What is smishing and how to prevent it
Learn about smishing, and discover what mobile operators, brands, and users can do to protect themselves against one of today’s biggest threats in the mobile world.
Definition: Smishing, similar to email phishing, is a type of SMS fraud where fraudsters send SMS messages to potential victims, pretending to be from legitimate companies, in an attempt to steal personal information or spread malware.
In 2022, the FTC reported that US consumers lost $330 million to fraudulent texts. Individuals are not the only ones affected: 74% of organizations worldwide reported experiencing smishing. In 2023, the Bank of Valletta (BOV) was even held responsible for a smishing scam in which its clients lost money.
This shows that smishing is one of the biggest threats to the mobile industry today. It’s essential to understand what smishing is and how it works, but it’s equally important to know how to prevent it.
If you’re already familiar with smishing, you can skip straight to the prevention section below.
Smishing explained
Smishing has become increasingly popular among cybercriminals primarily because of two reasons:
- Users’ trust in SMS: SMS messages can have up to 98% open and 45% response rates. Cybercriminals exploit this tendency to trust SMS to trick users into performing actions that compromise security.
- Email oversaturation: Inboxes have become flooded with promotional offers and spam, making people more suspicious of emails, which in turn makes it a less effective medium for fraudsters.
How smishing works
Effective smishing attacks rely on a recipient taking an action, such as clicking on a link in an SMS message that takes them to a fake landing page or submitting private information by return SMS.
Popular scam tactics include impersonating trusted brands or using multi-stage social engineering tactics that exploit harvested data or information, which could be anything from a name and address to an account number.
Scammers also adapt quickly, unscrupulously using current events such as the war in Ukraine or a crypto crash to make their scams look credible.
Types of smishing attacks
Smishing attacks sit on a broad spectrum, ranging from borderline-legal guerrilla marketing tactics to sophisticated multi-stage criminal attacks that can have a significant financial impact on victims.
Examples of smishing attacks
The one thing all smishing attacks have in common is a strong prompt for the recipient to act quickly. Usually, they offer something attractive or alert the recipient to something bad that will cost them money or cause embarrassment if it is not dealt with soon. The sense of urgency pushes victims to act immediately without giving it much thought.
You’ve won a competition! (that you never entered)
Starting on the less sophisticated (and less plausible) end of the spectrum, we have all received messages that promise an unexpected boost to our bank balances. These range from lottery wins to inheritances from unknown relatives or even Nigerian royalty. The carrot of a big pay day is often enough to make people drop their guard and click on a link or provide personal information.
Fake delivery notifications
This approach has grown in prominence over the past two years as more people shop online and retailers rush to roll out new SMS notification use cases. Fraudsters have quickly exploited this opportunity and created very realistic messages from retailers and delivery companies that flag ‘an issue with your delivery.’ They may ask the recipient to pay a small additional delivery charge (capturing their card details in the process) or to enter their login credentials to get more information about the problem.
Fake bank messages
Perhaps unsurprisingly, one of the most successful smishing tactics is for fraudsters to mimic a message from a bank flagging unusual activity on the customer’s account. These messages are easy to copy because they follow a consistent format, and because there are relatively few retail banks, there is a high probability that a recipient will actually bank with the institution being impersonated.
The message will likely encourage the person to change their password to prevent any further fraudulent activity. Clicking on a link in the message takes the user to a fake login page where they are asked for their login credentials to change their password.
With these details, criminals have a window of opportunity to log in and transfer money from the account before the victim notices. Many banks are becoming wise to this tactic and incorporating 2FA checks when an account is accessed from a new device, or the requested amount goes above a certain threshold. Note that an SMS-delivered one-time code is itself phishable: a fake login page can simply ask for the code and relay it to the real bank in real time, which is why device binding or in-app approval is a stronger step-up check than a code sent by text.
The mutual friend/colleague scam
This approach uses some very basic social engineering to improve the effectiveness of the smishing attack dramatically. If a message includes the name and details of a person we know and trust, we are far more likely to believe that it is legitimate.
All the scammers have to do is scrape victims’ social media accounts to find out who their close friends or business acquaintances are. They then drop those names into the message, perhaps offering a job, an unmissable business opportunity, or an invitation to an event that would be right up the victim’s street.
Fake social media alerts
People seem to lose their sense of perspective when faced with the possibility that there is an unflattering picture of them on the internet. A very successful tactic has been SMS messages that claim to be from a social-media Samaritan alerting the person about something they wouldn’t like: “You won’t believe the photo that John tagged you in on Facebook! Check this out….”
The donations scam
When a prominent event in the news occurs, such as elections, a natural disaster, a war, or a refugee crisis, scammers exploit it to persuade people to donate money or provide personal information that can then be used fraudulently.
How to prevent smishing
Smishing prevention starts with mobile network operators (MNOs), who can deploy anti-fraud solutions to protect their networks against the various types of SMS fraud. They play a crucial role in safeguarding the security of mobile users.
In Poland, for instance, there is a law called The Act on Combating Abuses in Electronic Communication (CAECA), which came into effect in 2023. It requires mobile operators to:
- block text messages that qualify as smishing
- block text messages purporting to be from a public institution (based on the name of the sender)
- block calls that conceal the caller ID from the end user
Not complying with these obligations could result in a fine of up to 3% of their revenue generated in the previous calendar year.
In the UK, leading telecom providers and the government are working together to combat fraud under the Telecommunications Fraud Sector Charter, through coordinated actions and solutions adhering to legal and data protection obligations. The actions defined by the charter include implementing additional techniques to block smishing.
NAB, an Australian bank, has also taken an active approach to combating fraud. It has placed the bank’s phone numbers on the ‘Do Not Originate’ list to help reduce scam calls impersonating the bank. It has also added protections to reduce scam messages appearing in legitimate bank text message threads, making it difficult for scammers to replicate NAB’s phone number.
Recommendations for MNOs and businesses: implement anti-fraud solutions
Implementation of SMS firewalls is a crucial step in defense against smishing and other types of fraud. At Infobip, we already work with over 120 MNOs around the globe, helping them protect over 1.1 billion mobile users with an advanced SMS firewall that offers several key features:
- real-time blocking of malicious numbers and URLs, thanks to a continually updated database
- proactive threat detection using machine learning to anticipate and prevent fraud attempts
- automated responses to identified threats, enhancing the speed and efficiency of our defense
- detection of MSISDNs that are not linked to “real customers,” facilitated by SIM box detection that enables MSISDN reputation analysis
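To make the firewall features listed above (and the Polish requirement to block messages purporting to come from a public institution based on the sender name) concrete, here is an added example of a minimal SMS firewall rule engine. It is not Infobip’s code and not the product described above; every brand, route name, domain, threshold and sample message in it is a constructed assumption. It applies three checks that a real SMS firewall performs: a protected sender ID arriving over a route not registered to its owner is spoofed; a link to a blocklisted or brand-lookalike domain is malicious; and the remaining messages get a risk score from URL shorteners, urgency wording and credential or payment lures.

```python
"""Minimal SMS firewall rule engine (added example, constructed data).

Assumptions (not from the page): the brand registry, route names, blocklist,
lure word lists, thresholds and sample messages are all made up for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Alphanumeric sender IDs reserved for a brand, mapped to the aggregator routes
# (SMPP binds) the operator has registered for that brand's traffic. Constructed.
PROTECTED_SENDER_IDS: dict[str, set[str]] = {
    "NAB": {"route-nab-a2p"},
    "BOV": {"route-bov-a2p"},
    "GOV.PL": {"route-gov-pl"},
}
# Domains those brands legitimately link to. Constructed.
BRAND_DOMAINS: dict[str, set[str]] = {
    "NAB": {"nab.com.au"},
    "BOV": {"bov.com"},
}
# Domains already confirmed malicious (the "continually updated database"). Constructed.
URL_BLOCKLIST = {"parcel-redelivery-fee.example"}
# Shorteners hide the real destination, so they add to the risk score.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "locked", "act now")
LURE_TERMS = ("verify", "password", "log in", "login", "confirm your", "pay", "fee", "won")
BLOCK_SCORE = 4  # assumed thresholds; a real deployment tunes these on live traffic
FLAG_SCORE = 2


@dataclass
class Sms:
    sender: str  # alphanumeric sender ID or MSISDN
    route: str   # route / bind the message entered the operator network on
    text: str


@dataclass
class Verdict:
    action: str  # "block", "flag" (hold for analyst review) or "deliver"
    reasons: list[str] = field(default_factory=list)


def extract_hosts(text: str) -> list[str]:
    """Return the lower-cased hostnames of every URL found in the message body."""
    hosts = []
    for match in URL_RE.findall(text):
        url = match if match.lower().startswith("http") else "http://" + match
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if host:
            hosts.append(host)
    return hosts


def lookalike_brand(host: str) -> str | None:
    """Name the brand a host imitates: it contains a protected brand name as a
    label token (nab-secure-login.co) but is not one of that brand's own domains."""
    for domains in BRAND_DOMAINS.values():
        if any(host == d or host.endswith("." + d) for d in domains):
            return None
    tokens = set(re.split(r"[^a-z0-9]+", host))
    for brand in BRAND_DOMAINS:
        if brand.lower() in tokens:
            return brand
    return None


def inspect_sms(sms: Sms) -> Verdict:
    reasons: list[str] = []
    sender = sms.sender.upper()
    # 1. Sender-ID spoofing: a protected name over a route not registered to its owner.
    if sender in PROTECTED_SENDER_IDS and sms.route not in PROTECTED_SENDER_IDS[sender]:
        return Verdict("block", [f"sender ID {sender!r} not registered for route {sms.route!r}"])
    # 2. Link checks: known-bad domains and brand lookalikes are blocked outright.
    hosts = extract_hosts(sms.text)
    score = 0
    for host in hosts:
        if host in URL_BLOCKLIST:
            return Verdict("block", [f"blocklisted domain {host}"])
        brand = lookalike_brand(host)
        if brand:
            return Verdict("block", [f"lookalike domain {host} imitates {brand}"])
        if host in SHORTENERS:
            score += 2
            reasons.append(f"shortened link via {host}")
    # 3. Content heuristics: a link plus urgency plus a lure is the classic smishing shape.
    low = sms.text.lower()
    if hosts:
        score += 1
        reasons.append("contains link")
    if any(t in low for t in URGENCY_TERMS):
        score += 1
        reasons.append("urgency wording")
    if any(t in low for t in LURE_TERMS):
        score += 1
        reasons.append("credential/payment lure")
    if score >= BLOCK_SCORE:
        return Verdict("block", reasons)
    if score >= FLAG_SCORE:
        return Verdict("flag", reasons)
    return Verdict("deliver", reasons)


# Constructed sample traffic, one message per tactic discussed on the page.
SAMPLES = [
    Sms("NAB", "route-grey-1", "NAB: Your account has been locked. Verify at https://nab-secure-login.co/verify"),
    Sms("+61400000001", "route-grey-1", "Your parcel could not be delivered. Pay the redelivery fee within 24 hours: https://parcel-redelivery-fee.example/pay"),
    Sms("+61400000002", "route-grey-1", "BOV: unusual login detected. Confirm your password immediately: https://bov-online-security.net/login"),
    Sms("+44700000003", "route-grey-1", "You have won a prize! Act now to claim: https://bit.ly/3xyzabc"),
    Sms("NAB", "route-nab-a2p", "NAB: Your one-time code is 482913. Never share it. Details: https://www.nab.com.au/security"),
]


def classify_all() -> list[str]:
    return [inspect_sms(s).action for s in SAMPLES]


if __name__ == "__main__":
    for sms in SAMPLES:
        v = inspect_sms(sms)
        print(f"{v.action:8} {sms.sender:14} {'; '.join(v.reasons)}")
```

The sender-ID check is the cheapest and most decisive rule, which is why it runs first: a brand name that the operator has reserved should never arrive over a grey route, whatever the message says. The lookalike check deliberately matches whole host labels rather than substrings so that unrelated domains containing a brand name as a fragment are not blocked.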
In addition to an SMS firewall, we employ a straightforward plug-and-play solution called Signals. This tool is particularly effective for OTP traffic, employing a combination of strategies to identify and halt fraud. Signals monitors for unusual patterns and behaviors, uses data analysis to evaluate risks, and leverages machine learning to block fraudulent traffic in real time.
Recommendations for mobile users: stay vigilant
Here are some recommendations from the Federal Communications Commission (FCC) on how to protect yourself against smishing attempts:
- Avoid unknown links and numbers: Do not click on links, respond to text messages, or call numbers that are unfamiliar to you.
- Ignore requests to stop messages: Even if a message asks you to “text STOP” to cease receiving messages, it’s best not to respond, since any reply confirms to the sender that your number is active.
- Delete suspicious texts: Any text messages that seem dubious should be deleted immediately.
- Update your device: Ensure that your smart device’s operating system and security applications are always updated to the most recent version.
- Consider anti-malware software: For an additional layer of security, think about installing anti-malware software on your device.
- Use multi-factor authentication: Implement multi-factor authentication to protect sensitive personal information, such as bank accounts, health records, and social media accounts.
Conclusion: Securing mobile networks is paramount in the fight against smishing
Left unchecked, the rise in smishing attacks will erode confidence in SMS, causing individual users and brands to move away from the channel. This will reduce revenue opportunities for every player in the messaging ecosystem, all of which have a part to play:
- mobile operators need to adopt solutions to help safeguard their network
- CPaaS providers need to use clean routes and leverage their capabilities to block fraudulent traffic
- businesses need to avoid using grey routes
Mobile operators bear a significant responsibility as they are the first line of defense against fraud. By protecting their networks, they can prevent these fraudulent messages from reaching users in the first place.
To do so, they need to collaborate with vendors capable of providing advanced anti-fraud solutions. With this, they not only safeguard their customers but also ensure the sustainability of their business revenue from A2P SMS in the long run.
This blog was originally published on August 31st 2022, and last updated on April 15th 2024. Updates include adding various examples of smishing attacks, and a new chapter on smishing prevention.