SMS Phishing

What is it, how do attackers use it and how you can avoid becoming a victim


June 5th, 2023
Author: Ryan Morrissey

What is SMS Phishing?

SMS phishing (sometimes referred to as smishing) can be explained by breaking down the term into two separate words. SMS stands for “short message service”, which is the technical term for text messaging on phones. Phishing can be described as techniques used by cyberattackers to gain access to your sensitive data, whether it's private information about your life or even bank information. 


If you put these two terms together, you get SMS phishing, which is when attackers try to get access to your data by using techniques in text messages. SMS phishing can be executed with similar techniques to email phishing but just through text messages instead. Most often, the messages try to trick the user into engaging with the phish.

Why is SMS Phishing Important to Discuss? 

There are a multitude of reasons why SMS phishing is important to discuss. One of the biggest reasons is that it's a relatively new form of phishing, so people are less aware of it. It's important to spread awareness of these attacks to prevent anyone from falling for them. This also means that cybercriminals are coming up with new forms of attack through text messaging that have never been dealt with before. While text messaging may seem like a simple process to some, it can be tough for others. It is important to educate the people who are most vulnerable to these attacks so they can be better prepared and protected. Discussion is imperative to extending the reach of awareness about SMS phishing and will better help everyone defend themselves while also preventing fraud.

What are Some Common Techniques Used by Attackers? 

There are many techniques you may have already experienced or will experience if you use text messages. A lot of the attacks will be some sort of impersonation, which is the most popular form of phishing. Attackers will usually pick some sort of trusted business or organization that a lot of people use, such as a bank or internet provider, to impersonate, and unfortunately, thousands of targeted users actually send the attackers their bank/sensitive information.


Someone may see the text above and use Bank of America, thinking their account may actually be at risk of being closed. All of a sudden, they click on the link and enter their bank information, and from there, their information has been stolen. 


Attackers will often mix impersonation with some sort of fear-inducing message. If someone is not aware of the tactics, they might actually fall for the trick out of fear that the message is real. On top of fear, the message might sound urgent as well. “If you don't click on this link, your account will be locked forever” is an example of that.

A huge majority of people order things online. There are quite a few attacks relating to the image above in that attackers send out this fake text message knowing someone somewhere ordered a package and will think in order for the package to get delivered they have to click on a link. Once the link is clicked, anything could happen. Always imagine the worst. 


You may be thinking, “I just won’t click on the links that look bad or are not normal”. Well, attackers can easily work around this through more complex techniques such as spoofing or faking links and websites. It's not hard for attackers to fake an address through text messages. Similarly, they can copy a reliable website's code to make their own website that looks exactly like the reliable website. Some cybercriminals will go to great lengths to make people fall for their schemes if it means they can successfully gain personal, sensitive, or financial information. In the image below, an attacker is spoofing the PayPal link. If the target clicks on the link, they may be redirected to a fake PayPal website, which may ask them to input their PayPal credentials. If the user inputs their credentials, the attacker would then have access to the user's PayPal account.

The last common technique attackers use is offering the target a reward or win. Attackers may send a text saying the victim won something, whether it be money or some other form of reward. This is dangerous because everybody wishes they could just come across a big sack of gold without having to do anything, but most times you will find any form of this text will just end with you entering your credit card number into a website, whether it's an easily spotted scam site or a spoofed website like the one mentioned above.

Real Life Example of SMS Phishing 

You may have already encountered an SMS phishing scam before, as attackers can send out thousands of messages with the click of a button. Below is a recent example of SMS phishing that has plagued smartphone users. 


Covid-19 SMS scam 

Do you remember how on edge everyone and everything was in the world during the peak of COVID? That common fear among the people of the world was exploited by cybercriminals during COVID-19 in multiple forms. Attackers would often send misleading texts that made people give up sensitive personal information. One very common text message was sent to almost everyone in the UK during COVID, claiming that “you were in close contact with someone who had COVID.” The text led to a website that had you buy a fake COVID-19 test that cost around a dollar. This was a small amount of money, so nobody would really think twice about just buying it, leading to their card information being stolen. 

Spotting and Avoiding SMS Phishing

SMS phishing is a sneaky way for attackers to get your information. It's important to not only be aware but also use techniques of your own to combat SMS phishing. It's important to not take text messaging for granted and realize that if you are not careful, there can be unwanted repercussions. 

One technique that you can use is to be skeptical at all times. Verify that the person to whom you are sending messages is the person they say they are. You can never be too sure when it comes to texting. Being skeptical is important because keeping your guard up and double checking will go a long way in protecting your data. 

Anything that you might suspect of being illegitimate will probably be a scam. Trust your gut and educate yourself, and you will find yourself well protected.


One big thing every single person should realize and be aware of is that legitimate companies/services won't ask for information directly over text. To some, this may seem simple, but it's important that you never directly input your personal information via text. Where it can be more complicated is when attackers instead send links; legitimate companies usually do send links over text, so this is where more people will fall for fake links.

Again, links can be spoofed, so it's never good to trust a link in a text message because it's probably a scam. If you suspect you are on a spoofed/fake website, simply close the tab, and always make sure to never enter your password or any private information on a website you aren't familiar with. It's a good idea to verify what websites you are accessing, especially through text. 
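The checks described above (does the link really belong to the company the text names, and does the message lean on urgency or a prize) can be written down as a small triage script. This is an added example, not part of the original article; the allow-list of official domains, the keyword lists and the sample messages are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list: brand name -> domains that brand really uses (illustrative).
OFFICIAL_DOMAINS = {
    "paypal": {"paypal.com"},
    "bank of america": {"bankofamerica.com"},
}
URGENCY = re.compile(r"\b(locked|closed|suspended|immediately|urgent)\b", re.I)
REWARD = re.compile(r"\b(won|winner|prize|reward)\b", re.I)
URL = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def link_hosts(text):
    """Return the lower-cased host of every link found in the message."""
    hosts = []
    for raw in URL.findall(text):
        url = raw if "://" in raw else "http://" + raw
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def on_official_domain(host, domains):
    # Exact match or a true subdomain; "paypal.com.evil.example" fails both.
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(text):
    """Return the reasons an SMS looks like phishing (empty list = none found)."""
    reasons, hosts, lowered = [], link_hosts(text), text.lower()
    for brand, domains in OFFICIAL_DOMAINS.items():
        # The brand is "named" if it appears in the text or inside a link host.
        named = brand in lowered or any(brand.replace(" ", "") in h for h in hosts)
        if named:
            for h in hosts:
                if not on_official_domain(h, domains):
                    reasons.append(f"link {h} is not a {brand} domain")
    if URGENCY.search(text):
        reasons.append("urgent or fear-inducing wording")
    if REWARD.search(text):
        reasons.append("reward or prize lure")
    return reasons

if __name__ == "__main__":
    # Constructed sample message using the reserved .example TLD.
    sms = "PayPal: your account will be locked. Confirm at https://paypal.com.account-verify.example/login"
    print(triage(sms))
```

An empty result only means none of these particular signs were found; it does not make a message safe.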


You can try to prevent SMS phishing in a couple of ways. There are trusted security applications on app stores that can try to filter out some texts and may do other common security things, such as serve as a virus/malware scanner. While these are good, they will not protect you from everything. It's up to you as the user to be aware of techniques used by attackers so you don't fall for them. Applying system and application updates will also help prevent attacks from taking place if you do slip and fall for a phish. 


Some common apps (both Android and iOS) that help filter out SMS phishing that you can research are:

I Got an SMS Phishing Text, What Do I Do? 

SMS phishing is becoming more popular, and as using email becomes less frequent, if you have a smartphone, you will probably witness or encounter an SMS phishing scam. If you get an SMS text, don’t engage in any way with the actual text. If you can, the best thing to do is avoid clicking on any links in the text and avoid responding to it. Ignoring/deleting the text and moving on is really all you can do to protect yourself.


After you protect yourself from SMS phishing, you can also help protect others! There are a few ways to report scam texts, but the most common is to report them to the Federal Trade Commission (FTC). They are skilled at mitigating these attacks and preventing them from spreading too far. You can report any scam text you get in a couple simple ways:


Through self-education and caution, you can protect yourself and others against SMS phishing!

Conclusion

SMS phishing is an emerging form of phishing where cybercriminals deploy techniques to trick victims into entering personal information through text messaging. This form of phishing is relatively new and rising at a high rate, so it's important to raise awareness about SMS phishing, including what it is, how it can be prevented, and some methods to defend yourself from falling victim to one of these attacks. 


By exercising general caution and common sense, you will find yourself well defended from SMS attacks. The best thing to do if you get a text message from an unverified source is to double check and verify everything you are being sent over text, or just simply not engage. You will not be getting a text message about your bank account being closed. If you feel uneasy about a text message, just delete it and don’t respond to it. If you feel really at risk, you can report it to the proper authorities so they can proceed with dealing with the phishing. Remember that scammers will often use scare tactics or some sense of urgency to trick you into feeling rushed. This is when we as humans are most vulnerable, so always check the texts you receive.
