Smishing is a social engineering technique that uses SMS text messages to attack consumers. Smishing is similar to email phishing but uses SMS rather than email. Have you ever received an email pretending to be from your bank, prompting you to click a link and enter details? This is a typical example of email phishing.
Likewise, if you’ve ever gotten a text from a 5-digit phone number or an email address claiming that your bank account has received a deposit for $45,000 and prompting you to click a link to log in, that is an example of smishing. Android as well as iPhone users are vulnerable to text message phishing.
The link brings you to a malicious website which will then ask you to provide your details or download malware directly to your device. Want to know how to identify smishing attacks and avoid one? Keep reading!
How Does Smishing Work?
Some common components of smishing attacks are deception and believability. All the criminal has to do is get the victim to trust the context of the text in order to get that click.
Social engineering allows cybercriminals to manipulate a victim’s decision-making. This is made possible by three factors:
- Trust: Posing as legitimate individuals or organizations is the least-suspicious way to lower the target’s skepticism. Since SMS texts are a more personal means of communication, it is only natural for a victim not to raise eyebrows right away.
- Context: Exploiting a relevant situation allows a criminal to build an effective disguise. Often, the messages carry personalized content and tone.
- Emotion: This is one very effective way attackers spur users to action. They heighten the target’s emotions, thereby overriding their critical thinking. This consequently prompts them to act rapidly.
Attackers effectively employ these methods to write messages that cause recipients to take action. In most situations, the attacker wants you to open a URL link in the SMS. You’re then directed to a phishing tool or web page prompting you to disclose your private information.
How do smishing attackers find their targets? The commonly known way is through affiliation to an organization or regional location. Other targets include employees or clients of an institution, network subscribers, and even residents of a specific area.
Using a method known as spoofing, an attacker may hide their real phone number behind a decoy. The attack is usually carried out in a stepwise fashion, illustrated below:
- Distribution of the text message “baits” to unsuspecting targets
- Compromising the target’s information through deception
- Execution of the planned theft using the victim’s compromised information.
The smishing scheme is successful when the attacker has used your private information to carry out the planned theft. Some smishing examples are:
- Order confirmation and gift smishing: In September 2020, a smishing campaign went viral, baiting people into providing credit card details for a free iPhone 12. This scheme uses an order confirmation whereby the text message claims a package has been mailed to an incorrect address.
The in-text URL link directs targets to a phishing website posing as an Apple chatbot. The website then guides the victim through a procedure to claim their free iPhone 12. To do that, the victim must pay a small shipping fee by entering their credit card details.
- Covid-19 smishing: A scandal cropped up in April 2020 when reports emerged that U.S. government impersonators were sending out random text messages to people. The message asked people to take a compulsory Covid-19 test via a linked website.
Of course, many people could recognize this as a scam since there weren’t any online tests for Covid-19. However, attacks like this have the potential to evolve into more serious scams.
Here are some example smishing messages.
How Do I Identify Smishing Attacks?
Running iOS and concerned about common smishing signs to look out for? What you should know is that vigilance is paramount. A smishing text may include:
- A link you weren’t expecting
- A text that is providing you information or an update with a “reply YES or reply NO” message
- Congratulations on winning a prize or contest along with a clickable link
- An urgent request to verify your private information via a link or automated mobile number.
Cybercriminals employ highly sophisticated means to make their messages as believable as possible. This is why many people fall for smishing attacks every year. In a study carried out by Lloyds TSB, the sample participants were presented with 20 texts, half of which were malicious. Only 18% could correctly identify every fake text.
This says a lot about many people’s discretion. What often makes smishing attacks so effective is the urgency deployed in the text. Some of them may be a call to action with deadlines or expiration times. Who wouldn’t give in to this? But the truth is, knowing the tricks and techniques helps you stay afloat in such scenarios 99.9% of the time.
For instance, you could easily spot a smishing text by its misspellings. Another tell-tale sign is the text addressing you as “Sir” or “Madam.” Real messages from legitimate companies would address you by your full name.
A URL shortener is another common smishing sign to look out for. Unless you’re a techie, you may not know what a URL shortener is. The point is that people who receive shortened URLs can’t trace the source. These links usually accompany emails or SMS messages claiming to notify recipients of a canceled cash transfer. Clicking one will only harvest your information.
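The signs listed in this section can be turned into a simple triage check. The following Python is an added example, not part of the original article; the regular expressions, the shortener list and the sample messages are constructed assumptions, and misspelling detection is left out because it needs a dictionary.

```python
import re

# Assumption: a short illustrative list; real shortener lists are much longer.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

# Matches http(s) URLs and bare hosts; group 1 is the host name.
URL_RE = re.compile(r"\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

# Text-only signs from the checklist above; the patterns are assumptions.
TEXT_SIGNS = {
    "reply_yes_no": re.compile(r"\breply\s+(?:yes|no)\b", re.I),
    "prize_claim": re.compile(
        r"\b(?:congratulations|winner|prize|you(?:'ve| have)? won(?!['’]))\b", re.I),
    "verify_request": re.compile(r"\b(?:verify|confirm)\b", re.I),
    "urgency": re.compile(
        r"\b(?:urgent|immediately|expires?|deadline|within \d+ hours?)\b", re.I),
    "generic_greeting": re.compile(r"\b(?:sir|madam)\b", re.I),
}

def smishing_signs(text):
    """Return the sorted names of the warning signs found in one SMS body."""
    signs = {name for name, rx in TEXT_SIGNS.items() if rx.search(text)}
    hosts = [re.sub(r"^www\.", "", m.group(1).lower())
             for m in URL_RE.finditer(text)]
    if hosts:
        signs.add("link")
    if any(h in SHORTENERS for h in hosts):
        signs.add("shortened_url")
    return sorted(signs)

# Constructed sample messages (not real campaign texts).
SAMPLES = [
    "Dear Sir, your bank transfer was canceled. "
    "Verify your details immediately: https://bit.ly/x7Example",
    "Congratulations! You won a free phone. "
    "Claim your prize at http://prizes.example/claim",
    "Your package update is ready. Reply YES to receive delivery times.",
    "Hi Dana, running 10 minutes late, see you at the cafe.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(smishing_signs(sms), "<-", sms)
```

Each hit is a prompt to verify the sender through another channel, not a verdict: legitimate messages can also contain a link or the word "confirm".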
How Do I Avoid Smishing Attacks?
Check the source
Scammers often imitate famous companies or brands. If you happen to click on a link, keep in mind that web pages can be mimicked. If you’re unsure of the sender’s identity, do not hesitate to call your bank for confirmation.
Scammers may sometimes imitate people you know. This could be family members or relatives, or even your boss. If you get texts claiming to be from people you know, subject them to inquiry and verification.
Safeguard your iPhone
Most notifications on your iPhone are harmless. Sadly, it takes just one successful smish to compromise your device. Be cautious, trust your instincts, and don’t forget to use security tools designed to prevent smishing attacks.
Smishing attacks are becoming a true menace to combat. As an iPhone user, your inbuilt security protocols do not prevent you from receiving SMS. Hence, you’re open to unlimited messages, some of which could be disguised messages from bad actors.
Knowing preventive measures to take could go a long way in saving your device and your bank balance from suffering. Use the sections in this article to protect yourself from smishing attacks.