Did you know that SMS messages have an average open rate of over 95%? The definition of smishing is a digital attack through SMS that can have serious consequences. SMS marketing has become a strategy that many companies use. Unfortunately, hackers also exploit this system through SMS attacks.
The development of anti-spam filters for smartphones is still low compared to the protections available for email boxes. Therefore, it is much easier to read unwanted SMS messages than emails. The ubiquity of SMS in our lives is an opportunity for hackers and highlights the importance of gathering information to better protect ourselves.
Proofpoint conducted a survey of 600 IT professionals from 7 different countries. 84% of them admitted to being victims of a smishing attempt.
Smishing (SMS + phishing) is a cyber attack consisting of sending a malicious SMS message.
For example, you may receive a fraudulent SMS message informing you that a package is blocked at customs. If you want to unlock it, you need to provide your credit card number and pay additional fees.
Smishing attacks against companies are rarer but do exist, as you will see in this article.
How does it work?
The attack starts with receiving a fraudulent SMS message asking you to click on a link. Usually, the attacker emphasizes the urgency of the problem to encourage you to respond quickly.
It is also possible for the malicious individual to impersonate your superior for the same purpose. The hacker establishes a relationship of trust with the victim so that they execute the orders of their "supervisor" without following the security protocols.
The link in the message can redirect you to a website, install a malicious application, or call a fraudulent number. The consequences of these attacks are similar to those of a classic hacking: the individual can bypass multi-factor authentication, download sensitive data, take control of your phone, and infect your network.
The scam can occur through multiple channels: you can receive not only a fraudulent SMS message but also a malicious email or phone call. This method is also used when contacting an individual in marketing campaigns. The objective is not the same, of course: in campaigns, we want to reach a person, while in a scam, we want to make the attack appear credible in order to lower the victim's vigilance.
Why does smishing work?
The definition of smishing being "phishing by instant message," the overall operating principle is the same: manipulate the target into taking an action compromising their security.
In order to increase the likelihood of a successful attack, the victim may receive a sequence of step-by-step messages based on their responses, instead of a single message. This creates a certain level of trust in the relationship between the victim and the fraudster. Establishing this type of relationship through a classic phishing attack is much more complex, as one must convince the victim with only one message.
SMS messages have weak digital protection. The development of antivirus software or anti-spam filters on smartphones is still limited compared to the protections available on computers.
The open rate of SMS messages is a factor to consider in the functioning of smishing. Let's compare it with the open rate of emails:
- SMS open rate: 95% (SMSMode, 2020)
- Email open rate: 17.8% (CampaignMonitor, 2020)
- 45% of SMS messages receive a response (Gartner, 2016)
- 6% of emails receive a response (Gartner, 2016)
- 10% of marketing SMS messages are identified as spam (DSIM, 2016)
- 50% of marketing emails are identified as spam (DSIM, 2016)
SMS messages have an open rate almost 5 times higher than emails. Moreover, SMS marketing messages are less easily identified as spam than emails, which facilitates the contact between the victim and the scammer.
A phone interface offers fewer possibilities than a computer interface for identifying malicious attacks. It is impossible to hover over a link on your phone and determine the sender or destination of the link you are about to click on.
Examples of attacks
Many smishing attacks target individuals. Mass attacks can be carried out by claiming, for example, that a package is available for pick-up or by notifying you of a change in your bank account.
When it comes to attacks targeting companies, they are much more complex. For example, you may receive an SMS verification code to establish trust in the exchange. Hackers carry out these personalized attacks after obtaining multiple pieces of information to lower the victim's vigilance.
How to identify smishing?
By definition, smishing will try to closely resemble a normal SMS message.
It is necessary to consider with caution any SMS that encourages potentially dangerous actions such as installing an application, transmitting sensitive information, or clicking on a link.
Be extra vigilant and make sure to identify the sender and the legitimacy of the request.
Pay attention to the sender; it is possible for an SMS to appear in an existing thread of regular messages from a company. The name of a bank may not be secure, so a hacker can take advantage of this vulnerability to send you a fraudulent SMS message in the usual discussion thread with your bank. This SMS will generally ask you to call a different number or click on a link. The objective is to transfer money to a foreign account later on.
If it is a widespread attack, a simple internet search of the received text will allow you to identify the message as a smishing attempt.
If you suspect that someone is impersonating one of your peers, use a different contact channel to verify their identity. Try to avoid the email inbox, which can also be hacked.
Smishing is most often unsolicited. If you receive a message from a service (password update, etc.) that you have not used recently, there is a strong chance that it is a smishing attempt.
How to protect yourself?
Certain practices can protect you from these cyber attacks. We offer you 10 tips to best defend yourself against smishing:
- Do not provide login credentials via SMS or through a link received via SMS.
- Do not click on links in unsolicited SMS messages.
- Do not install any application after receiving an SMS message.
- Double-check through a different contact channel when a contact has an urgent request via SMS.
- Be vigilant on all instant messaging platforms (SMS, Linkedin, Messenger).
- Report suspicious SMS messages to the security service.
- Do not make a call in response to an unknown SMS message.
- Regularly check that phone numbers capable of receiving SMS messages from colleagues are not publicly available.
- Train users on the dangers of smishing.
- Simulate smishing attacks to assess and improve employee behavior.