Many people are aware of the dangers of phishing emails and phone scams and can even provide examples of when they've been targeted by such a scam. Most phones can even block potentially malicious callers or alert you to "potential spam" before you even answer the phone. Unfortunately, not as many people or company CEOs are aware of the potential dangers of an attack that sneaks under the radar through an unassuming text message.
Smishing is a lesser-known form of social engineering attack that can be just as dangerous as the most sophisticated phishing email. These attacks often catch targets by surprise, seem more authentic, and are tempting to respond to in the spur of the moment. Like phishing attacks, smishing is designed to gather personal information or convince the target to download malware. Smishing may be used in conjunction with a phishing email or other correspondence or it may be used alone. A single message can be used to wipe out a personal bank account, provide access to a company network, or transfer large sums of money.
Smishing attacks typically target smartphones. As a result, they seem like personal correspondence and fall under the radar of your cybersecurity system. So how can you protect yourself and your business against the dangers of smishing attacks? This guide will help you understand how smishing attacks work, how to identify these scams, and steps to take if you think you've been targeted.
What is Smishing?
The term smishing is a mash-up of the words SMS and phishing. Just like the name sounds, smishing is a phishing attack carried out by short message service (SMS), more commonly known as text. Instead of using email to deceive intended targets, the attacker uses a deceptive text. On the surface, it may seem like a ploy likely to fail quickly. Yet, when you consider the popularity of smartphones and the high usage of text for convenient communication, the potential becomes more clear. More than 87 billion spam texts were sent to U.S. phone users in 2021, and consumers reported a total loss of $86 million (an average $800 loss) because of text messages. Smishing is a present and growing threat that is not likely to go away like a passing trend.
A smishing attack begins with a text from an individual or company that appears to be a trusted sender. The message usually includes a link or phone number so the user can take action quickly. Clicking on the link in a smishing message often takes you to a fake website where attackers are waiting for you to enter your sensitive information. Delivery scams in which attackers impersonate Amazon, FedEx, and the U.S. Postal Service are some of the most common types of smishing attacks. However, some particularly dangerous attacks appear to come from your bank or an authority figure within your company.
Why is smishing effective? From the easy method of contact to the brief nature of text messages, there are many advantages to targeting victims through a text message. An attacker only needs the phone number of a potential victim to make contact. Even worse, the sender is only traceable through the associated numbers they use. While 75% of Americans never answer calls from unidentified numbers, the open rate of text messages is about 98%, making text messages a much more lucrative method of attack. Smartphone users often have the device on their person most of the time and are more likely to answer a text than other forms of communication while distracted by other activities. The brevity of a text message can even provide an advantage by limiting the potential for mistakes and further arousing the target's curiosity.
Smishing messages are easy to fall victim to and can have grave consequences. Victims can be fooled into furnishing login credentials to their bank account or paying for goods and services they never receive. In a business environment, employees can be fooled into providing access to the company network, transferring company funds, revealing sensitive intellectual property, or providing access to sensitive customer and employee personal information. Any crime that can be accomplished through a phishing email can likely be replicated in a smishing attack, and the resulting damage can be equally severe.
Examples of Smishing Attacks
Learning about smishing attacks can be a sobering experience. Text messages are a convenient form of communication that helps you streamline personal and business tasks for a more efficient schedule. The good news is, you don't have to stop using text messages to avoid smishing attacks. By learning about common attacks, you can more easily identify when you are the target of a smishing message.
- Delivery Scams: A message appearing to come from a reputable company like FedEx or Amazon sends a message with a link to track an incoming package or make arrangements for delivery. Even when not expecting a package, many targets check linked information out of curiosity.
- Bank Scams: A message that appears to come from your bank alerts you to suspicious activity on your account or that you need to provide proof of identification to address a problem.
- "Lottery" Scams: "You've won!" Any message that falsely claims you've won money, goods, or services from a contest is referred to as a lottery scam. The message will redirect you to a fake website where you can enter personal details to claim your prize.
- Government Impersonation Scams: A message that appears to come from a government agency like the IRS alerting the target to unpaid taxes. Urgency is added with the threat of fines and penalties.
- Company-wide Password Scams: A message is sent out to all employees to require a password update on a company platform.
- Fake Verification Message: A message from Google or Apple states the company is verifying your phone number and includes a link for the user to learn more.
- Payroll Update Scam: A message alerts all employees that the company is changing payroll providers and employees must update W-2 information. Urgency is added with the impression that paychecks might be delayed for employees who don't act in a timely manner.
