By Ian Thomas on June 30, 2022

Smishing Attacks Explained

What Is Smishing?

Smishing is a type of social engineering scam that uses mobile texting rather than emails to deliver nefarious messages that dupe people into taking specific actions. The term is a combination of phishing and SMS, and its increasingly widespread use reflects a belief among cybercriminals that people are generally more likely to trust the contents of text messages over emails. Threat actors often text people directly using traditional SMS, but smishing also encompasses messages sent via apps like WhatsApp, Viber, or other messaging apps that require users’ phone numbers.

Industry reports and studies continue to highlight the growing prevalence of smishing attacks. One survey reported by Statista found that 74% of organizations and IT professionals experienced smishing attacks during 2021. This figure represented a 13% increase from the previous year.

How Do Smishing Attacks Work?

Smishing does not require a high degree of complexity for success when compared to other forms of social engineering such as whaling. Here is a brief run-through of how attacks typically happen:

A threat actor gets their hands on a list of genuine phone numbers

Cyber gangs try to compile lists of phone numbers using automated software by dialing many numbers in quick succession. Any number that answers or even rings out rather than going to a service provider message counts as a genuine number. These lists then get sold on dark web marketplaces to threat actors for use in smishing campaigns.

Another way that phone numbers proliferate is in today’s data-sharing economy. With many apps and online services requiring a phone number to sign up, this information can easily get into the wrong hands after a data breach. Once again, the dark web is the place where stolen phone numbers end up either freely available or for a fee.

Social engineering tactics help to craft convincing text messages

Whether a target falls for a smishing text depends largely on how convincing the content of the text message is. While there is more implicit trust in messages sent to personal phone numbers versus emails, texts containing obvious red flags will get ignored. Social engineering techniques include creating a sense of urgency that bypasses potential skepticism, leveraging trust in authoritative organizations and figures, or compelling people to act for personal gain.

Malicious links lead to desired actions

The vast majority of smishing messages contain malicious links. Often, professional URL shortening software helps to create links that look legitimate or that don’t raise any suspicions among targets. The victim opens the text, clicks the link, and then either disclose sensitive information or downloads malware. The hacker uses the disclosed information to commit fraud and profit or tries to take control of or monitor the victim’s device if malware is involved.

Types of Smishing Scams

Adversaries constantly innovate and refine the bait they use in smishing messages to lure unsuspecting individuals into clicking malicious links or disclosing information. However, there are common trends among scams that are worth watching out for.

False delivery notifications

A widespread type of smishing scam piggybacks off the explosive growth of eCommerce. Exploiting the fact that many individuals at any given time are awaiting the delivery of a parcel, large-scale smishing campaigns notify hundreds or thousands of users at a time about the progress of their deliveries. These messages purportedly come from courier or postal companies, but they typically contain malicious URLs pointing to false websites where victims disclose sensitive information under the pretense of verifying their details.

Messages from financial institutions

Messages claiming to be from financial institutions like credit card companies or banks demonstrate the malevolence of threat actors who run smishing scams. Most people feel a sense of urgency when notified about pressing matters of a financial nature, whether that means being locked out of a bank account, or a bill not being paid. Typically, these messages request victims’ card details or login information for online banking platforms.

Fake prize wins

Fake prize wins hark back to the early days of phishing when fraudulent email messages commonly informed users about unexpected lump sums or prize wins for competitions they didn’t enter. While such scams remain widespread in both phishing and smishing, they remain unlikely to bear fruit except perhaps when targeting elderly people or anyone else with heightened vulnerability to these scams.

Government messages

The onset of the COVID-19 pandemic coincided with a marked increase in smishing texts ostensibly from government services. Many such messages related to COVID attempted to leverage uncertainty and vulnerability among individuals during a time of widespread societal fear. Texts from government sources can try to persuade people into revealing sensitive details or even their bank account information. Other “sources” of such messages include tax departments or citizen services.

Account compromise scams

These scams are usually an attempt to get victims to disclose login credentials for important accounts. Spoofed sources could include banks, technology companies, utility companies, crypto exchanges, and more. The text message might ask the target to verify their password due to apparent suspicious activity on their account. A more sophisticated variation on this scam sees threat actors, who already have the victim’s username and password, trying to get them to disclose a one-time password sent to their phone as part of 2FA security protecting an account.

Employee focused

Some smishing messages target an organization’s employees with the aim of infiltrating a corporate network and stealing data or perhaps convincing the employee to wire funds to an account under their control. The social engineering tactics involved in these scams usually involve masquerading as a high-ranking official inside the organization, an IT helpdesk, a third-party supplier, or a service provider that controls access to an important business account.

Defending Against Smishing

Smishing impacts both individuals and organizations. Here are some tips to strengthen defenses from both a business and individual perspective:

Business defenses

  • Gauge smishing awareness among employees using surveys and incorporate smishing material in future training materials to compensate for any knowledge gaps and reduce the susceptibility to these fraudulent text messages.
  • Use the principle of least privilege access to ensure that even if an employee’s account gets compromised, your attack surface is minimized by restricting access levels to only what’s necessary for job functions and duties.
  • Use phishing simulation and training exercises to give employees practical opportunities at improving their ability to detect social engineering techniques common across various types of attacks.
  • If you have a BYOD policy that allows employees to connect their smartphones to your corporate network and apps, update the policy to include specific tips and guidance for employees in ensuring they don’t fall victim to text-based scams.

Individual defenses

  • A useful rule of thumb is to avoid clicking any links embedded in text messages.
  • Enable any two-factor or multi-factor authentication options available for your most important accounts, including banking, email, money exchanges, and eCommerce platforms.
  • Call your bank, retailer, or relevant government service directly to verify the authenticity of any text messages about suspicious activity, account lockouts, transactions, and appointments.
  • Avoid storing sensitive information on your phone, such as your credit card number or passwords for accounts because malware can enable device takeover, giving hackers free rein to easily find and use this information.

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at ironscales.com/get-a-demo.

Published by Ian Thomas June 30, 2022
Shapes-Left

Join thousands of your peers! Subscribe to our blog.

Ironscales needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Privacy Policy.

Shapes-Right