How You Can Identify & Prevent “Smishing,” or SMS Text Scams
Picture this: an email appears in your inbox at work. It’s from your boss; apparently, a vendor — one you know the company uses — is saying you must pay for a shipment now, or a crucial order will be canceled. Your “boss” instructs you to forward him the details for one of your company’s accounts to make the payment.
You don’t panic, though, because you’ve already learned to recognize the red flags of phishing.
This is a common trick that fraudsters use to get you to download malicious software, send money, or disclose sensitive information. Luckily, you’re smart enough to know not to take the bait.
However, what if you received the message as a text sent to your phone, rather than an email? Would you respond the same way?
So-called “smishing” attacks can be just as dangerous as email phishing. From the fraudster’s perspective, though, it can be a much more effective technique, as most targets don’t know how to respond.
Recommended reading
- Address Fraud: How Criminals Swap Addresses to Abuse Victims
- The Top 5 Prepaid Card Scams to Watch Out For in 2024
- How do Banks Conduct Credit Card Fraud Investigations?
- Key Credit Card Fraud Statistics to Know for 2024
- Scammers See Opportunity as March Madness Begins
- Man-in-the-Middle Attacks: 10 Tips to Prevent These Scams
What is Smishing?
- Smishing
Smishing is the fraudulent practice of using fake text messages in an attempt to steal confidential information, such as passwords or credit card numbers.
[noun]/s • miSH • əng/Smishing is a portmanteau of “SMS” and “phishing.” As the name implies, it’s a kind of phishing attack, but instead of targeting victims through emails or websites, smishing relies on mobile (SMS) text messaging. It’s just one more way for fraudsters to turn technology against both consumers and businesses.
Some smishing messages are obviously scams. For example, imagine that a person you’ve never met, and who has no connection to you, sends you a text asking for a “favor.” The favor involves restricted personal or company information such as credit card numbers. It’s an obvious scam, and few people would fall for that.
Other fraudsters are sneakier. The sender is realistic; for instance, they’re posing as a coworker, a manager from another department, or a friend of a friend. The request feels legitimate, as well; the sender’s message is in the voice of the person they’re impersonating. If it’s worded carefully, the message may convince you that it’s authentic.
Vishing is another, similar scam to watch for. It has the same end goal as smishing (to trick the victim into giving over sensitive data). However, vishing uses phone calls and voice messaging instead of SMS texts.
In most cases, smishers are after confidential information. For example:
- Credit card or online account credentials
- Banking or other financial info
- Work login passwords and usernames
- Internal business directories
- Social Security numbers
- ZIP codes
- Customer or vendor lists
Yes; even something like a vendor list would allow them to target specific individuals in the company, like the CEO or CFO.
How Do Smishing Attacks Work?
Smishing attempts can come from standard messaging apps, non-SMS messaging like WhatsApp, or even through social media messaging. Attacks targeting businesses can, in some cases, use a company directory to make the messages seem more legitimate.
There are myriad scams that smishers can use to manipulate victims into taking a desired action. The most popular tricks we’re seeing currently include:
- Free Covid testing (or stimulus money)
- Overdrawn accounts or past-due payment warnings
- Getting paid for answering surveys
- Receiving gifts or rewards
- Compromised account warnings
- Order or delivery confirmations
- Phony apps update
- Notice of attempted delivery
- Friend, family, or colleague's emergency
As for the action in question, smishers tend to follow one of three strategies when they attack:
This may be a link to a site or malware, as we saw above. It could also be a request for account information to “confirm” a transaction. When businesses are targeted, it may seem like a simple request that reveals company data.
While they’re certainly a threat to individuals, the majority of smishing attacks currently seem to be targeted at businesses. That makes complete sense: corporate credit cards or bank accounts are typically going to be more profitable than a single person’s.
How Smishing Impacts Businesses
Smishing can be a real nightmare for businesses.
