Fraud and security
What is smishing? SMS phishing explained
Fraud and security
Share to
Much like the internet itself, cybercriminals seemingly never sleep. These scammers are on a never-ending quest to exploit individuals, businesses, and data for monetary gains. And one of their most pernicious forms of fraud is called smishing.
In just six months in 2021, smishing attacks spiked over 700%, costing victims over $10 billion. Victims range from individuals to businesses whose employees fall victim while using company software and communication channels. Alarmingly, the threat landscape continued to evolve in 2022, with three in four IT professionals worldwide reporting that their organization had encountered smishing attacks that year.
In this article, weāll define smishing, explain how it works, provide a few examples, and show you how to protect yourself and your business from getting tricked by scammers.
Smishing, short for SMS phishing, is an attempt to trick or manipulate individuals or businesses into revealing sensitive or valuable personal information through SMS and other forms of text messaging.
Smishers do this by impersonating real businesses (like delivery services, utility companies, financial institutions, or goverment agencies) or trusted contacts and sending fraudulent text messages to mobile phones. Exploiting trust, they trick victims into revealing personal data or business-related information, including names, dates, credit card information, financial information, social security numbers, login credentials, and passwords. They then sell that data on the black market or use it for identity theft, siphoning money from bank accounts or rerouting payments into their own pockets.
Scammers choose smishing over other types of phishing attacks for various reasons. One of the most important reasons they choose smishing is that SMS click-through rates hover around 20%, compared to emailās 3-5%. Gartner reports that SMS response rates are as high as 45%, meaning recipients are more likely to engage with an SMS than an email, which has a 6% average response rate. Additionally, scammers can mask the origins of smishing messages using tactics like spoofing or text-to-email software.
Smishing is a form of phishing. It refers specifically to phishing attacks that happen over SMS or other messaging channels (SMS + phishing = smishing).
Phishing attacks have been around for a long time (the first one is thought to have originated in 1995!), and they happen over a variety of communication channels and devices. Most phishing attacks have a few things in common: they typically involve deceptive tactics to trick individuals into revealing sensitive information, they often use a sense of urgency or fear to manipulate the recipientās emotions, and frequently use websites or links that appear legitimate.
In the world of phishing, scammers present themselves as a real and legitimate business or person that the victim is likely to trust, and they use that to get them to reveal personal details that they can use to gain access to their banking information, costing the victim a lot of money and frustration.
Phishing can happen over phone (and often called āvishingā), email, social platforms, fraudulent websites, and many other channels. It can involve links to click, forms to fill out, or just talking to an actual fraudster on the phone.
Smishing attacks arenāt always random, and sometimes businesses or individuals can be targeted for specific malicious intent. For smishing to work, a scammer will first need your phone number, and there are a variety of ways they can get it ā data breaches are common sources, but sometimes a scammer will just guess numbers in particular area codes. In densely populated areas, theyāre going to get some hits.
Once they have that, the cyberattack can commence. Hereās what happens from the victimās perspective.
First, the victim receives a message that appears to be from a legitimate company. It could appear to be from a bank, PayPal, Amazon, a credit card company, another company that does business with the victimās company, a government entity, and many other sources.
Often, the phone number or other identifying information looks the same as or close enough to pass for a sender the victim trusts.
Smishing messages share common features: The message will inform the recipient that they need to click a link, fill out a form, verify their address or login information, or even call or text in order to deal with whatever situation has been invented to trick them.
Typically, these scams include some sense of urgency; thereās an important situation that requires immediate action. Sometimes, it will even tell them their account has been compromised by hackers and that they need to change their login information.
Next, if the victim doesnāt understand that this message is fraudulent, they may click or respond to it, thinking they need to take action now since they trust the sender.
If the message has one or more malicious links (the link itself may be the scam), clicking on it causes malware or spyware to be downloaded to their mobile device. In that case, nothing will appear to have happened. But now, an attacker has installed spyware on the victimās smartphone and will be able to monitor their keystrokes and determine their passwords and other sensitive information. Later on, the victim may notice that a lot of money was taken from their account and wonder how they were compromised.
