Recognizing and Avoiding Smishing Attacks
What is smishing?
Smishing is an attack vector that uses text messages (SMS) to deceive its targets into providing information such as login credentials, financial account data, or sensitive personal details. The number of smishing attacks is on the rise, with some analysts attributing its growth in popularity to the increase in the number of people working remotely and relying more on their personal devices for communication. According to the FBI Internet Crime Complaint Center’s (IC3) Internet Crime Report for 2020, the combined total of reported losses attributed to the related social engineering attack vectors of smishing, vishing, phishing, and pharming exceeded $54 million for the year.
| Term | Meaning |
|---|---|
| Smishing | Cyberattack via SMS |
| Vishing | Cyberattack via voice call or voicemail |
| Phishing | Cyberattack via email |
| Pharming | Cyberattack via redirection of web traffic from a legitimate site to a fake one |
To avoid falling victim to smishing and similar attacks, you first need to know how to recognize them.
What do smishing attacks look like?
Smishing texts frequently claim that a bank transfer has occurred or that some pending account activity requires authorization before it can be processed. These messages may include fake authorization codes, supposedly needed to complete the transaction. Recipients are instructed to click a link in the text if they did not authorize the transfer or other activity. Clicking the link takes victims to a malicious “pharming” site that asks for the personal information and account credentials supposedly needed to complete whatever action the message demands. Similar attacks target cryptocurrency holders, warning of suspicious account activity that requires their authorization.
Some texts may be crafted to appear as though they come from law enforcement, the DMV, or other governmental agencies. These could include links to pharming sites, or they may request information directly from their recipients. A message might indicate that the recipient is in some sort of trouble. Some even threaten arrest if no action is taken. Some provide phone numbers to call where those who fall for the scam will unknowingly be speaking directly with the scammers. This combines vishing (voice call) attacks with smishing and has become quite common.
In a significant percentage of smishing attacks, recipients receive texts indicating that there is some issue with package delivery even though they hadn’t ordered anything. These texts often include a link to download malware disguised as a delivery tracking app. For example:
A January 2021 DigitalShadows.com blog post described an incident where malware that captured banking credentials was installed when message recipients clicked a link in a text that appeared to be from DHL, a well-known delivery service. Clicking the link prompted the user to download what appeared to be a legitimate DHL parcel tracking app. The message included detailed, step-by-step instructions for recipients to change their device security settings, which in turn enabled the installation of malware apps. A surprising number of recipients followed those instructions and unwittingly downloaded the credential harvesting app which could not have been installed had they not first changed those security settings.
More recently, phishing messages carrying links to banking malware for credential harvesting were found to target Android users in particular. The same DigitalShadows.com post also described a credential-harvesting smishing attack in which targeted individuals were asked to click a link to perform an authentication step in their Google account. The perpetrators stole the victims’ Google login credentials and used them to gain access to a wide range of sensitive accounts and personal data that could be used in further attacks.
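As an added illustration that is not part of the original article, the following Python script scores constructed sample texts against the indicators described in this section: bank transfer and authorization-code lures, package delivery lures, government impersonation with threats of arrest, urgency, callback numbers, and instructions to change device security settings. The sample messages, indicator patterns, and flagging threshold are assumptions made for the example, not a vendor's or the authors' detection logic.

```python
import re

# Constructed sample messages (not real SMS traffic) modelled on the tactics
# described above; the last one is a benign control message.
SAMPLE_MESSAGES = [
    "ALERT: A transfer of $2,400 was made from your account. Auth code 48213. "
    "If you did not authorize this, verify now at http://bank-secure.example/verify",
    "DHL: your parcel is on hold. Install the tracking app here: http://dhl-track.example/app "
    "(Settings > Security > allow unknown sources first)",
    "This is the DMV. Your license is suspended and a warrant will be issued. "
    "Call 555-0100 immediately to avoid arrest.",
    "Hey, running 10 min late, see you at the cafe",
]

# Each indicator is a (name, regex) pair; the patterns are illustrative assumptions
# drawn from the lures the article lists, not a complete rule set.
INDICATORS = [
    ("link", re.compile(r"https?://\S+", re.I)),
    ("money_transfer", re.compile(r"\b(transfer|funds?|bank|account)\b", re.I)),
    ("auth_code", re.compile(r"\b(auth(orization)?|verification) code\b", re.I)),
    ("package_delivery", re.compile(r"\b(parcel|package|delivery|tracking)\b", re.I)),
    ("gov_impersonation", re.compile(r"\b(DMV|IRS|police|law enforcement|warrant)\b", re.I)),
    ("threat", re.compile(r"\b(arrest|suspended|legal action)\b", re.I)),
    ("urgency", re.compile(r"\b(immediately|now|urgent|within 24 hours)\b", re.I)),
    ("security_settings", re.compile(r"\b(unknown sources|security settings?|disable)\b", re.I)),
    ("callback_number", re.compile(r"\b\d{3}-\d{4}\b")),
]


def score_message(text):
    """Return (score, matched indicator names) for one SMS body."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    return len(hits), hits


def is_suspicious(text, threshold=2):
    """Flag a message that matches at least `threshold` indicators (assumed default: 2)."""
    score, _ = score_message(text)
    return score >= threshold


def triage(messages, threshold=2):
    """Return (flagged, hits) per message, suitable for a review queue or user warning."""
    return [(is_suspicious(m, threshold), score_message(m)[1]) for m in messages]


if __name__ == "__main__":
    for msg, (flagged, hits) in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print("SUSPICIOUS" if flagged else "ok        ", hits, "|", msg[:60])
```

A single indicator (for example, a bare link) is not enough to flag a message on its own; it is the combination of a lure, urgency, and a call to action that matches the patterns the article describes.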
How to Protect Yourself from Smishing Attacks
So how do you protect yourself (and your organization) from smishing attacks? Here are some tips to help you avoid becoming a victim of smishing and other similar social engineering attacks:
- First, be wary – be very wary – of any text message you receive that you are not expecting or that you have not requested. Typically, you won’t receive a text with a link to download a package tracking app unless you requested it to track something you actually ordered.
- Never – and we mean absolutely never, ever – change your device security settings because an app requests that you do so. If a text message includes instructions for disabling security controls on your device, as in the example provided previously, it’s an excellent indicator that you’re dealing with a criminal scammer. To alter a popular marketing slogan, just don’t do it – don’t click that link. Instead, block the sender and permanently delete the message (that’s good advice for all other variations of any of the attack types mentioned above).
- Remember – nothing is truly free. If you are offered something for nothing in a text message or email, your data, and perhaps access to your bank account or enough information to steal your identity, is the price you may end up paying for accepting the offer. Messages indicating you’ve won money and that all you need to do to collect is provide your bank account information or send a “small fee” to facilitate the transfer are always scams.
- Only download apps from Google Play or the Apple App Store. Although some apps later found to be questionable have occasionally gotten past the screeners and made it into their inventories, apps downloaded from these “official” providers are generally far safer.
- Representatives of governmental agencies (DMV, IRS, law enforcement, etc.) will never use text messages to initiate contact with you. Law enforcement personnel and IRS agents simply will not send texts threatening to arrest you or others. If you receive a message like that and you’re still concerned, go old-school and call local law enforcement or the agency the message sender claims to represent. Use a number you know to be correct, not one provided in the text message.
- If you are asked for information totally unrelated to the subject of a text message, don’t provide it. Legitimate delivery services are not going to send you a text asking for your bank account credentials, credit card information, personal information, or anything like that.
- Do not succumb to pressure tactics. Verify the information before you take an action that could end up being very costly. If, for example, a message indicates your bank account has been compromised, call your bank using a number you know to be correct (like one found on the back of your credit or debit card) and let them know what’s going on. Again, don’t call a number or click a link provided in the message. Cyber con artists frequently attempt to convey a sense of urgency to cause their victims to act in haste without verifying their claims.
- As with phishing attack emails, misspelled/misused words and grammatical errors can be good indicators that a text message is malicious. Just think about that – when was the last time you got a legitimate email from your bank or an online vendor like Amazon that had poor English? The criminals that orchestrate these scams are often based in foreign nations, and English probably isn’t their first language; thus, they tend to make frequent grammar mistakes. You can rest assured that any such mistakes are nearly 100% proof that the message is illegitimate.
- If you think you’ve accidentally installed malware on your device, back up your data (if you don’t already do so – most mobile devices prompt you to do that from the outset), perform a factory reset on your device, and change the login credentials for any accounts you’ve either stored on the device or logged into since you downloaded the suspected malware. If you need assistance, your device’s service provider can usually help.
Smishing is growing in popularity among cybercriminals, and it incorporates tactics similar to those used in phishing and vishing attacks. Following the recommendations above will help you avoid becoming a victim of these crimes. If you find that you have been scammed by a cybercriminal – or even just think you have – you can report the incident to the Federal Trade Commission at ReportFraud.FTC.gov. The FTC works with hundreds of law enforcement agencies to bring these bad actors to justice and offers resources to help victims recover.
You can also reach out to our cyber experts at BIA, who specialize in services that address and remediate digital risks, including data breach discovery, social media investigations, and deep web/dark web investigation.