What is smishing?
Smishing is a type of electronic fraud, similar to email phishing, where fraudsters send SMS messages to potential victims, pretending to be from legitimate companies, in an attempt to steal personal information or spread malware.
Much like a fisherman using realistic bait to attract a fish to their hook, the fraudster will capture people’s attention with a variety of tactics designed to engage them without arousing their suspicions.
What’s the difference between phishing and smishing?
Smishing is simply the SMS equivalent of phishing in that the ‘bait’ message is delivered by SMS rather than email.
This means that the receiving device will most likely be a mobile rather than a PC, so any malware included in the attack will be designed to infect a mobile device and spread via the phone’s contacts.
Smishing messages will also be delivered via the mobile network rather than the internet, so a different set of security solutions have to be put in place to combat attacks (more on this later).
How does smishing work?
Effective smishing attacks rely on a recipient taking an action that they would not otherwise have done. This could simply be clicking on a link in an SMS message, or submitting private information by return SMS or via a fake landing page.
Scammers have a number of ways of persuading people to take this action, including impersonating trusted brands or using multi-stage social engineering tactics that exploit harvested data or information provided in the initial approach to make the final attack more believable. This could be anything from a name and address to an account number.
There are broadly three types of smishing attacks ranging from borderline-legal guerrilla marketing tactics, all the way through to sophisticated multi-stage criminal attacks that can have significant financial impact on victims.
1. Copycat marketing
In the grey area of the law a business may contact a person pretending to be, or simply suggesting that they are a well-known brand that the person already knows and trusts. The victim in this case is deceived into viewing a product or offer that they would not otherwise have paid any attention to.
Is this a crime? Certainly, it is illegal to directly impersonate a trademarked brand, but unscrupulous companies bend the law by using similar branding and messaging to established businesses.
2. Malware attacks
This type of attack is malicious but has limited sophistication. Again, recipients are fooled into believing that the message is from a legitimate source, but this time the link they are encouraged to click on will download malware onto the device that could infect it and potentially distribute itself automatically via the phone’s contact list.
A recent example of this was the Flubot which targeted android devices and was designed to steal online banking details and other private data. It took an international initiative involving the police forces of eleven countries to put a stop to it.
All modern smart phones whether Android or iOS will have security features that stop the silent downloading of malware, but these features are far less effective when users voluntarily download something or provide their personal data to a third party through deceit.
3. Fake landing pages
The most brazen, sophisticated, and costly form of smishing is where fraudsters mimic messages from legitimate businesses to their customers, encouraging them to visit a fake landing page where they are instructed to enter personal information and login credentials. These details are then stolen and used by criminals to access the real accounts.
These landing pages use one-off or very short-lived URLs which make them almost impossible to trace.
Again, the most successful smishing attacks will include coordinated social engineering tactics that make use of known data to make them more believable. Harvested information will often be stored and used in a later attack. After sufficient time has passed the victim will not put two and two together and realize that they are getting scammed.
How did fraudsters get my mobile number?
Victims of smishing attacks may rightly ask how their number fell into criminal hands. Unfortunately, there are all sorts of ways this can happen as we provide our mobile number to all types of organizations every day of our lives.
- Data breaches: When hackers gain access to an organization’s customer database, the information they steal could include anything from login and password details to addresses, and of course mobile phone numbers. These people may not use the information themselves but sell it on to other criminals that specialize in particular types of fraud. So customers of a particular bank or airline that suffered a data breach may find that months or even years down the line they start getting fraudulent messages once their number has found its way to a smishing specialist.
- Bought lists: Once a mobile number has fallen into the wrong hands it can be added to lists that are then bought and sold on the dark web by scammers.
- Website scraping: You may not know it, but your phone number may be listed in multiple legitimate places on the internet. Anything from old social media profiles, the websites of organizations or clubs that you once belonged to, or on third-party business directories. Fraudsters will use software that continually scans the internet looking for combinations of numbers that look like phone numbers and add these to lists to be sold on.
- Saved form data on your browser: Depending on your browser settings, when you fill out a web form the information that you enter can be saved in memory so that the browser ‘remembers’ your details the next time you fill out a similar form. If this data is not locked down by the browser, it can be found and extracted by malware that then transmits it to external third parties.