Clicking the link included in the smishing text may also take the victim to a website that looks like it belongs to the sender, such as a bank. The page will have a form or a survey to fill out. And once they do, the fraudsters have enough information to steal or commit fraud.
With personal information in-hand, the scammers do everything they can to ruin the victimās life for their own benefit. The longer they have the victimās personal data without them realizing it, the more damage the scammer can do.
Depending on what personal information the victim shared with them, the attacker may be able to steal from them immediately. Or, they may be connected to networks where they can sell private information on backchannel websites.
In that case, the victim could be scammed by multiple people before they even realize whatās happening.
Smishing is just one of many types of cybercrime, but itās one of the worst ones because of how real some of these messages appear to be. Even people who have heard of smishing scams have been known to become victims because theyāre so difficult to spot.
Here are the common warning signs that a text message may be a smishing attempt:
If a well-known company sends you a text message ā and you opted into receiving texts from them ā any phone number they contact you with should be easy to verify. Be wary of messages originating from unfamiliar or suspicious sources, especially if they contain urgent requests, unsolicited offers, or links to click.
For example, if Amazon sends you an email saying your package couldnāt be delivered and you need to verify your address, theyāre not going to give you a phone number using your local area code.
Keep note: smishers sometimes use masked sender numbers to obscure their true identities, making it crucial for you to exercise caution and verify the authenticity of any unexpected messages.
Another hallmark of smishing scams is spelling and grammar errors. Scammers often rush their messages and struggle to put together even a few coherent sentences without making obvious grammar mistakes. However, itās also essential to know that scammers have become increasingly proficient, using AI to generate remarkably realistic messages that look like they were written by a human.
Remember that reputable organizations and individuals usually take care to communicate clearly and professionally. Any message with misspelled words, awkward sentence structures, or language mistakes should be treated with suspicion.
Another way to spot smishing scams is to study the link they want you to click.
You might see extra short links that are hard to decipher, or links obscured by other graphics in the text. You may also notice an extra character thrown into a link, such as āpaypall.comā. That extra ālā is a dead giveaway.
Sometimes there will be extra characters elsewhere, separated by dots to make it seem more technical. For example, in the example below, you might notice that the URL is ābr1ckbank.comā when the legitimate bank would be called āBrick Bank.ā This illustrates the kind of small yet suspicious changes to URLs that scammers often use to trick people into clicking them.
Here are some types of smishing attacks that scammers may use to deceive and defraud you under the guise of someone you trust:
Picture this: You get a notification that your account has been compromised and you need to re-verify your information and change your password.
Itās important to question the legitimacy of such claims. These fake security alerts are a classic smishing tactic precisely because they grab your attention. Scammers aim to deceive you into sharing your existing login credentials.
If you do end up sharing your login credentials, the scammer can now change your real password and you wonāt be able to get into your own account.
Everyone likes to win, so scammers prey on that desire by sending out texts that look like theyāre from companies you trust announcing that youāve won a gift card or some other contest. All you have to do is fill out a form to verify your information, and the prize will be yours.
Except thereās no prize. And once you fill out that form, the scammer has your information.
āYour package couldnāt be delivered and we need to re-verify your address.ā This is a common shipping scam message. In fact, most major carriers get impersonated by smishers regularly. Watch out for shipping scams pretending to be from UPS, FedEx, and major e-commerce retailers like Amazon.
Related to the shipping scams are invoice scams. Youāll get an invoice that appears to be from a trusted source like PayPal or a reputable shipping company, claiming you owe them money.
But the invoice is fake, and if you pay it, not only do they get your money, but they have your credit card numbers and other data to extract more from your accounts. Afterwards, they may sell your information on the dark web as well.
Unfortunately, scammers have found a way to exploit multi-factor authentication. In this scam, youāll get a text saying you need to enter a verification code to confirm that some event has happened. It could be a money transfer, a purchase, a password change, or some other event that needs verification.
But the reality is, no genuine event happened in the first place. And once you unwittingly confirm this request, the scammers have whatever information you just gave them, potentially granting them access to your accounts and personal data.