Instead of targeting random individuals, hackers target employees of a specific business, then try to trick those employees into giving away sensitive information. The scams are simple: a cybercriminal may pose as a company executive asking for an account number, or telling an employee to pay an invoice from their own account. If this sort of attack is successful, it can have a major, long-lasting impact on the business’ reputation and financial future. You could see:
- Business disruption
- Loss of customer confidence (especially in cases of data breach)
- Loss of company value/investors
- Reputational damage with vendors, banks, etc
- Potential fines and fees (in cases that involve theft of customer data)
- Loss of intellectual property, research findings, trade secrets, or proprietary designs.
How Big of a Problem is Smishing?
Smishing already poses a huge threat, but that threat is growing as people spend more time communicating on their devices. In some cases, it may even work better than conventional phishing. This is true for a variety of reasons:
Opportunity: With an estimated 280 million active cell phones in the US alone, anyone could be a potential victim.
Texts are Shorter: Texts are generally quick and easy to read. This works to the sender’s advantage, since a lack of information can drive curiosity, or lead a victim to act without thinking fully.
It’s Easy: in the US, Phone numbers all follow the same pattern: (123) 456-7890. A simple calculator can easily produce every possible combination to use with an automated texting
Texts Get Read: Check your email. How many messages are waiting on a response? Or worse, haven’t even been read? Compare that to your texts, and you can start to see the benefit.
We’re Distracted: If we’re otherwise engaged when we receive a text – and we usually are – we may respond without thinking.
Social Media: Social media accounts are often connected to phone numbers, corporate accounts, and more. This can make it easier to make a message sound convincing.
Red Flags of Smishing
One of the most important steps in smishing protection is to recognize some of the warning signs. For businesses, this means making sure your staff is aware of some of the triggers.
Obviously, none of these conclusively prove that a message is fraudulent. But, when taken together, they might be cause for closer examination:
How to Defend Against Smishing Attacks
So, what should you do if you receive a strange text message, and suspect it may be a smishing attempt? Here are a few recommendations:
- Respond Visa Official Channels: If you have any doubts at all about a text’s legitimacy, contact the alleged sender directly using official channels.
- Don’t Engage: Any prompt to reply, even something as simple as texting “STOP” to unsubscribe, can be a trick to identify active phone numbers.
- Check the Phone Number: Does the sender’s number seem legitimate? Scammers have an entire range of tactics to mask their phone numbers.
- Slow down: Stop and consider urgent account updates and limited-time offers. Is it really important to act in that moment? Does the threat make sense?
The threat from smishing continues to grow, and that probably won’t change. But, there is no better tool to use against smishing than education. You need to teaching yourself, as well as your employees, to identify, report, and negate smishing threats.
Of course, there’s a lot more to fraud prevention than identifying smishing attacks. True fraud prevention and risk mitigation require a more comprehensive approach. If you’d like to know more, contact Chargebacks911® today.
FAQs
What is smishing vs. phishing?
While both are electronic attacks that aim to steal personal (or company) information, phishing often does so through emails and links. Smishing uses text messages or popular messaging apps, specifically.
What is an example of smishing?
In one common type of smishing, the victim will receive a vague text claiming a package could not be delivered, along with a link to respond. Clicking the link downloads malware on the victim’s phone, or may lead to a bogus site requesting personal information in order to “confirm” delivery information.
What happens if you click on a smishing text?
Clicking on a smisher’s link may take the victim to a fake website and attempt to gain their personal details. It could also infect the victim’s mobile device with malware designed to steal personal or financial information stored on the device. This type of software can continue to send messages back to the fraudster until it is discovered.
What are the red flags for smishing?
A few of the warning signs of smishing include: claiming to be from a legitimate source but requesting personal information; the presence of suspicious URLs; demands for an immediate response; emotional requests for money or information; offers for unexpected prizes or rewards.
Can hackers get into your phone by text messages?
Yes. Hackers can exploit vulnerabilities in both iOS and Android operating systems to gain unauthorized access to stored personal information on your phone. That said, current techniques require the victim to actively click a link or call-through number.
