Smishing is a phishing cybersecurity attack carried out over mobile text messaging, also known as SMS phishing.
As a variant of phishing, victims are deceived into giving sensitive information to a disguised attacker. SMS phishing can be assisted by malware or fraud websites. It occurs on many mobile text messaging platforms, including non-SMS channels like data-based mobile messaging apps.
Smishing is SMS text phishing. The term is a portmanteau of “SMS text messages” and “phishing,” so smishing is a type of phishing that takes place via short message service (SMS) messages, otherwise known as the text messages you receive on your phone through your cellular carrier. (SMS is a two-way paging system that carriers use to transmit messages.) The goal of smishing is to scam or otherwise manipulate consumers or an organization’s employees.
These types of messages generally involve some type of content that will prompt you to click on a link. If you do press the link, it’ll take you to a website that tries to get you to provide your login details or other information. The goal here is to get you to provide information that the cybercriminal can use to:
- Access your personal or work-related accounts,
- Commit identity fraud, or
- Engage in some other type of malicious activities.
Common Types of SMS Phishing Scams
Wondering what some of the most common smishing text scams are? Don’t worry, we’ll show you many real examples of smishing text messages shortly. But just to give you a quick idea, here are a few of the common types of SMS phishing scams cybercriminals use nowadays:
- Texts from banks, investment firms and other financial institutions stating there’s an issue with your account.
- Messages promising free money, products or services.
- Text messages from companies & service providers stating that there’s an issue and you need to update your payment account information.
- Messages from various “authorities” about COVID-19 contact tracing updates and various pandemic-related resources.
How does Smishing work?
Deception and fraud are the core components of any SMS phishing attack. As the attacker assumes an identity that you might trust, you are more likely to succumb to their requests.
Social engineering principles allow smishing attackers to manipulate a victim’s decision-making. The driving factors of this deception are three-fold:
- Trust: By posing as legitimate individuals and organizations, cybercriminals lower their target’s skepticism. SMS texts, as a more personal communication channel, also naturally lower a person’s defenses against threats.
- Context: Using a situation that could be relevant to targets allows an attacker to build an effective disguise. The message feels personalized, which helps it override any suspicion that it might be spam.
- Emotion: By heightening a target’s emotions, attackers can override their target’s critical thinking and spur them into rapid action.
How to prevent smishing
There’s one more stat from Proofpoint’s report that we want to discuss, and it gets to the heart of how enterprises can help foil smishing attacks: only 25% of surveyed organizations (and only 17% in the United States) run smishing or vishing simulations to help train staff to recognize and react appropriately to these attacks. At the organizations that do run these simulations, the failure rate is 6% — not disastrous, but not great, either.
These types of simulations are one of the best ways for enterprises to train their employees on how to avoid being smished. They should form part of your ongoing security awareness training regimen, along with phishing and vishing simulations. Simulated smishing attacks can help you target your training efforts, making it clear whether additional training is needed and which users are particularly vulnerable.
But if your employer doesn’t run simulations or hold training programs, you can still educate yourself to resist smishing attacks. Zipwhip has some common-sense advice:
- Be wary of texts using unnatural or ungrammatical language.
- The IRS and Social Security Administration don’t communicate via text.
- Don’t click embedded links or download apps directly from a text message.
- Offers that seem too good to be true usually are.
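As an added illustration (not part of the original article or Zipwhip's advice), the red flags above and the scam types listed earlier can be encoded as a weighted triage heuristic that an SMS gateway, MDM tool or helpdesk could run over reported texts. The sample messages, rule patterns and weights are constructed for this example; a single signal such as a lone link stays below the threshold so ordinary notifications are not flagged.

```python
import re

# Constructed sample texts (not real smishing messages) exercising the red flags
# the page lists: embedded links, impersonated agencies/companies, urgency,
# too-good-to-be-true offers and requests to update payment details.
SAMPLE_MESSAGES = [
    "URGENT: Your account has been suspended. Verify now at http://bit.ly/x1y2z3",
    "IRS: you are due a tax refund of $1,250. Claim it here: https://irs-refund-claim.example",
    "Congratulations! You have won a free iPhone. Reply YES to claim your prize",
    "Netflix: we could not process your payment. Update your billing info at http://netfIix-billing.example",
    "Your parcel was delivered. Photo: https://delivery.example/p/88121",
    "Hey, running 10 min late, see you at the cafe",
]

# (name, pattern, weight): each rule encodes one heuristic from the page.
RULES = [
    ("link", re.compile(r"https?://|\bwww\.", re.I), 2),
    ("urgency", re.compile(r"\b(urgent|immediately|suspended|locked|act now|verify now|within 24 hours)\b", re.I), 2),
    ("impersonation", re.compile(r"\b(irs|social security|ssa|bank|paypal|netflix|usps|fedex)\b", re.I), 2),
    ("free_offer", re.compile(r"\b(free|won|winner|prize|congratulations)\b", re.I), 2),
    ("payment_update", re.compile(r"\b(update|confirm)\b.{0,30}\b(payment|billing|card|account)\b", re.I), 2),
    ("call_to_action", re.compile(r"\b(reply|click|tap|call)\b", re.I), 1),
]


def score_message(text):
    """Return (score, matched rule names) for one SMS body."""
    hits = [name for name, pattern, _ in RULES if pattern.search(text)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits


def triage(messages, threshold=3):
    """Label a message 'suspicious' only when two or more signals stack up."""
    results = []
    for msg in messages:
        score, hits = score_message(msg)
        label = "suspicious" if score >= threshold else "ok"
        results.append({"text": msg, "score": score, "hits": hits, "label": label})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_MESSAGES):
        print(f"[{r['label']:>10}] score={r['score']} {r['hits']} :: {r['text'][:55]}")
```

The weights are deliberately coarse; in practice the hit list is more useful than the score, since it tells an analyst which lure (urgency, impersonation, payment update) a reported text relies on.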