Smishing
What is Smishing?
Smishing is a form of cyber attack that involves sending fraudulent text messages to manipulate the recipient into revealing personal information or taking actions that help the attacker steal secured data or financial resources.
The term “smishing” is a combination of “SMS”, an abbreviation for the Short Message Service used by mobile devices, and “phishing”, the use of deceptive messages to defraud the recipient.
Smishing attacks against individuals and enterprises are on the rise. Compared to traditional email-based phishing attacks, malicious text messages are less likely to be blocked by spam filters and more likely to elicit engagement from unsuspecting targets.
How Do Smishing Attacks Work?
- Purchasing Smishing Tools - Cyber criminals use smishing software tools, also known as Robotext software, to deliver SMS text messages at scale. These tools automate the process of sending SMS text messages to thousands of recipients, and may include features like template-based message customization and phone number spoofing. Some cyber criminals program their own tools, but Robotext software can also be purchased or rented on dark web hacker forums.
- Acquiring Leads - In the context of a smishing attack, a lead refers to any valid mobile phone number that can receive text messages, along with any additional information attached to that phone number. Cyber criminals can acquire leads by scraping phone numbers from the Internet, or by purchasing lead lists on the dark web.
- Crafting an Effective Lure - The next step is for the cyber criminal to craft a convincing message that will deceive the recipient into revealing their personal data or taking some other harmful action. An effective lure combines social engineering techniques like baiting and pretexting with an urgent call-to-action, aiming to funnel the maximum number of recipients into the next stage of the scam.
- Developing Attack Infrastructure - Smishing messages often include a malicious link to a fraudulent web page, mobile app, or malware download that infects the target’s device or tries to manipulate them into disclosing sensitive data. The attacker must develop this infrastructure before it can be used in a smishing scam.
- Deploying the Attack - Once the fraudulent infrastructure (e.g., fake web domain/login page, fraudulent mobile app, malicious file download, etc.) is hosted online and prepared to receive traffic, cyber criminals will begin using Robotext software to transmit the lure message (containing a malicious link to the attacker’s fraudulent infrastructure) to their leads.
- Stealing Data and Assets - Once the attack has been deployed, cyber criminals simply wait for recipients to click on the malicious link in the text message. The consequences of a successful attack vary depending on the nature and intentions of the criminals behind it. Sometimes, digital adversaries will use a spoofed financial login page to try to steal banking credentials. Other times, they might direct targets to download a malicious file that allows the attacker to spy on their device.
5 Types of Smishing Attacks You Should Know
Digital adversaries have crafted a variety of different messages to deceive their targets. Here are five formats you should be aware of:
- Fake Order Confirmation Messages - The target receives a message asking them to confirm a recent order (usually an expensive one) placed on an eCommerce website. This message is generally used as a pretext to deceive the target into revealing their personal information and/or credit card number to the attacker.
- Financial/Banking Alerts - The target receives an alert message, apparently from their bank, regarding a suspicious transaction or suspected fraud. The target may be asked to act quickly to prevent a fraudulent fund transfer from proceeding. In reality, the alert is fake and the link leads to a counterfeit login page where the attacker harvests the target's bank login credentials.
- Credit/Financing Offers - The target receives a message offering them a low or no-interest credit card, debt refinancing or a loan. These messages take advantage of the target’s financial desperation to deceive them into disclosing sensitive personal data.
- Fake Gifts and Giveaways - The target is informed that they have won a giveaway or a free gift. The message will ask them to click on a link and fill out their information to collect the prize. This data may be sold to other cyber criminals or used to steal the victim’s identity.
- Fake Offers and Surveys - Cyber criminals create fake surveys using the most common password recovery questions from common email providers and banking institutions. When someone completes the survey, cyber criminals can use their responses to gain unauthorized access to their email or bank accounts.
How to Recognize a Smishing Message
- Unfamiliar Phone Number - Unsolicited text messages from unknown or unfamiliar phone numbers are more likely to be smishing scams.
- Spelling/Grammatical Errors - Smishing messages often contain obvious spelling and grammar errors. These errors sometimes reveal the attacker’s poor English skills, but they may also be included intentionally to filter out recipients who are “too smart” to fall for the scam.
- Social Engineering Tactics - Smishing messages employ social engineering tactics like baiting, pretexting, and urgency to encourage the recipient into fast and reckless action.
- Suspicious Links - Smishing messages almost always include a suspicious link to an unfamiliar source. Mobile phone users should avoid clicking on suspicious links in text messages they receive from unfamiliar sources.
- Requests for Personal Information - Reputable companies will never ask you to send sensitive personal data by text message. If you receive an SMS message asking you to confirm your name, date of birth, or credit card number by text, it’s definitely a scam.
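The five indicators above can be turned into a simple triage heuristic. The following is an added example (not code from the original page or from ZeroFox); the trusted-sender list, keyword lists and the scoring threshold are assumptions chosen for illustration, and the two sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Assumed allow-list of sender numbers the user already knows (constructed).
TRUSTED_SENDERS = {"+15550001111"}

# Indicator patterns, one per recognition cue in the list above (assumed word lists).
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|act now|verify now)\b", re.I)
PII_REQUEST = re.compile(r"\b(date of birth|credit card|card number|password|ssn|pin)\b", re.I)
TYPO = re.compile(r"\b(recieve|adress|acount|verfiy|confrim)\b", re.I)
LINK = re.compile(
    r"\b(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|xyz|top|link|ly|co|io)\b(?:/\S*)?",
    re.I,
)


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def score_sms(sender: str, text: str) -> Verdict:
    """Count how many of the five smishing indicators a message exhibits."""
    reasons = []
    if sender not in TRUSTED_SENDERS:
        reasons.append("unfamiliar sender")
    if TYPO.search(text):
        reasons.append("spelling errors")
    if URGENCY.search(text):
        reasons.append("urgency / social-engineering language")
    if LINK.search(text):
        reasons.append("contains a link")
    if PII_REQUEST.search(text):
        reasons.append("requests personal information")
    return Verdict(len(reasons), reasons)


def is_likely_smishing(sender: str, text: str, threshold: int = 3) -> bool:
    """Flag a message when it trips at least `threshold` indicators (assumed cut-off)."""
    return score_sms(sender, text).score >= threshold


# Constructed samples: a lure-style alert from an unknown number, and a benign reminder.
LURE = ("+15559876543",
        "Your account has been suspended. Verify now at http://secure-bank-login.xyz/verify "
        "and confirm your card number.")
BENIGN = ("+15550001111", "Your appointment is tomorrow at 10am. Reply STOP to opt out.")

if __name__ == "__main__":
    for sender, body in (LURE, BENIGN):
        print(is_likely_smishing(sender, body), score_sms(sender, body))
```

A score is only a triage aid: a message from a familiar number can still be spoofed, so the verification advice in the next section (contact the purported sender through a known channel) still applies.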
How to Protect against Smishing Attacks
- Learn to Recognize Smishing Attacks - Cybersecurity awareness is the first step in protecting against smishing and other types of cyber attacks. Watch out for text messages, especially from unfamiliar sources, that ask you to click on a suspicious link or reply with your sensitive personal data.
- Don’t Engage with Suspicious Messages - If you receive a suspicious message, don’t open it! If you have already opened it, don’t click the link or reply. Instead, delete the message, block the sender’s phone number, and report the spam message to your SMS provider. If you’re not sure whether a message is genuine or a smishing scam, contact the purported sender in person, by phone, or by email to verify its authenticity.
- Activate SMS Spam Protection - You can use SMS spam protection software to block incoming messages from known spammers.
- Disrupt and Dismantle Smishing Attack Infrastructure - Organizations can use external cybersecurity tools like ZeroFox to proactively disrupt and dismantle smishing attack infrastructure.
The AI-driven ZeroFox platform monitors your organization’s public attack surface at scale to identify smishing attacks against your business and initiate targeted takedowns of the attacker’s infrastructure (e.g. website hosting, mobile app hosting, email hosting, etc.), discouraging future attacks.
Secure Your Organization against Smishing Attacks with ZeroFox
ZeroFox provides digital risk protection, threat intelligence, and adversary disruption capabilities to identify and remediate targeted smishing attacks against enterprise organizations.
Check out our free report InfoSec Guide: Addressing the Rise in Phishing and Financial Fraud to learn more about the impacts of fraudulent message attacks and how ZeroFox can help.