With over 94% of text messages read and over 45% responded to, it is no wonder why there has been an explosion of “Smishing” (just like e-mail phishing, but by text) in 2020. We have all gotten sick and tired of the daily spam and junk e-mail, so tools and our own common sense have us only opening 20% of the messages that hit our e-mailbox with a response rate of 6%. It makes it hard to “phish” when fewer and fewer are willing to take the bait.
Smishing is a cyberattack that uses misleading text messages to deceive victims. It is a text-message-centric variation of the email-based phishing scams that have been around since the 1990s. But people are often less watchful for suspicious messages on their phones than on their computers. The goal is to trick you into believing that a message has arrived from a trusted person or organization, and then convincing you to take action that gives the attacker exploitable information (like bank account login credentials, for example) or access to your mobile device.
The biggest problem from a security perspective is that an SMS sender is not authenticated beyond attached phone numbers. Anyone receiving an SMS can only, at best, be assured at the phone number the SMS message comes from is accurate, and even that is not guaranteed. There are many rogue applications which allow senders to send SMS messages from spoofed or borrowed/shared telephone numbers.
Additionally, URL (Uniform Resource Locator) links sent via SMS are often harder to inspect for security issues without completely loading the web page.
All-in-all, as our online world is increasingly becoming one conducted by smartphones and devices, smishing is growing in popularity with attackers.
General Smishing Examples
Here are some general real-world smishing examples I have received on my smartphone.
1. Fake IRS Scam - This one is attempting to appear as if it is from the U.S. Internal Revenue Service (IRS).
2. Fake Order/Invoice/ Shipping Scam - I received four of these already this Fall, where they appear to be responding to an order I have supposedly created or a shipment that I am supposedly getting. Most people, who have not recently created an order, would be curious about what company is supposedly claiming that they have placed an order and be worried about whether they will somehow be charged or not. And, who does not like to get a package or have their sense of inquiry kick in if they are not expecting one.
3. Series of Fake SMS Order Messages - This sender of fake SMS order messages appears to resend from the same fake originating phone number but claims to be different senders with different URLs. Something doesn't smell right with this example.
4. Fake Google Verification Message - This fake SMS message might appear more realistic because it is using Google’s own URL shortening service (goo.gl).
5. Fake Gift Card Contest SMS Message - This one claims I am a winner of a Walmart gift card, although they apparently have me mixed up with someone called Terrie.
6. Fake Account Activity SMS Message - These almost tricked me. I have been using Apple devices and PayPal for years. When I got these, my senses kicked into overdrive that my financial accounts were being hacked and that I could be a victim of identity theft. Fortunately, my training kicked in and I went directly to the accounts online and logged in securely to find out nothing was compromised…..except my blood pressure.
7. Fake COVID-19 Contact Tracing Alert - Talk about insidious! With the pandemic still spreading, this has been a winner for bad actors. Imagine getting a message that you were named by someone who has tested positive for the virus so you are being contacted by an official source.
Defenses Against Smishing
Although smishing is harder to defend against than regular email phishing attempts, there are defenses that can reduce the risk of successful attacks.
- Smishing Security Awareness Training: The key defense against smishing is security awareness training. Let your co-workers know about the increasing success of SMS-based phishing. Teach everyone about the overall threat and share common examples, along with how to avoid it and defend against it. Share this article as a good start. Telling employees to be suspicious of any unexpected SMS messages from unknown phone numbers is great first advice. Telling users not to respond to unexpected SMS messages, in any way, is a great defense.
- Users Should Report Smishing Attempts: Telling users to report rogue SMS messages to the security person or department is a good recommendation, so that person or department can be aware of the volume of attempts and the types of smishing being reported. A concerted smishing campaign against multiple employees can only be spotted and defended against if it is being reported to a centralized location. Recipients can also consider reporting rogue SMS messages to their cell phone network provider, so the provider can block future attempts from the same sending originator using the same information or method.
- Conduct Simulated Smishing Attacks: Just as you do with simulated email phishing attacks, also do the same with SMS. Send your co-workers a simulated SMS smishing test at least once a month. Provide immediate feedback and training to those who fail the tests. Make simulated smishing tests a part of your normal security awareness training routines. You can no longer afford to avoid training on this subject. Smishing is becoming too popular to ignore any longer.
- When in Doubt, Chicken Out: Tell co-workers and employees not to open short links arriving in unexpected SMS messages. If the employee is unsure about whether the SMS message is real or not, and they want to check by opening the link, they should only be opened in a controlled, safe environment, such as a resettable virtual machine image. That way, if the link points to malicious code, it will not be executing and trying to exploit their device.
- Do not Call Unknown Phone Numbers: The receiver of any unexpected SMS message touting a phone number they should call should never be called on the user’s personal phone. Most of the time, you cannot get exploited by calling any phone number beyond whatever sales pitch they may try on you, but simply calling them gives them your phone number. And once a scammer has your phone number, you can be assured that you’ll get many more rogue SMS messages and malicious voice phone calls (called vishing). If you feel tempted to call to see if the SMS sender is legitimate, call from generalized business number instead of your personal phone call.
- Do not Publicly Post Personal Telephone Numbers: Most rogue SMS messages started because the attacker knew someone’s personal phone number. The online world is just too dangerous for people to be publicly posting their personal phone numbers anymore.
Overall, you want to create a culture of security awareness training and healthy level of skepticism around SMS messaging. Smishers are increasingly using SMS to conduct phishing and spear phishing attacks. Get ahead of the increasing problem by fighting and defending against smishing today. If you have any questions about smishing or defenses, please do not hesitate to contact us!
How to prevent Smishing
There's one more stat to share, and it gets to the heart of how enterprises can help foil smishing attacks: only 17% in the United States run smishing or vishing simulations to help train staff to recognize and react appropriately to these attacks. At the organizations that do run these simulations, the failure rate is 6%. At first that may seem like a small percentage, but all it takes is one employee opening their device to harm one time to launch an attack. You would not except your network being protected only 94% of the time knowing that all businesses are now targeted.
These types of simulations are one of the best ways for enterprises to train their employees on how to avoid being smished. They should form part of your ongoing security awareness training regimen, along with phishing and vishing simulations. Simulated smishing attacks can help you target your training efforts, making it clear whether additional training is needed, and which users are particularly vulnerable.
But if your employer does not run simulations or hold training programs, you can still educate yourself to resist smishing attacks. Here is some common-sense advice:
- Be wary of texts using unnatural or ungrammatical language
- Offers that seem too good to be true usually are
- Do not click embedded links or download apps directly from a text message
- The IRS and Social Security Administration do not communicate via text
River Run also has advice and training on avoiding phishing scams, most of which applies to smishing as well.
Smishing and the FTC
The United States Federal Trade Commission has resources to help fight smishing. The FTC has a page with advice for avoiding these scams. If you think you have been victimized by such a scam, you can use the agency's complaint assistant site to file a complaint and help catch the perpetrators. But hopefully the advice on this page will help you stay one step ahead of the smishers.
River Run’s R-Security offerings are part of a comprehensive strategy that can be tailored for the compliance requirements and recommended stack for your industry and organization. We also offer security awareness training to help you further develop a culture that helps protect you, your employees, your clients, and your data from everything…including how not to get "smished".
Share this article