transactions or withdraw money from their accounts.
- Losing access: If users enter their passwords or log-in credentials on a fake website, attackers can use them to access their accounts and lock them out.
- Losing identity: If users enter their personal information on a fake website, attackers can use it to impersonate them and commit identity theft.
- Losing data: If users open an attachment that contains malware, attackers can use it to access their device and steal their data or encrypt it and demand a ransom.
- Losing reputation: If users respond to a smishing message that claims to be from a colleague or a boss, attackers can use it to damage their professional relationship or reputation.
How common is smishing?
Smishing is a very common and growing threat. According to a report by Proofpoint, a cybersecurity company, smishing attacks increased by 328% in 2020 compared to 2019. The report also found that 84% of organizations experienced at least one successful smishing attack in 2020.
The rise of smishing can be attributed to several factors, such as:
- The popularity of mobile devices: More and more people use mobile devices for online activities, such as shopping, banking, or social media. This makes them more vulnerable to smishing attacks.
- The low cost and high return of smishing: SMS Phishing attackers can send thousands of text messages at a low cost and reach a large number of potential victims. Even if only a small percentage of users fall for the scam, the attackers can still make a lot of money.
- The lack of awareness and protection: Many users are not aware of the risks and signs of smishing attacks. They may not have adequate security software or settings on their devices. They may also not know how to report SMS Phishing attacks or where to get help if they become victims.
Examples of smishing attacks
There are many examples of smishing attacks that have been reported in the past few years. Some of the most notable ones are:
- The Netflix smishing scam: In 2019, smishing attackers sent text messages to Netflix users, claiming that their account was suspended due to a payment issue. The text messages contained a link to a fake Netflix website, where users were asked to enter their credit card details and personal information.
- The COVID-19 smishing scam: In 2020, SMS Phishing attackers took advantage of the COVID-19 pandemic and sent text messages to users, claiming that they had been exposed to the virus or that they were eligible for a vaccine. The text messages contained a link to a fake website, where users were asked to enter their personal information and pay a fee.
- The Amazon SMS Phishing scam: In 2021, smishing attackers sent text messages to Amazon users, claiming that they had won a prize or that they had a delivery issue. The text messages contained a link to a fake Amazon website, where users were asked to enter their personal information and credit card details.
Types of smishing attacks
Many types of smishing attacks can target different users and scenarios. Some of the most common ones are:
- Delivery notifications: Smishing attackers will send text messages that claim to be from a delivery service, such as FedEx, UPS, or DHL. The text messages will say that the user has a package waiting for them or that there is a problem with their delivery. The text messages will contain a link to a fake website, where the user will be asked to enter their personal information and pay a fee.
- Bank/credit card alerts: Smishing attackers will send text messages that claim to be from a bank or a credit card company, such as Chase, Bank of America, or Visa. The text messages will say that the user’s account has been compromised or that there is suspicious activity on their card. The text messages will contain a link to a fake website, where the user will be asked to enter their account details and password.
- Raffle wins: Smishing attackers will send text messages that claim to be from a lottery or a sweepstakes company, such as Powerball, Mega Millions, or Publishers Clearing House. The text messages will say that the user has won a prize or that they have been selected for a draw. The text messages will contain a link to a fake website, where the user will be asked to enter their personal information and pay a fee.
- Password resets: Smishing attackers will send text messages that claim to be from an online service or platform, such as Google, Facebook, or Netflix. The text messages will say that the user’s password has been reset or that they need to verify their account. The text messages will contain a link to a fake website, where the user will be asked to enter their email address and password.
- Tax season scams: Smishing attackers will send text messages that claim to be from the IRS or other tax authorities. The text messages will say that the user has made an error on their tax return or that they are eligible for a refund. The text messages will contain a link to a fake website, where the user will be asked to enter their social security number and bank account details.
- CEO fraud: Smishing attackers will send text messages that claim to be from the user’s boss or colleague. The text messages will say that the user needs to make an urgent payment or transfer money to an account. The text messages will contain a link to a fake website, where the user will be asked to enter their bank account details and password.
- Ridiculous messages: SMS Phishing attackers will send text messages that are absurd or nonsensical, such as “Your pizza is ready” or “You have been chosen by aliens”. The text messages will contain a link to a fake website, where the user will be asked to enter their personal information and credit card details.
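Most of the lures listed above share one checkable trait: the message names a known brand, but the link points somewhere other than that brand's own domain. The following Python sketch is an added example, not part of the original article; the brand allow-list, the keyword lists and the sample messages are constructed assumptions, and the check is a triage heuristic rather than a complete filter.

```python
import re
from urllib.parse import urlparse

# ASSUMPTION: illustrative brand -> official domain allow-list, not exhaustive.
OFFICIAL = {"fedex": {"fedex.com"}, "amazon": {"amazon.com"},
            "netflix": {"netflix.com"}, "irs": {"irs.gov"}}
# Lure categories follow the article's list; the keywords are assumptions.
CATEGORIES = {
    "delivery": ("package", "delivery"),
    "bank_alert": ("suspicious activity", "account has been compromised"),
    "prize": ("won", "prize"),
    "password_reset": ("password", "verify your account"),
    "tax": ("tax return", "refund"),
    "ceo_fraud": ("urgent payment", "transfer money"),
}
URL_RE = re.compile(r"https?://\S+", re.I)

def has_word(term, text):
    # Whole-word match so "won" does not fire on "wonder".
    return re.search(rf"\b{re.escape(term)}\b", text) is not None

def host_is_official(host, domains):
    # Exact domain or true subdomain only; "amazon.com.evil.example" fails.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(message):
    lower = message.lower()
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(message)]
    brands = [b for b in OFFICIAL if has_word(b, lower)]
    cats = sorted(c for c, kws in CATEGORIES.items()
                  if any(has_word(k, lower) for k in kws))
    mismatch = [(b, h) for b in brands for h in hosts
                if not host_is_official(h, OFFICIAL[b])]
    return {"categories": cats, "hosts": hosts, "brand_link_mismatch": mismatch,
            "suspicious": bool(mismatch) or bool(hosts and cats)}

# Constructed sample messages (reserved .example hosts, not real campaigns).
SAMPLES = [
    "FedEx: your package is on hold. Confirm at http://fedex-redelivery.example/track",
    "Amazon: delivery issue with your order. Update: https://amazon.com.account-check.example/login",
    "IRS: you are eligible for a refund. Claim at http://irs-refund.example/form.",
    "Netflix: new episodes are ready at https://www.netflix.com/browse",
    "Your pizza is ready",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = triage(s)
        print("FLAG" if r["suspicious"] else "ok  ", r["categories"], r["brand_link_mismatch"])
```

The second sample shows why the host comparison is a suffix match on the full domain: a link that merely starts with the brand's domain name still resolves to a different site.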
How to protect yourself from Smishing Attacks
There are some things you can do to protect yourself from SMS Phishing attacks:
- Be wary of unsolicited text messages: If you receive a text message from an unknown number or from a source you don’t trust, be cautious. Do not reply to the message or call the number back. Delete the message and block the number if possible.
- Do not click on links in text messages: If you receive a text message that contains a link, do not click on it. The link may take you to a fake website or download malware on your device. Instead, type the URL of the legitimate source directly into your web browser or use an official app.
- Verify the sender’s identity: If you receive a text message that claims to be from a legitimate source, such as your bank or your boss, do not trust it blindly. Verify the sender’s identity by contacting them through another channel, such as calling them on their official number or emailing them on their official address.
- Use strong passwords and two-factor authentication: Use strong passwords and two-factor authentication (2FA) for all your online accounts. This way, even if attackers get your password through smishing, they will not be able to access your account without the code or device.
- Keep your software up to date: Software updates often include security patches that can help protect you from smishing attacks. Make sure that you update your operating system, web browser, antivirus, and other applications regularly.
- Report SMS Phishing attacks: If you encounter or fall victim to a smishing attack, you should report it as soon as possible. Reporting smishing attacks can help prevent other users from being tricked by them, and also help authorities track down and stop the attackers.
Conclusion
Smishing is a type of phishing attack that uses text messages to trick users into revealing their personal information, such as passwords, credit card numbers, or bank account details. SMS Phishing is a serious threat that can lead to identity theft, financial loss, or malware infection.
To protect yourself from SMS Phishing attacks, you should be wary of unsolicited text messages, avoid clicking on links in text messages, verify the sender’s identity, use strong passwords and two-factor authentication, keep your software up to date, and report smishing attacks.
The importance of staying vigilant against SMS Phishing attacks cannot be overstated. Smishing attackers are constantly evolving and adapting their tactics to exploit new vulnerabilities and opportunities. By being aware and informed of the risks and signs of smishing attacks, you can avoid becoming a victim and protect your personal and financial security.
Resources for more information on Smishing
If you want to learn more about smishing and how to prevent it, you can check out the following resources: