Ever received an SMS giving you false information regarding suspicious transactions from your bank account? Or maybe you received an SMS regarding bills or goods you were supposed to receive or pay for, redirecting you to a page where you input credentials and nothing happened?
These are common Smishing schemes used to manipulate people with fake SMS and steal login credentials, credit card numbers and other useful personal data.
In this article, we’ll have an in-depth view of how Smishing works and how you can protect yourself.
Smishing: When Phishing Went Mobile
The word Smishing describes fraudulent schemes perpetrated through SMS messages. Since it is a subset of phishing, the words SMS and phishing were blended into Smishing.
The most notorious Smishing schemes evolved from simple SMS containing a pretext to make contact into messages that mimic legitimate services’ SMS notifications.
The early kind of Smishing was leveraging only irrational emotion and the excessive trust of phone users to make them believe someone with legitimate interest was trying to make contact through SMS. The latter kind of Smishing manages to create a sense of urgency and legitimacy given by the fact that most important services today use SMS notifications to alert users of data breaches and other account-related problems.
Although no legitimate service would send links or request information through SMS (at least nowadays), this is often overlooked because, unlike e-mail, SMS messages are much more neutral and telegraphic in content and format, which makes them ideal for capitalizing on irrational, rushed decisions.
As modern smartphones allow SMS senders to display a name beside the number when sending a message, these schemes are even more compelling, as a legitimate sender’s name would inspire trust at a first superficial read.
Several Smishing techniques have been perpetrated for years. In the next sections, you’ll have an overview of the most common Smishing schemes and of the best defence techniques.
Most common Smishing techniques
There are several types of Smishing schemes that can be perpetrated, but you most likely have already encountered (or will encounter) one of these:
- The PayPal Scheme: In this scheme, the text message pretends to be sent from PayPal, informing you that there has been suspicious activity of some sort on your account, or that you are being asked for money or offered a refund for some purchase. The endgame is prompting you to click on a link to investigate the matter. The link leads to a fake website that looks like PayPal’s official site, prompting you to input your credentials, which will be recorded and used by the Smisher.
- The Package Delivery Scheme: In this scheme, the Smisher sends you an SMS that looks like an automatically generated message, notifying you of a delivery from a renowned company such as FedEx or UPS and prompting you to click on a link that leads to a fake package tracking webpage. The endgame is leading you to give personal information such as e-mail, physical address and phone number and, in some cases, prompting you to give payment details under the pretext of a security deposit or delivery fee.
- The Government Scheme: In this scheme, the text messages you receive claim to be from a governmental institution, such as an e-gov webpage or similar, informing you that you are eligible for a tax refund or that your account will be locked unless you update your personal details. You are offered a link leading, again, to a fake website where you’ll be asked for personal information and/or login credentials.
- The Banking Scheme: In this scheme, the Smisher pretends to be a smart banking service, generating an automated message informing you that your account will be blocked due to expired credentials, or pretending to inform you of suspicious activity (access from an unknown location, fund depletion, multiple password inputs), and prompting you to click on a link to investigate the issue or to reply with information regarding your identity and security codes. The endgame is to obtain the credentials and the second-factor authentication method (security questions and similar) in order to access your account and lock you out of it.
Many other schemes can be perpetrated, but these are the most common, as they rely on well-known institutions that at times use SMS notifications for security purposes and that deal with very sensitive information, such as financial and/or social security data, thus effectively creating a sense of urgency.
The next section covers a few defence techniques.
How to defend yourself from fake SMS Messages?
It is paramount to prevent the leaking of your personal information online. As Smishers can only make contact with you once they have your name and phone number, it would be sufficient to have control over the online entities that you trust with that information.
In the modern world, however, as much as you can limit to the minimum the number of times you trust an entity with your phone number, you will still end up leaving that information around the web multiple times. To minimize the chances, keep in mind that Smishers can easily obtain phone number lists from public sources such as social media, business or educational institutions’ webpages and other commercial entities that are allowed to use your personal information for commercial purposes.
Always check how the entity to which you are about to submit your personal information will use it. Also, be aware of which websites share information with search engines, making it easier to find and connect your publicly available info through simple web searches.
With that in mind, you still have to be aware that some Smishers use random phone number generators to send batches of scam SMS messages. So, in case a Smisher still manages to reach you, apply the following best practice every time you receive an SMS:
- Read the message carefully, especially the ones you did not expect to receive.
- If you suspect that the SMS you received was sent by mistake or if the content surprises you, even if you believe it to be written in good faith, apply maximum scepticism.
- Verify the identity of the sender by checking the number used. You can compare it with SMS previously received to see whether it is a number you can trust, or check it online. In case of doubt, apply distrust and contact the entity involved in the communication.
- Do not click on any links given in the SMS. No institution or private company would require you to access your account through a link contained in the SMS, as it can be assumed that you can autonomously access it on your own. No issue would be urgent enough to require you to access any webpage from a link contained in an SMS or mail.
- Elements such as haste, urgency and danger are feelings often exploited with simple but effective pretexts: errors in deliveries, delays in payments and account compromise are all examples of notifications that should make you sceptical rather than rushed.
These 5 simple steps should become an easy routine every time you receive an SMS. They might feel like an effort in the beginning but they will help you save time soon enough as you’ll end up ignoring scam messages more often than not.
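To make the checklist above concrete, here is an added example (not from the original article) that scores a few constructed SMS samples, one per scheme described earlier plus one legitimate-looking one-time code, against those checks in Python; the sender IDs, URLs, keyword lists, weights and the trusted-sender list are all assumptions made for the illustration.

```python
import re

# Constructed sample messages modelled on the four schemes the article lists
# (PayPal, package delivery, government, banking) plus one legitimate-looking
# one-time code. Sender IDs, URLs and codes are made up for illustration.
SAMPLES = [
    ("PayPaI", "Suspicious activity detected on your account. Verify now: http://paypal-secure.example/login"),
    ("+15550001111", "Your FedEx package is on hold. Pay the delivery fee to release it: https://track-fdx.example/pay"),
    ("GOV-TAX", "You are eligible for a tax refund. Update your details within 24 hours: http://refund.example"),
    ("MYBANK", "Unusual login from an unknown location. Reply with your security code to unblock your account."),
    ("MYBANK", "Your one-time code is 482913. It expires in 10 minutes. Do not share it with anyone."),
]

# Sender IDs the user has already verified against earlier messages (assumption:
# the user keeps this list, as the article's third step suggests). A displayed
# sender name alone proves nothing, so a trusted sender only suppresses the
# "institution claim" check, never the credential-request check.
TRUSTED_SENDERS = {"MYBANK"}

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
URGENCY_RE = re.compile(r"\b(urgent(?:ly)?|immediately|now|within \d+ (?:hours?|minutes?)|expires?|suspended|blocked|locked|on hold)\b", re.I)
CREDENTIAL_RE = re.compile(r"\b(password|credentials|security (?:code|question)s?|pin|card (?:number|details))\b", re.I)
REPLY_RE = re.compile(r"\breply\b", re.I)
BRAND_RE = re.compile(r"\b(paypal|fedex|ups|bank|tax|refund|e-?gov)\b", re.I)

# Weight per finding: asking for credentials or codes is the strongest signal
# (no institution needs them via SMS); the other findings add pressure on top.
WEIGHTS = {"link": 1, "urgency": 1, "credential request": 2, "institution claim": 1}

def triage(sender, body):
    """Score one message against the article's checklist; returns (score, findings)."""
    findings = []
    if URL_RE.search(body):
        findings.append("link")
    if URGENCY_RE.search(body):
        findings.append("urgency")
    if CREDENTIAL_RE.search(body) and (URL_RE.search(body) or REPLY_RE.search(body)):
        findings.append("credential request")
    if (BRAND_RE.search(body) or BRAND_RE.search(sender)) and sender not in TRUSTED_SENDERS:
        findings.append("institution claim")
    return sum(WEIGHTS[f] for f in findings), findings

def is_suspicious(sender, body, threshold=2):
    """Anything at or above the threshold deserves the article's 'maximum scepticism'."""
    return triage(sender, body)[0] >= threshold

if __name__ == "__main__":
    for sender, body in SAMPLES:
        score, findings = triage(sender, body)
        print(f"{'SUSPICIOUS' if is_suspicious(sender, body) else 'ok':10} score={score} {findings} <- {sender}")
```

The legitimate one-time code only trips the urgency check, while the banking sample from a "trusted" sender is still flagged because it asks for a security code by reply, which is the rule the fourth step above stresses.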
Smishing is a technique that has enjoyed a long-lasting career. Its success has been determined by the inexperience of the average phone user, which means that you can easily counteract it by applying a few key routine actions every time you receive an SMS. You should also be aware of potential information leaks on websites you visit, and whenever you are prompted to give consent for personal information processing, consider reviewing the consent you are about to give, as it might include sharing personal info (such as your name and phone number) with third parties over which you have less control.
Smishing is a phishing technique that uses SMS as a contact channel to scam you into giving up personal information or financial data.
Your phone number could have been leaked for several reasons. Most private institutions tend to inform their customers about data leaks, so if you suspect your information was leaked because you received a suspicious SMS, check with the institution the suspicious contact claims to be from.
Contact the institution that the Smisher pretends to be contacting you from, as they might have suffered a data leak. Also, block the sender and avoid clicking on any links or replying.
Smishing SMS usually pretend to be sent from financial or governmental institutions you might be related to, claiming that some urgent issue requiring your attention can be solved by following a link. Any SMS you receive that follows this pattern should be double-checked, as it is highly likely to be a Smishing SMS.