Do you remember the last time you interacted with a brand, political cause, or fundraising campaign via text message? Have you noticed these communications occurring more frequently as of late?
It’s no accident. Whereas marketers and communications professionals can’t count on email opens or users accepting push notifications from apps, they’re well aware that around 98% of SMS messages are read within seconds of being received.
As with any development in how we communicate, the rise in brand-related text messaging has attracted scammers looking to profit. Hence we arrive at a funny new word in the cybersecurity lexicon, “smishing.” Mathematical minds might understand it better represented by the following equation:
SMS + Phishing = Smishing
For the rest of us, smishing is the act of using text messages to trick individuals into divulging sensitive information, visiting a risky site, or downloading a malicious app onto a smartphone. These often benign-seeming messages might ask you to confirm banking details, verify account information, or subscribe to an email newsletter via a link delivered by SMS.
As with phishing emails, the end goal is to trick a user into an action that plays into the hands of cybercriminals. Shockingly, smishing campaigns often closely follow natural disasters as scammers try to prey on the charitable to divert funds into their own pockets.
Smishing vs Vishing vs Phishing
If you’re at all concerned with the latest techniques cybercriminals are using to defraud their victims, your vocabulary may be running over with terms for the newest tactics. Here’s a brief refresher to help keep them straight.
- Smishing, as described above, uses text messages to extract the sought-after information. Different smishing techniques are discussed below.
- Vishing is when a fraudulent actor calls a victim pretending to be from a reputable organization and tries to extract personal information, such as banking or credit card information.
- Phishing is any type of social engineering attack aimed at getting a victim to voluntarily turn over valuable information by pretending to be a legitimate source. Both smishing and vishing are variations of this tactic.
Examples of Smishing Techniques
Enterprising scammers have devised a number of methods for smishing smartphone users. Here are a few popular techniques to be aware of:
- Sending a link that triggers the downloading of a malicious app. Clicks can trigger automatic downloads on smartphones the same way they can on desktop internet browsers. In smishing campaigns, these apps are often designed to track your keystrokes, steal your identity, cede control of your phone to hackers, or encrypt the files on your phone and hold them for ransom.
- Linking to information-capturing forms. In the same way many email phishing campaigns aim to direct their victims to online forms where their information can be stolen, this technique uses text messages to do the same. Once a user has clicked on the link and been redirected, any information entered into the form can be read and misused by scammers.
- Targeting users with personal information. In a variation of spear phishing, committed smishers may research a user’s social media activity in order to entice their target with highly personalized bait text messages. The end goal is the same as any phishing attack, but it’s important to know that these scammers do sometimes come armed with your personal information to give their ruse a real feel.
- Referrals to tech support. Again, this technique is a variation on the classic tech support scam, or it could be thought of as the “vish via smish.” An SMS message will instruct the recipient to contact a customer support line via a number that’s provided. Once on the line, the scammer will try to pry information from the caller by pretending to be a legitimate customer service representative.
How to Prevent Smishing
For all the conveniences technology has bestowed upon us, it’s also opened us up to more ways to be ripped off. But if a text message from an unknown number promising to rid you of mortgage debt (but only if you act fast) raises your suspicion, then you’re already on the right track to avoiding falling for smishing.
Here are a few other best practices for frustrating these attacks:
- Look for all the same signs you would if you were concerned an email was a phishing attempt: 1) Check for spelling errors and grammar mistakes, 2) Visit the sender’s website itself rather than providing information in the message, and 3) Verify the sender’s telephone number to make sure it matches that of the company it purports to belong to.
- Never provide financial or payment information on anything other than the trusted website itself.
- Don’t click on links from unknown senders or those you do not trust.
- Be wary of “act fast,” “sign up now,” or other pushy and too-good-to-be-true offers.
- Always type web addresses in a browser rather than clicking on the link.
- Install a mobile-compatible antivirus on your smart devices.
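Several of the checks above can be written down as a small triage function for incoming messages. This is an added example, not part of the original post; the sender allow-list, domains, phone numbers and sample messages are constructed, and the flag names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: sender ID -> that organization's official domain.
KNOWN_SENDERS = {"72345": "examplebank.example"}
URGENCY = ("act fast", "sign up now")  # pushy phrases named in the list above
SENSITIVE = ("banking details", "account information", "payment information")
URL_RE = re.compile(r"https?://\S+", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def digits(s):
    return re.sub(r"\D", "", s)

def host_matches(host, official):
    # Exact domain or a true subdomain only. A substring test would accept
    # lookalikes such as "examplebank.example.secure-login.test".
    return host == official or host.endswith("." + official)

def triage_sms(sender, text, known=KNOWN_SENDERS):
    """Return a list of warning flags for one SMS (empty list = nothing found)."""
    flags, lower = [], text.lower()
    official = known.get(sender)
    if official is None:
        flags.append("unknown_sender")
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").rstrip(".")
        if official is None:
            flags.append("link_from_unknown_sender")
        elif not host_matches(host, official):
            flags.append("link_domain_mismatch:" + host)
    if any(p in lower for p in URGENCY):
        flags.append("urgency_language")
    if any(p in lower for p in SENSITIVE):
        flags.append("asks_for_sensitive_info")
    # A phone number in the body that differs from the sender is the
    # "referral to tech support" pattern: the reply is steered to a call.
    for number in PHONE_RE.findall(URL_RE.sub(" ", text)):
        if digits(number) != digits(sender):
            flags.append("callback_number")
    return flags

SAMPLES = [  # constructed messages
    ("72345", "ExampleBank: your statement is ready at https://www.examplebank.example/statements"),
    ("72345", "Act fast! Verify your account information at http://examplebank.example.secure-login.test/verify"),
    ("+15550100", "Your device has a virus. Call support at +1 (555) 010-0199 now."),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, triage_sms(sender, text))
```

A sender ID can be spoofed, so the second sample is flagged on the link's domain even though the sender is on the allow-list.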
The post Smishing Explained: What It Is and How You Can Prevent It appeared first on Webroot Blog.