Smishing is a type of social engineering scam that uses mobile texting rather than emails to deliver nefarious messages that dupe people into taking specific actions. The term is a combination of phishing and SMS, and its increasingly widespread use reflects a belief among cybercriminals that people are generally more likely to trust the contents of text messages over emails. Threat actors often text people directly using traditional SMS, but smishing also encompasses messages sent via apps like WhatsApp, Viber, or other messaging apps that require users’ phone numbers.
Industry reports and studies continue to highlight the growing prevalence of smishing attacks. One survey reported by Statista found that 74% of organizations and IT professionals experienced smishing attacks during 2021. This figure represented a 13% increase from the previous year.
Smishing does not require a high degree of complexity for success when compared to other forms of social engineering such as whaling. Here is a brief run-through of how attacks typically happen:
Cyber gangs try to compile lists of phone numbers using automated software by dialing many numbers in quick succession. Any number that answers or even rings out rather than going to a service provider message counts as a genuine number. These lists then get sold on dark web marketplaces to threat actors for use in smishing campaigns.
Another way that phone numbers proliferate is in today’s data-sharing economy. With many apps and online services requiring a phone number to sign up, this information can easily get into the wrong hands after a data breach. Once again, the dark web is the place where stolen phone numbers end up either freely available or for a fee.
Whether a target falls for a smishing text depends largely on how convincing the content of the text message is. While there is more implicit trust in messages sent to personal phone numbers versus emails, texts containing obvious red flags will get ignored. Social engineering techniques include creating a sense of urgency that bypasses potential skepticism, leveraging trust in authoritative organizations and figures, or compelling people to act for personal gain.
The vast majority of smishing messages contain malicious links. Often, professional URL shortening software helps to create links that look legitimate or that don’t raise any suspicions among targets. The victim opens the text, clicks the link, and then either discloses sensitive information or downloads malware. The hacker uses the disclosed information to commit fraud and profit or tries to take control of or monitor the victim’s device if malware is involved.
Adversaries constantly innovate and refine the bait they use in smishing messages to lure unsuspecting individuals into clicking malicious links or disclosing information. However, there are common trends among scams that are worth watching out for.
A widespread type of smishing scam piggybacks off the explosive growth of eCommerce. Exploiting the fact that many individuals at any given time are awaiting the delivery of a parcel, large-scale smishing campaigns notify hundreds or thousands of users at a time about the progress of their deliveries. These messages purportedly come from courier or postal companies, but they typically contain malicious URLs pointing to false websites where victims disclose sensitive information under the pretense of verifying their details.
Messages claiming to be from financial institutions like credit card companies or banks demonstrate the malevolence of threat actors who run smishing scams. Most people feel a sense of urgency when notified about pressing matters of a financial nature, whether that means being locked out of a bank account, or a bill not being paid. Typically, these messages request victims’ card details or login information for online banking platforms.
Fake prize wins hark back to the early days of phishing when fraudulent email messages commonly informed users about unexpected lump sums or prize wins for competitions they didn’t enter. While such scams remain widespread in both phishing and smishing, they remain unlikely to bear fruit except perhaps when targeting elderly people or anyone else with heightened vulnerability to these scams.
The onset of the COVID-19 pandemic coincided with a marked increase in smishing texts ostensibly from government services. Many such messages related to COVID attempted to leverage uncertainty and vulnerability among individuals during a time of widespread societal fear. Texts from government sources can try to persuade people into revealing sensitive details or even their bank account information. Other “sources” of such messages include tax departments or citizen services.
These scams are usually an attempt to get victims to disclose login credentials for important accounts. Spoofed sources could include banks, technology companies, utility companies, crypto exchanges, and more. The text message might ask the target to verify their password due to apparent suspicious activity on their account. A more sophisticated variation on this scam sees threat actors, who already have the victim’s username and password, trying to get them to disclose a one-time password sent to their phone as part of 2FA security protecting an account.
Some smishing messages target an organization’s employees with the aim of infiltrating a corporate network and stealing data or perhaps convincing the employee to wire funds to an account under their control. The social engineering tactics involved in these scams usually involve masquerading as a high-ranking official inside the organization, an IT helpdesk, a third-party supplier, or a service provider that controls access to an important business account.
Smishing impacts both individuals and organizations. Here are some tips to strengthen defenses from both a business and individual perspective:
To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at ironscales.com/get-a-demo.