SMS phishing, also known as smishing, uses text messages to bait people into exposing their details. Smishing attacks typically invite the user to click through to a landing page. The landing page is designed to extract private data and credentials for other websites. Several factors have made smishing an attractive option for baiting unsuspecting people.
First, sending bulk messages is easy and, unlike in e-mail systems, checking the identity of the sender is quite rudimentary. Secondly, even an advanced user is likely to read a text message without considering that it may be spam.
Furthermore, due to the nature of mobile browsers, URLs may not be fully displayed.
All of these factors together may make it more difficult to identify an illegitimate login page. The mobile phone market is now full of smartphones with fast internet connectivity, so a malicious link sent via SMS can yield a “better” result than a spam email.
SMS text message phishing, aka smishing, is a threat to your data and your bank account. A malicious SMS may also lead to you installing malware on your device or unwillingly supporting criminal hackers with money.
Traditional phishing has plagued internet users since the 1990s. Smishing, on the other hand, is a phenomenon of the late 2000s. The term is a combination of SMS and phishing, but it is generally understood to include attempts at fraud that are initiated via messenger services (such as iMessage or WeChat) that are not based on the short message system protocol. Smishing has been a particularly profitable attack vector for cybercriminals since smartphones became ubiquitous. Vishing is also a phishing variant; this attack method, however, is based on voice calls.
Types of SMS Phishing
In practice, smishing attacks can be classified into three different categories, which differ in the objectives the criminals pursue:
Attempts to steal login data: Smishing attacks can aim to steal login data for online accounts. Online banking access in particular is of interest to criminal hackers. Paradoxically, the cybercriminals regularly try to profit from the fear of being hacked: they send SMS or text messages that supposedly come from the victim’s bank.
This process is also known as “bank smishing”. These messages “warn” their recipients of large charges or unknown payees and provide a phone number or link to prevent potentially unauthorized access to the bank account. The link usually leads to a fake website and the phone number directly to the cybercriminal. In both cases the aim is to persuade the victims to reveal their usernames and passwords so that their accounts can subsequently be plundered.
Bank smishing is successful for several reasons. One is that some financial institutions really do send SMS or text messages warning of suspicious account activity. Real messages of this kind can usually be recognized by the fact that they contain information known to the financial institution (for example the last four digits of your credit card or account number). Direct links and vague references to “Your Account” should, however, make you suspicious. If you are not sure about the authenticity of the message, log into your account in the normal way using your browser or app. Under no circumstances click on a link in an SMS or text message.
Another reason for the success rate of bank smishing attacks is the cybercriminals’ obfuscation tactics: the sender’s phone numbers can be hidden or faked using certain methods – sometimes with relatively simple means, such as sending the message from a computer. If such messages are automatically assigned to the legitimate sender number on the smartphone, the probability of success of a smishing attack increases many times over.
Attempts to spread malware: This type of smishing is based on classic e-mail phishing, but adapts techniques that are specially tailored to mobile users and devices. Smishing attacks to spread malware are less common, as the security precautions on smartphones, especially in the case of Apple’s iOS, now make it relatively difficult to install unsigned or unverified apps. However, especially with Android devices, there is the option of sideloading apps. The only solution here is healthy mistrust if you are prompted to install an app via SMS or text message.
Attempts to collect sums of money: This type of smishing attack is less a matter for tech-savvy cybercriminals and more the work of a clumsy trickster. Nevertheless, such attempts pose a risk, especially for less tech-savvy people. In one case, a victim was contacted by fraudsters posing as personal acquaintances (names likely to have been found on social media) and promising cash in the form of a government grant. In truth, it was a classic fraud: the victim was supposed to pay a fee of a few hundred dollars before the grant was paid out.
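The following Python is an added example, not part of the original article: it applies the warning signs described above for the three categories (direct links, callback numbers, vague references to “Your Account” without the last four digits your bank would know, install prompts, up-front fees) to a text message. The function name triage_sms, the patterns and the sample messages are assumptions constructed for illustration.

```python
import re

# Patterns are illustrative assumptions derived from the article's advice.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}/\S*", re.I)
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d")
VAGUE_ACCOUNT_RE = re.compile(r"\byour\s+(?:bank\s+)?account\b", re.I)
LAST4_RE = re.compile(r"\b(?:ending(?:\s+in)?|last\s+(?:four|4)(?:\s+digits)?)\D{0,10}(\d{4})\b", re.I)
INSTALL_RE = re.compile(r"\b(?:install|download)\b.*\b(?:app|apk|update)\b", re.I)
FEE_RE = re.compile(r"\b(?:grant|prize|refund)\b.*\b(?:fee|pay)\b", re.I)

def triage_sms(text, known_last4=()):
    """Return the list of warning signs found in an SMS (empty list = none found).

    known_last4: last-four digits of the recipient's real cards or accounts,
    i.e. information a genuine bank message would be able to quote.
    """
    reasons = []
    if URL_RE.search(text):
        reasons.append("direct-link")
    # Strip links first so digits inside a URL are not mistaken for a phone number.
    if PHONE_RE.search(URL_RE.sub(" ", text)):
        reasons.append("callback-number")
    verified = any(d in known_last4 for d in LAST4_RE.findall(text))
    if VAGUE_ACCOUNT_RE.search(text) and not verified:
        reasons.append("vague-account-reference")
    if INSTALL_RE.search(text):
        reasons.append("install-prompt")
    if FEE_RE.search(text):
        reasons.append("advance-fee")
    return reasons

# Constructed sample messages, one per category plus a genuine-looking alert.
SAMPLES = {
    "bank_fake": "ALERT: A charge of $1,250.00 was made on your account. If this was "
                 "not you, verify at http://secure-bank.example/login or call +1 555 0100 199.",
    "bank_real": "Example Bank: purchase of $42.10 on card ending in 4821. "
                 "No action is needed if this was you.",
    "malware": "Your device is at risk. Install the security app now: www.update.example/app.apk",
    "fee": "Hi, it's Dana. You qualify for a government grant of $5,000. "
           "Just pay the $300 processing fee first.",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, triage_sms(msg, known_last4={"4821"}))
```

An empty result only means none of these signs were found; it does not prove a message is genuine, so the advice to log in through your usual browser or app still applies.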