What is smishing and how to prevent it

In 2022, the FTC reported that US consumers lost $330 million to fraudulent texts. Not just individuals are affected; a staggering 74% of organizations worldwide reported experiencing smishing. In 2023, the Bank of Valletta (BOV) was even held responsible for a smishing scam that led to its clients losing money.

This shows that smishing is one of the biggest threats to the mobile industry today. It’s essential to understand what smishing is and how it works, but it’s equally important to know how to prevent it.

If you’re already familiar with smishing, you can skip right to the prevention chapter here.

Smishing has become increasingly popular among cybercriminals primarily because of two reasons:

Effective smishing attacks rely on a recipient taking an action, such as clicking on a link in an SMS message that takes them to a fake landing page or submitting private information by return SMS.

Popular scam tactics include impersonating trusted brands or using multi-stage social engineering tactics that exploit harvested data or information, which could be anything from a name and address to an account number.

Scammers are also very good at adapting, unscrupulously using current events like the war in Ukraine or a crypto crash to legitimize their scams.

There are broadly three types of smishing attacks, ranging from borderline-legal guerrilla marketing tactics to sophisticated multi-stage criminal attacks that can have a significant financial impact on victims.

The one thing all smishing attacks have in common is a strong prompt for the recipient to act quickly. Usually, they offer something attractive or alert the recipient to something bad that could cost much or cause embarrassment if not done soon. The sense of urgency encourages victims to act immediately without giving it much thought.

Starting on the less sophisticated (and less plausible) end of the spectrum, we have all received messages that promise an unexpected boost to our bank balances. These range from lottery wins to inheritances from unknown relatives or even Nigerian royalty. The carrot of a big pay day is often enough to make people drop their guard and click on a link or provide personal information.

This approach has grown in prominence over the past two years as more people shop online and retailers rush to roll out new SMS notification use cases. Fraudsters have quickly exploited this opportunity and created very realistic messages from retailers and delivery companies that flag ‘an issue with your delivery.’ They may ask the recipient to pay additional delivery charges or enter their login credentials to get more information about the problem.

Ironically, one of the most successful smishing tactics is for fraudsters to mimic a message from a bank flagging unusual activity on the customer’s account. These messages are easy to copy as they follow a consistent format and as there are a limited number of retail banks, there is a high probability that recipients will recognize their own bank as the sender.

The message will likely encourage the person to change their password to prevent any further fraudulent activity. Clicking on a link in the message takes the user to a fake login page where they are asked for their login credentials to change their password.

With these details, criminals have a window of opportunity to log in and transfer money from the account before the victim notices. Many banks are becoming wise to this tactic and incorporating 2FA checks when an account is accessed from a new device, or the requested amount goes above a certain threshold.

This approach uses some very basic social engineering tactics to improve the effectiveness of the smishing attack exponentially. If a message includes the name and details of a person we know and trust, then we are far more likely to believe that it is legitimate.

All the scammers have to do is scrape victims’ social media accounts to find out who their close friends or business acquaintances are. They then use this information, perhaps by offering them a job, an unmissable business opportunity, or an invitation to an event that would be right up their street.

People seem to lose their sense of perspective when faced with the possibility that there is an unflattering picture of them on the internet. A very successful tactic has been SMS messages that claim to be from a social-media Samaritan alerting the person about something they wouldn’t like: “You won’t believe the photo that John tagged you in on Facebook! Check this out….”

When a prominent event in the news occurs, such as elections, a natural disaster, a war, or a refugee crisis, scammers exploit it to persuade people to donate money or provide personal information that can then be used fraudulently.

Smishing prevention starts with mobile operators (MNOs), who can deploy various anti-fraud solutions to protect their networks against various types of SMS fraud. They play a crucial role in safeguarding the security of mobile users.

In Poland, for instance, there is a law called The Act on Combating Abuses in Electronic Communication (CAECA), which came into effect in 2023. It requires mobile operators to:

Not complying with these obligations could result in a fine of up to 3% of their revenue generated in the previous calendar year.

In the UK, leading telecom providers and the government are working together to combat fraud under the Telecommunications Fraud Sector Charter, through coordinated actions and solutions adhering to legal and data protection obligations. The actions defined by the charter include implementing additional techniques to block smishing:

NAB, an Australian bank, has also taken an active approach to combating fraud. It is placing the bank’s phone numbers on the ‘Do Not Originate’ list to help reduce scam calls impersonating the bank. They have also added additional protections to reduce scam messages appearing in legitimate bank text message threads, making it difficult for scammers to replicate NAB’s phone number.

Implementation of SMS firewalls is a crucial step in defense against smishing and other types of fraud. At Infobip, we already work with over 120 MNOs around the globe, helping them protect over 1.1 billion mobile users with an advanced SMS firewall that offers several key features:

In addition to an SMS firewall, we employ a straightforward plug-and-play solution called Signals. This tool is particularly effective for OTP traffic, employing a combination of strategies to identify and halt fraud. Signals monitors for unusual patterns and behaviors, uses data analysis to evaluate risks, and leverages machine learning to block fraudulent traffic in real time.

Here are some recommendations from the Federal Communications Commission (FCC) on how to protect yourself against smishing attempts:

The rise in smishing attacks will erode confidence in SMS, causing individual users and brands to move away from this channel. This will reduce revenue opportunities for players within the messaging ecosystem, all of which have a part to play:

Mobile operators bear a significant responsibility as they are the first line of defense against fraud. By protecting their networks, they can prevent these fraudulent messages from reaching users in the first place.

To do so, they need to collaborate with vendors capable of providing advanced anti-fraud solutions. With this, they not only safeguard their customers but also ensure the sustainability of their business revenue from A2P SMS in the long run.

This blog was originally published on August 31^st 2022, and last updated on April 15^th 2024. Updates include adding various examples of smishing attacks, and a new chapter on smishing prevention.