This is a rather urgent and unsettling tactic from fraudsters who impersonate tax authorities. They might send messages saying that you owe money on your taxes, and that there will be dire consequences if you donāt settle your debts soon. However, itās important to recognize that government agencies typically donāt operate like this, and if you do owe money, theyāre not going to send you a text message. When you genuinely owe taxes, the governmentās approach will be more formal ā like a written letter in the mail, or other methods of communication.
On the flip side, another tax-related scheme might say that you have an unclaimed tax refund. Instead of fear, youāre motivated by the allure of a sudden cash windfall to respond.
In both cases, itās crucial to discern that these communications arenāt from government agencies, and if you respond, you risk placing your personal information into the hands of fraudsters with malicious intent.
Financial alert scams might aim to inform you about recent or impending events related to your bank or credit card accounts via SMS.
These alerts often reference different scenarios, like money transfers from or to your accounts, changes to your account, new benefits or special offers that are only available for a limited time, and that you need to do some immediate action. Make sure to stay vigilant and verify the authenticity of such messages to safeguard your financial security.
The ātrusted friendā scam is a particularly difficult one to spot if youāre not paying attention. If a friend or work colleagueās information has been compromised, the scammer may be able to send you a message that really is from their phone number.
They may tell you about a family emergency they need help with, or a contest they just won, or some other message. If it doesnāt sound like something your friend or colleague would send, itās probably because they didnāt.
Youāll learn how to deal with suspicious texts like this in the next section.
This encompasses any other suspicious message via SMS. If youāre contacted via text message and are asked for sensitive data, or asked to click on a link but the explanation for why just doesnāt seem right, itās probably a scam.
The bottom line: Very few legitimate companies will ever request sensitive information via text messages. Reputable companies are aware of the significant fraud risks associated with this and, as a result, refrain from doing it.
Remember, as a company, there are two ways smishing can hurt you. It can hurt your individual employees, and it can hurt your entire company. It depends on the nature of the cyberattack.
If the smishing attack includes a link that uploads malware or ransomware to your company systems, the attackers could gain access to contact information of your employees and other private information.
This is one way smishers send texts that look like they are from people you know. They compromise that personās information, and use your trust in them to try to trick you into sharing valuable personal data.
So, what can you do to prevent smishing attacks? Here are a few options.
First, the simplest thing to do is to do nothing. If you donāt know the sender, donāt respond. Donāt click. Donāt do anything on impulse or without thinking.
If the senders appear to be legitimate but youāre suspicious and donāt know how to verify it on your own, call the real company, organization, or person and verify it directly with them.
Some scams might include particular words, phrases, or other information thatās unique enough to search for them online. For scams that have been around a bit longer, which includes most of them since scammers arenāt creative enough to keep trying new ones every week, you may be able to find blog posts and comment threads exposing that particular scam for what it is.
So, if you canāt verify it with the company or institution, try doing a web search using information from the text itself.
If youāre pretty sure itās a scam, just delete it. If itās legitimate, you can be sure the company will attempt to contact you again if itās that important.
Lastly, for companies, donāt leave your employees to fend for themselves. Itās essential to proactively create training programs that walk through what to look for and how to respond when they get a suspicious text message.
Emphasize the hard-to-spot smishing scams that may come from business colleagues or other companies youāve done business with in the past.
Encourage employees to report any smishing attempts or other security concerns to the internal security team. Remember that collective awareness and swift reporting can be your organizationās first line of defense against smishing.
As a side note, you can also begin to advocate forsolutions at the policy level, as smishing and other messaging scams are a global problem.
SMS is an amazing communication tool for businesses, offering a direct and efficient way to engage with customers and employees. However, itās important for all of us to be wary of texts from unfamiliar companies and stay vigilant against the threat of smishing.
Here are a few key takeaways to pass on to your employees about SMS phishing:
Training your employees is just one of many things businesses can do to prevent SMS phishing. This entails educating both employees and recipients about tactics employed by fraudsters, and enhancing cybersecurity measures to detect and thwart smishing and related scams like SIM farm fraud.
Check out our resources to help your business prevent fraud in business messaging. Or, learn about how Sinch SMS for operators can help you mitigate SMS fraud.
