Smishing (SMS Phishing) Protection: Secure Your SMS

You’ve probably heard about it, you’ve probably received some of it. Smishing is basically phishing via SMS and is a very popular vector for scams. In this page, we’ll deep dive into all you need to know about smishing.

Arsen Team
7 minutes read
What is smishing?

Smishing stands for SMS Phishing. It is phishing delivered through text messages or other instant messaging channels rather than email.

Smishing isn’t limited to standard text messaging and can be used over instant messaging applications like WhatsApp, Telegram or Signal.

It’s a distribution vector for social engineering attacks and usually targets individuals to obtain information or steal money through scams.

Like all social engineering attacks, it will impersonate a brand or person and use different manipulation techniques to increase the likelihood of success of the attack.

Because personal phones are often less protected than corporate email, smishing usually has a better chance of reaching its target.

Smishing is a very common form of attack and knowing more about it can help you prevent disastrous consequences.

Smishing history

Early 2000s: the surge of mobile phone usage

As mobile phone usage surged in the early 2000s, scammers adapted their techniques to exploit the new medium.

Early smishing attempts were relatively unsophisticated, often consisting of simple text messages urging recipients to visit malicious websites or call fraudulent phone numbers.

2010: the smartphone era

The rise of smartphones led to more sophisticated smishing attacks that spread malware, used embedded links and exploited vulnerabilities in mobile operating systems.

2016: defeating 2FA protections

With the rise of multifactor authentication, smishing attacks are used in combination with phishing or vishing attacks to extract one-time passwords from their victims and gain access to protected accounts.

2018: spear smishing

Just like phishing, personalized, targeted smishing gets more popular in 2018, often incorporating leaked data or information obtained from Open Source Intelligence (OSINT) to increase the effectiveness of the attacks.

2020: Covid era and USPS scam

During the Covid-19 pandemic, there was a rise of phishing and smishing attacks. The increased use of digital communication for remote work and social interaction facilitated new attacks.

One very popular attack started to emerge, pretexting a delivery pending payment through SMS, impersonating the USPS.

How smishing works

Smishing, or SMS phishing, operates through a series of well-crafted steps designed to deceive individuals into revealing sensitive information or downloading malicious software. Understanding how smishing works can help users recognize and avoid these attacks. Here's a detailed breakdown of the process.

Step 1: Attack Planning and Target Selection

Cybercriminals gather information about potential targets. This can involve purchasing contact lists from the dark web, scraping social media profiles, or utilizing data from previous breaches. The more personalized the information, the more convincing the attack will be.

Targets can range from individuals to large organizations.

In a corporate context, high-value targets, such as executives or employees with access to sensitive information, are often prioritized.

When it comes to individuals, large-scale attacks are common. They are sometimes timed to match specific events such as Black Friday or sales periods that increase parcel deliveries from ecommerce sites, which raises the success rate of parcel delivery smishing scams.

Step 2: Crafting the Message

Like all social engineering attacks, messages often create a sense of urgency or fear to prompt immediate action. Examples include alerts about suspicious account activity, urgent requests for payment, or notifications about package deliveries.

Using personal information, such as the target's name or specific details about their activities, increases the credibility of the message. Personalized messages are more likely to elicit a response.

Finally, depending on the selected pretext, attackers often spoof phone numbers or create messages that appear to come from trusted sources, such as banks, government agencies, or well-known companies. This makes the message seem more legitimate.

Step 3: Delivery of the Message

Messages are sent via SMS (Short Message Service) or MMS (Multimedia Messaging Service). While SMS is text-based, MMS can include images, videos, or other multimedia content to make the message more convincing.

The message typically includes a link to a malicious website. The link may be shortened using URL shorteners to obscure the true destination or made to look similar to legitimate URLs.

Link shorteners and redirectors are also useful to protect links from inspection from security systems and filters.

Some messages may include phone numbers for the target to call or attachments to download. These phone numbers often lead to scam call centers, while attachments can contain malware.

Step 4: Engaging the Victim

Depending on the type of attack and infrastructure deployed by the attacker, several things can happen at this point.

If the target clicks on a link, they are redirected to a phishing website designed to mimic a legitimate site. The site will prompt the user to enter personal information, such as login credentials, credit card numbers, or social security numbers.

Information entered on the phishing site is captured by the attackers and used for identity theft, financial fraud, or further attacks.

Some links or attachments may lead to the download of malware, such as keyloggers, ransomware, or spyware, which can compromise the target's device and data or be used as a first step for a more complex attack.

If the target calls a provided phone number, they may speak with a scammer who uses social engineering tactics to extract sensitive information, often pretending to be a representative of a legitimate organization.

Step 5: Exploitation

Stolen information is used to commit various forms of fraud, such as unauthorized transactions, identity theft, or account takeovers. Cybercriminals may also sell the information on the dark web to be used by another attacker.

In organizational settings, attackers may use stolen credentials to gain access to internal networks, leading to data breaches, ransomware attacks, or further phishing campaigns.

Recognizing smishing

Red flags and warning signs

Like many social engineering attempts, there are a few common red flags that should raise your suspicion and make you very careful about how you interact with the message you received.

These red flags include:

  • Unexpected messages: unsolicited messages should be treated carefully
  • Spelling and grammar: although it is NOT a surefire way to detect an attack, low-quality smishing attacks still exist and bad spelling or grammar should still be considered a warning sign
  • Generic greetings: just like spelling errors, this is a warning sign for low-quality attacks
  • Urgency and pressure mechanism: to create an emotional reaction, common smishing attacks will rely on urgency, fear and authority to make you react

Examples of Smishing Messages

Here are a few common messages used in smishing attacks:

  • Bank alert: "Your account has been temporarily suspended due to suspicious activity. Please visit [fake bank URL] to verify your information and restore access."
  • Package Delivery Scams: "Your package is on hold due to incorrect delivery details. Update your information here: [malicious link]."
  • Tax refund scams: "You have a pending tax refund. Click here to claim: [fake tax agency URL]."
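The red flags and sample messages above can be turned into a simple triage check. The following Python script is an added example (not Arsen's code); it scores constructed messages modelled on the three examples, plus a benign one, against the page's red flags (link present, shortened URL, urgency wording, generic greeting, request for information). The shortener list and keyword lists are assumptions to tune with your own data.

```python
import re

# Constructed sample messages, modelled on the page's examples; not real traffic.
SAMPLES = {
    "bank": ("Your account has been temporarily suspended due to suspicious activity. "
             "Please visit http://bit.ly/x1y2z3 to verify your information and restore access."),
    "parcel": ("Dear Customer, your package is on hold due to incorrect delivery details. "
               "Update your information here: http://parcel-update.example/track"),
    "tax": "You have a pending tax refund. Click here to claim: http://tax-refund.example/claim",
    "benign": "Hi Sam, running 10 min late for lunch, see you at the usual place.",
}

# Captures the host part of any http(s) link in the message.
URL_RE = re.compile(r"https?://([^\s/]+)", re.I)
# Assumed list of common URL shorteners; extend it with your own telemetry.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
URGENCY = ("suspended", "immediately", "urgent", "on hold", "restore access", "claim")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client")
INFO_REQUESTS = ("verify your information", "update your information", "password", "credit card")

def score_message(text):
    """Return (score, reasons): one point per distinct red flag from the page's list."""
    t = text.lower()
    reasons = []
    hosts = [h.lower() for h in URL_RE.findall(text)]
    if hosts:
        reasons.append("contains a link")
    if any(h in SHORTENERS for h in hosts):
        reasons.append("shortened URL hides the destination")
    if any(w in t for w in URGENCY):
        reasons.append("urgency or pressure wording")
    if any(g in t for g in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    if any(p in t for p in INFO_REQUESTS):
        reasons.append("requests personal information")
    return len(reasons), reasons

def is_suspicious(text, threshold=2):
    """Flag the message for a user warning or reporting when several red flags co-occur."""
    return score_message(text)[0] >= threshold

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        score, reasons = score_message(msg)
        print(f"{name:7} score={score} suspicious={is_suspicious(msg)} {reasons}")
```

A single flag (a link in a message from a friend, for instance) is not enough on its own; the threshold exists so that only messages combining several of the page's warning signs are flagged.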

Risks and consequences of smishing

Much like phishing, we need to consider risks and consequences in two different settings: the personal impact and the business impact.

Personal Impact

On a personal level, if you are the victim of a smishing attack, you might experience the following consequences:

  • Financial loss: you may suffer direct financial losses if you provide banking or credit card information in response to a smishing message. Unauthorized transactions, fraudulent charges, and drained bank accounts are common outcomes.
  • Identity theft: personal information, such as Social Security numbers, addresses, and dates of birth, can be harvested through smishing. This information can be used to open new accounts, apply for loans, or commit other forms of identity theft.
  • Emotional distress: the psychological impact of these attacks is high. Victims of smishing often experience significant emotional distress, including anxiety, fear, and a sense of violation. The process of recovering from identity theft or financial fraud can be long and stressful.
  • Privacy invasion: The loss of personal information can lead to a severe invasion of privacy. Victims might find their personal details exposed on the dark web or used in further scams and attacks.

Business Impact

Businesses can be impacted on a different scale by smishing attacks:

  • Data breaches: smishing attacks targeting employees can lead to data breaches. Compromised credentials can provide attackers with access to sensitive company information, intellectual property, and customer data.
  • Financial penalties: businesses may face significant financial penalties due to regulatory non-compliance if a data breach occurs as a result of a smishing attack. Laws such as GDPR and CCPA impose strict fines for data breaches involving personal information.
  • Operational disruption: smishing attacks can lead to operational disruptions. Malware or ransomware introduced through smishing can cripple business operations, leading to downtime and loss of productivity.
  • Reputational damage: a successful smishing attack that leads to a data breach can severely damage a company's reputation. Customers and partners may lose trust, resulting in lost business opportunities and long-term reputational harm.

Prevention and protection against smishing

Preventing smishing attacks should be done in three main layers of a defense in depth strategy.

Education and Awareness

The first layer of defense is training people, through awareness content and simulation campaigns, to understand the risk and adopt more secure behaviors, such as reporting such attacks to the competent authorities and internal services.

Since smishing attacks target people and their reactions, training them is the most cost-effective defense layer you can apply.

Best practices and procedures

Specifically in an organizational setting, procedures should prevent attacks by adding control points and friction to disrupt the attack pattern.

For instance, sensitive information shouldn’t be delivered without a specific verification process. Payment shouldn’t be done from a mobile device, etc.

Some of these procedures can be enforced with security tools; others should rely on proper employee training.

Security tools

Security tools that can limit the risk of smishing are numerous:

  • Mobile Security Apps: allowing for real time threat protection, SMS and call blocking
  • Mobile Device Management (MDM): to easily control, monitor and manage security settings and applications on mobile devices
  • Multi-factor Authentication: will increase your security in case of credential harvesting or infostealer attacks, making it harder to exploit credentials
  • Leak monitoring: monitoring the presence of phone numbers on the dark web can help prevent attacks by reinforcing security or changing numbers altogether.

Response to a smishing attack

Responding effectively to a smishing attack is crucial to minimizing damage and preventing further exploitation.

Immediate Actions

The first things to do are the following:

  • Do not respond or interact with the suspicious text message
  • Alert relevant parties: depending on the context, it can be the impersonated person or service like your bank, or a dedicated security team in your organization

If you’ve interacted with the text message and think you might be compromised, disconnect your phone from the network. This can be done by switching it to airplane mode to prevent malware communication with the network.

Secure your Accounts

If you think you’ve been compromised, you can try to reinforce your accounts’ security. These are also very good prevention steps:

  • Change your passwords using a password management tool
  • Enable MFA to reinforce authentication security
  • Monitor accounts and last logins when possible, to see if any suspicious activity has already occurred

Scan and Clean Devices

If you suspect that malware deployed through a smishing attack has already been installed, you should also scan and clean your mobile device:

  • Run security software: up-to-date anti-malware software can scan for and detect potential malware on your phone
  • Update your software: security patches will help prevent exploitation of some security flaws that help malware spread and gain higher access to your mobile

The future of smishing

Much of the evolution of smishing attacks can already be seen in current phishing attacks.

We expect an increase in conversational attacks, making it harder to detect signs of an attack.

Conversational attacks engage in a discussion with the victim, creating rapport and reducing the amount of suspicious elements such as malicious links in the content of the SMS.

Multi-lingual, conversational attacks can now be done at scale with the rise of LLMs and the progress they bring to the generative AI sphere.

Smishing will also be used in combination with vishing and phishing attacks to improve victim engagement, create additional trust factors and increase the complexity of attack patterns, making them harder to detect.

Frequently Asked Questions

Phishing is a broader term that encompasses various methods of deceptive communication to steal sensitive information, including email (phishing), phone calls (vishing), and text messages (smishing). Smishing specifically refers to phishing attacks conducted via SMS or text messages.

  • Unsolicited messages from unknown numbers.
  • Messages that create a sense of urgency or fear, prompting immediate action.
  • Requests for personal information, financial details, or login credentials.
  • Poor grammar and spelling errors.
  • Suspicious or shortened URLs.
  • Messages claiming to be from reputable organizations but using generic greetings like "Dear Customer."

If you receive a suspicious text message:

  • Do not respond to the message or click on any links.
  • Do not download any attachments.
  • Verify the message by contacting the purported sender using official contact information (e.g., phone numbers from the organization's official website).
  • Report the message to your mobile carrier and the organization being impersonated.
  • Delete the message from your device.

Yes, clicking on malicious links or downloading attachments from a smishing message can lead to malware being installed on your device. This malware can steal personal information, track your activities, or give attackers control over your device.

To protect yourself from smishing:

  • Be cautious of unsolicited messages, especially those requesting personal information or urgent action.
  • Verify the authenticity of messages by contacting the sender directly through official channels.
  • Avoid clicking on links or downloading attachments from unknown sources.
  • Enable security features on your phone, such as antivirus software and spam filters.
  • Use two-factor authentication (2FA) for your accounts.

If you fall victim to a smishing attack:

  • Immediately change the passwords for any affected accounts.
  • Enable two-factor authentication (2FA) on your accounts.
  • Monitor your financial accounts for any unauthorized transactions.
  • Report the incident to your bank, mobile carrier, and any affected organizations.
  • Consider running a security scan on your device to check for malware.

Yes, several tools and apps can help prevent smishing:

  • Mobile security apps that offer real-time threat detection, call blocking, and SMS filtering.
  • Antivirus and anti-malware software for mobile devices.
  • Spam filters provided by mobile carriers or messaging apps.
  • Password managers to create and store strong, unique passwords.

Attackers can obtain phone numbers through various methods, including:

  • Purchasing lists of phone numbers from the dark web.
  • Harvesting numbers from social media profiles and online directories.
  • Exploiting data breaches that expose personal information.
  • Using automated tools to generate phone numbers.

Ignoring smishing messages is generally the best course of action. However, if you frequently receive such messages, it may indicate that your phone number is on a list targeted by attackers. It's important to remain vigilant and report persistent smishing attempts to your mobile carrier and relevant authorities.