- Random number generators: There really is not much that you can do about this. Mobile numbers have a consistent length and format in most countries, so it isn’t difficult for software to generate vast lists of potential phone numbers that can then be verified by automatic dialers. Do you ever get random calls that ring just once? That could be the dialers checking if your number exists.
What are some examples of smishing?
Now that you know what it is, what does a smishing text look like? There are many flavors of message but the one thing they have in common is a strong prompt for the recipient to take an action. Usually they are offering you something attractive, or alerting you to something bad that could cost you financially, or cause embarrassment if you don’t act soon. The sense of urgency encourages victims to act quickly without giving it much thought.
Here are six well known examples – though the list is by no-means exhaustive. Scammers are very good at adapting and unscrupulously using current events like the war in Ukraine or a crypto crash to add legitimacy to their scams.
You’ve won a competition! (that you never entered)
Starting on the less sophisticated (and less plausible) end of the spectrum, we have all had messages that promise an unexpected boost to our bank balances. Ranging from lottery wins to inheritances from unknown relatives or even Nigerian royalty. It seems that the carrot of a big pay day is enough to make some people drop their guard and click on a link or provide personal information.
This approach has grown in prominence over the past two years as so many more people are shopping online, and retailers have rushed to roll out new SMS notification use cases. Fraudsters have been quick to exploit this opportunity and create very realistic messages from retailers and delivery companies that flag ‘an issue with your delivery’. They may ask the recipient to pay additional delivery charges or enter their login credentials to get more information about the problem.
Bank fraud message
Ironically, one of the most successful smishing tactics is for fraudsters to mimic a message from a bank flagging unusual activity on the customer’s account. These messages are easy to copy as they follow a consistent format and as there are a limited number of retail banks, there is a high probability that recipients will recognize their own bank as the sender.
The message will likely encourage the person to change their password to prevent any further fraudulent activity. Clicking on a link in the message takes the user to a fake login page where they are asked for their login credentials to change their password.
With these details the criminals have a window of opportunity to login themselves and transfer money from the account before the victim notices. Many banks are becoming wise to this tactic and incorporating 2FA checks when an account is accessed from a new device, or the requested amount goes above a certain threshold.
The mutual friend/colleague
This approach uses some very basic social engineering tactics to exponentially improve the effectiveness of the smishing attack. If a message includes the name and details of a person we know and trust, then we are far more likely to believe that it is legitimate.
All the scammers have to do is to scrape victims’ social media accounts to work out who their close friends or business acquaintances are, and then use this information. Perhaps by offering them a job, an unmissable business opportunity, or an invitation to an event that would be right up their street.
Social media alert
People seem to lose their sense of perspective when faced with the possibility that there is an unflattering picture of them on the internet. A very successful tactic has been SMS messages that claim to be from a social-media Samaritan alerting the person about something they wouldn’t like :
“You won’t believe the photo that Muhammad tagged you in on Facebook! Check this out….”
The good cause donation
This callous tactic preys on the good intentions of people. When there is a prominent event in the news like a natural disaster, a war, or a refugee crisis, the scammers will use this as a way of persuading people to donate money or provide personal information that can then be used fraudulently.
How telecom providers can prevent smishing
As the sophistication of smishing attacks grows and it becomes even more difficult for mobile subscribers to recognize them, it becomes the responsibility of telecom operators to block them before they reach their customers. It is in their own interest to take a proactive approach. Successful attacks will erode confidence in A2P messaging, causing customers and the brands they buy from to move away from SMS and therefore reduce revenue opportunities.
Luckily mobile operators have an ally in the fight. By partnering with the right vendor they can access both the SMS firewall technology and expertise to help secure their mobile eco-systems. We already work with over 120 telecoms around the globe and help to protect over 1.1 billion mobile users with a rich set of tools that include:
- Links to a continually updated database of malicious URLs that can be automatically blocked in real-time
- Proactive threat detection which uses machine learning to preempt attacks
- Automated responses to identified threats
- Detection of MSISDNs that are not “real customers” based on SIM box detection that can provide MSISDN reputation analysis
Just as important as the features they provide, our SMS firewalls are backed up by a global team of intelligence and security experts. In such a constantly evolving space, it is these people’s job to detect new types of threat and ensure that we can help to protect against it.
Join the growing list of telecom providers that are providing the best possible security for their subscribers.
Talk to a mobile security expert