- Fake Tech Support Message: This sophisticated attack requires the hacker to interact with the target and their active account. The target receives a text appearing to come from a trusted company suggesting that suspicious activity has occurred, so a verification code will be sent to confirm your identity. While you wait for the verification code, the hacker attempts to sign into your account but uses the "forgot password" option. When you send the verification code, the hacker uses it to log into your account and take control.
How To Identify a Smishing Attack
After exploring some examples, it's easy to understand how smishing attacks can be easy to fall for. However, when you learn more about the anatomy of a smishing message, recognizing them becomes easier. Smishing messages have similar characteristics, and there are ways you can avoid falling for them.
Characteristics of a Smishing Attack
- They're unexpected. It's common to receive updates about a package you ordered, but a message about a package you didn't actually order should raise red flags. Similarly, if you're not having difficulty with an account, a message out of the blue is likely to be a scam.
- The message is urgent or threatening. A message from the IRS might threaten legal penalties if the target doesn't meet a deadline. A text from an active account might suggest you'll lose access to the account if you don't take action immediately. In reality, a legitimate business would never use threatening language or set unreasonable deadlines. Furthermore, government agencies don't communicate through text messages.
- Comes from an unfamiliar sender. An attacker may address you by your name and use familiar language when you don't recognize the sender as an individual or company you associate with.
- It's an unusual communication method for the sender. We mentioned that government agencies don't communicate through text. This is also a big indicator in the workplace. Employees should be suspicious of a text if it's not the typical communication method for the sender.
Tips for Avoiding Smishing Attacks
- Check the sender's phone number. If you receive a text from a known source, check the sender's number to confirm it's the number you're familiar with.
- Avoid the urge to click. Don't click on a link in a text message. Just clicking the link could introduce malware to your device.
- Do not share personal information with the sender of an unsolicited text. If you receive a text that appears to come from a known source, verify the request through a different communication method before providing information.
- Don't reply to suspicious text messages. Clicking a link isn't the only danger in a smishing message. Avoid interacting with the hacker in the form of a response. Even texting "stop" to avoid future messages could make you the target of new attacks.
- Keep your phone's operating system up to date. Each update to your phone can include enhanced security features. These features can help block known spam numbers.
- Don't use information from the text for confirmation. If you're unsure about whether a message is legitimate, avoid using information from the text for confirmation. Instead, call or email the company directly to learn more about the message.
How To Protect Yourself from a Smishing Attack
Being the recipient of a smishing message doesn't automatically make you a victim. Even if you read the message and didn't take any action, you're likely safe from any damage. So how can you protect yourself from becoming a victim? These are the steps you should take if you receive a smishing message.
- Use two-factor authentication to protect your accounts before you become a target.
- Don't click on links or answer suspicious text messages.
- Don't call unknown numbers included in unsolicited texts.
- Educate employees about company communications to avoid business-based smishing attacks.
- Beware of texts that claim to be from the government.
- Forward unwanted texts to 7726 to send the messages to your carrier's spam department.
- Block messages from the sender.
- Delete all suspicious texts.
- Report the attack by submitting a report to the FCC or the Federal Trade Commission. If the attack is related to organizational correspondence, make sure to alert supervisors within your company.
Smishing attacks don't only target individuals for personal information or login credentials. They can cause major damage when used against a business. However, there are ways you can prepare your business to identify and avoid smishing attacks.
Begin by building awareness with education and smishing simulations. These programs provide accurate examples of realistic attacks. They also educate employees on how to identify and react appropriately to these attacks. Implement organization-wide multi-factor authentication to prevent hackers from gaining network access as a result of employee response to a smishing message. If you suspect your business is a victim of a smishing attack, immediately contact the FTC to file a complaint. By filing a report, you can spread knowledge about new forms of attack.
Take Steps to Avoid Becoming a Victim of Smishing
Like other social engineering scams, smishing attacks rely on human response for success. While these attacks are often sophisticated and extremely convincing, preparation can help you protect yourself and your business from smishing scams. Education is the best form of protection against any social engineering attack. To protect your business, it's essential to ensure all employees are familiar with modern smishing attacks and the proper forms of communication within your organization.
Cyber attacks are constantly evolving and attackers work continually to find new ways to infiltrate business networks. To protect your business against modern cyber attacks, it's essential to develop a culture of security. It's true that smishing attacks prey on human emotions. However, they are usually the beginning steps of a larger attack. Your cybersecurity tools and practices can play an important role in stopping the actions of an attacker after the network is compromised from a smishing attack.
If you're concerned about your organization's vulnerability due to smishing attacks, we can help. Contact the experts at BitLyft to learn more about the dangers of social engineering attacks and how to keep your business safe.