
Do you remember the last time you interacted with a brand, political cause, or fundraising campaign via text message? Have you noticed these communications occurring more frequently as of late?

It’s no accident. Whereas marketers and communications professionals can’t count on email opens or users accepting push notifications from apps, they’re well aware that around 98% of SMS messages are read within seconds of being received.


As with any development in how we communicate, the rise in brand-related text messaging has attracted scammers looking to profit. Hence we arrive at a funny new word in the cybersecurity lexicon, “smishing.” Mathematical minds might understand it better represented by the following equation:

SMS + Phishing = Smishing

For the rest of us, smishing is the act of using text messages to trick individuals into divulging sensitive information, visiting a risky site, or downloading a malicious app onto a smartphone. These often benign-seeming messages might ask you to confirm banking details, verify account information, or subscribe to an email newsletter via a link delivered by SMS.

As with phishing emails, the end goal is to trick a user into an action that plays into the hands of cybercriminals. Shockingly, smishing campaigns often closely follow natural disasters as scammers try to prey on the charitable to divert funds into their own pockets.

Smishing vs Vishing vs Phishing

If you’re at all concerned with the latest techniques cybercriminals are using to defraud their victims, your vocabulary may be running over with terms for the newest tactics. Here’s a brief refresher to help keep them straight.

  • Smishing, as described above, uses text messages to extract the sought-after information. Different smishing techniques are discussed below.
  • Vishing is when a fraudulent actor calls a victim pretending to be from a reputable organization and tries to extract personal information, such as banking or credit card information.
  • Phishing is any type of social engineering attack aimed at getting a victim to voluntarily turn over valuable information by pretending to be a legitimate source. Both smishing and vishing are variations of this tactic.

Examples of Smishing Techniques

Enterprising scammers have devised a number of methods for smishing smartphone users. Here are a few popular techniques to be aware of:

  • Sending a link that triggers the downloading of a malicious app. Clicks can trigger automatic downloads on smartphones the same way they can on desktop internet browsers. In smishing campaigns, these apps are often designed to track your keystrokes, steal your identity, cede control of your phone to hackers, or encrypt the files on your phone and hold them for ransom.
  • Linking to information-capturing forms. In the same way many email phishing campaigns aim to direct their victims to online forms where their information can be stolen, this technique uses text messages to do the same. Once a user has clicked on the link and been redirected, any information entered into the form can be read and misused by scammers.
  • Targeting users with personal information. In a variation of spear phishing, committed smishers may research a user’s social media activity in order to entice their target with highly personalized bait text messages. The end goal is the same as any phishing attack, but it’s important to know that these scammers do sometimes come armed with your personal information to give their ruse a real feel.
  • Referrals to tech support. Again, this technique is a variation on the classic tech support scam, or it could be thought of as the “vish via smish.” An SMS message will instruct the recipient to contact a customer support line via a number that’s provided. Once on the line, the scammer will try to pry information from the caller by pretending to be a legitimate customer service representative.

How to Prevent Smishing

For all the conveniences technology has bestowed upon us, it’s also opened us up to more ways to be ripped off. But if a text message from an unknown number promising to rid you of mortgage debt (but only if you act fast) raises your suspicion, then you’re already on the right track to avoiding falling for smishing.

Here are a few other best practices for frustrating these attacks:

  • Look for all the same signs you would if you were concerned an email was a phishing attempt: 1) Check for spelling errors and grammar mistakes, 2) Visit the sender’s website itself rather than providing information in the message, and 3) Verify the sender’s telephone address to make sure it matches that of the company it purports to belong to.
  • Never provide financial or payment information on anything other than the trusted website itself.
  • Don’t click on links from unknown senders or those you do not trust.
  • Be wary of “act fast,” “sign up now,” or other pushy and too-good-to-be-true offers.
  • Always type web addresses in a browser rather than clicking on the link.
  • Install a mobile-compatible antivirus on your smart devices.
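
The warning signs in the checklist above can also be checked mechanically, for example when triaging messages that users report. This is an added example, not code from the original post; the `triage_sms` helper, the short code, phone numbers and domains are constructed placeholders, and the keyword lists are assumptions drawn from the phrases the post mentions.

```python
import re
from urllib.parse import urlsplit

URGENCY = ("act fast", "sign up now")            # pressure phrases named in the checklist
REQUESTS = ("confirm", "verify", "account", "banking", "card")
URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"']+", re.I)
PHONE_RE = re.compile(r"(?<!\d)\+?\d(?:[\s().-]*\d){9,14}(?!\d)")

def link_hosts(text):
    """Return the lowercase hostname of every URL found in the message."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw if "://" in raw else "http://" + raw
        host = urlsplit(url.rstrip(".,;:!?)")).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def is_trusted(host, trusted_domains):
    """Exact domain or a true subdomain; a look-alike prefix does not count."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)

def triage_sms(sender, text, known_senders, trusted_domains):
    """Return the warning signs present in one message (empty list = none found)."""
    lowered, findings = text.lower(), []
    if sender not in known_senders:
        findings.append("unknown_sender")
    if any(p in lowered for p in URGENCY):
        findings.append("urgency")
    if any(w in lowered for w in REQUESTS):
        findings.append("asks_for_details")
    if any(not is_trusted(h, trusted_domains) for h in link_hosts(text)):
        findings.append("untrusted_link")
    if PHONE_RE.search(URL_RE.sub(" ", text)):   # a number to call back
        findings.append("callback_number")
    return findings

# Constructed sample messages; numbers, short code and domains are placeholders.
KNOWN_SENDERS = {"72000"}
TRUSTED_DOMAINS = {"examplebank.com"}
SAMPLES = [
    ("+15550100", "Your account is locked. Act fast and verify at "
                  "http://examplebank.com.secure-login.example/verify"),
    ("72000", "Your statement is ready at https://www.examplebank.com/statements"),
    ("+15550111", "Support alert: a problem was found on your phone. "
                  "Call +1 (555) 010-0199."),
]

def run_samples():
    return [triage_sms(s, t, KNOWN_SENDERS, TRUSTED_DOMAINS) for s, t in SAMPLES]
```

The first sample shows why the link check compares the end of the hostname: the trusted name appears at the front of the link, but the domain actually being visited is a different one.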

The post Smishing Explained: What It Is and How You Can Prevent It appeared first on Webroot Blog.