Hackers or other nefarious online criminals send you suspicious links by email or social media or redirect you to cleverly faked websites in order to collect private information. Despite ransomware taking center stage these days, many online criminals are still utilizing various forms of phishing to separate unwary web users from their money. But it’s not just sketchy websites you need to worry about. Phishing has given way to a new type of digital scam: smishing.
What Is Smishing?
Smishing, also known as SMS phishing, is a type of phishing scam that targets victims via SMS/text messages. It attempts to dupe them into handing over sensitive information such as financial information and login credentials, which could then be used to steal money or commit identity fraud.
While it’s difficult to track the first incident of smishing, Google Trends shows at least minimal interest in the term as early as 2004, with a significant spike in 2006. Interest in smishing has gradually increased since then, aided by the growth in smartphones with web browsing capabilities.
For the most part, smishing is just the application of common phishing techniques applied to a mobile device. Cyber criminals will either obtain a phone number from the dark web following a data breach, through web crawlers checking social media posts or even through a random number generator. They’ll then send out text messages asking users to call a number or click on a link. The messages scammers send often involve bank accounts, and in some cases, may even contain most or all of a potential victim’s credit card or bank account number. However, the scams can cover the gamut, and may even involve spoofing companies that are locally known to you.
Overall, what smishers are usually looking for is the missing piece of the puzzle. That could be a social security number, pin number, password, or any other private detail that will help them access your accounts. It’s easy to say “don’t give it to them,” yet many smishing scams are intricately designed to elicit a response. Even if that response is just a tentative and short-lived click on a link.
What Is the Difference between Smishing and Phishing ?
Whereas smishing pursues victims via SMS/text messages, phishing attacks target individuals via emails and purport to be from legitimate senders. They usually contain malicious attachments or links to sites that use drive-by downloads to install malware onto victims’ machines or harvest their credentials.
Examples of Phishing Attacks
The most common types of smishing attacks imitate banks, retailers, HMRC, delivery companies, and technology providers such as Apple or Google. They often use messaging that creates a sense of urgency and plays on the recipient’s emotions. Typically the fear of losing something or eagerness to take advantage of an exclusive offer that features unusually high savings and is only available for a limited time. Such as a message from your bank informing you of suspicious/unusual activity on your account or lack of funds. Or a message from HMRC stating that you are due a tax rebate.
How people fall victim
In this day and age, everything is fast-paced, and people tend to be in a rush to get things done. Especially in the lead-up to the festive season. They skim read, and inadvertently open links out of haste, not stopping to think about what they are doing.
If you do fall victim, you must take immediate steps to protect your information. Such as informing your IT department, changing your password(s) and contacting your bank.
Helpful Tips on Preventing Smishing
At a high level, avoiding smishing scams is simple. Not clicking on links in unfamiliar or unexpected text messages is an easy first step. However, cyber criminals who use smishing scams are full of tricks that are intended to get one of two types of responses: either a click on a link or a response (either by phone or text) to the number sending the message. While you may feel empowered by avoiding any suspicious links, you’ll need to fight the desire to call or text back telling the scammers to stop.
Here are a few tips to avoid falling prey to a smishing scam.
1. Don’t reply to the text message or call the number.
Even if the text message says “text ‘stop’ to stop receiving messages,” never reply. If you are sure the message is coming from scam number, replying may actually result in more messages getting spammed to your phone. The same may be true of calling the number. Often, scammers don’t know if the numbers they’re using are actually active. Providing a response to the message will verify to them that the number is indeed active, leading them to continue and potentially increase the number of scam messages you’re receiving.
A more effective option is to just block the number outright. Unfortunately, some model phones do not include phone blocking in the phone’s software. You may need to install a number blocking app from your phone’s app store.
2. Do a web search of both the number and the message content.
If you’re feeling a bit uneasy about a potential smishing scam, type the number or the message (or both) into a Google search. Chances are, you are not the first person to receive that message. In many cases, you’ll find others posting on various scam number websites. Don’t just trust one negative response or inquiry, however. Look to see if a suspicious number or message has numerous others posting that it’s potentially a scam.
For personal reference, I tend to get a lot of spam and robocalls. My personal favorite site for this is 800notes.com. When I get a call from a suspicious number, I rely on the site to help vet the number of potential scams or spam.
3. If the phishing message is spoofing a company, call the company directly.
Many smishing messages will pretend to be a well-known company, such as a store or bank. If you believe the message is a scam, instead of calling or texting the scam number, look up that company’s customer service number from its official website. Contact the service through that number and inquire about the message you received. If they confirm that it’s not from them, delete it.
4. Don’t click on any links in the message.
All forms of smishing are usually a game of emotional manipulation. Often, scammers don’t need you to overtly give up passwords, pins and social security numbers. At times, all they need to do is pique your interest enough to get you to click on a link and download a virus to your phone. There’s a good chance that if you did click on a phishing link, your mobile device is already infected. Since the goal for such viruses is often to stay hidden, you may not realize your phone is actually infected. However, some telltale signs may be:
- Unsuspected memory usage
- Phone heating up excessively
- Pop-up messages while using your smartphone web browser
If you did happen to click on a link from a suspected smishing text message, your best option is to install an antivirus app and scan your device. Any virus hiding on your phone could be logging keystrokes and stealing private information, meaning the smishing scam could already have been successful. Still, it’s better to cut it off at the heels even if you’ve potentially lost valuable information up to this point.
On the other hand, installing an antivirus app can help prevent smishing attacks in the future. A good antivirus app should block any virus installation attempts in the future, as well as block potentially malicious websites.
5.Utilize a VPN on your mobile device.
One thing that often gets overlooked regarding smishing attacks is the collection of location data. According to internet security company Sophos, cybercriminals are increasingly using location data to better target individuals. Cybercriminals can use that data to send you smishing messages that appear extremely local. If the message seems more personal, it’s more likely to yield a response from victims.
A VPN app could help spoof your location, making it seem like you are somewhere else. If you receive a smishing message based on your spoofed location, it’s much easier to recognize it as a scam. However, more intelligent scammers may just use your phone’s area code to deliver somewhat relevant scams to your phone.
Nevertheless, a VPN can help prevent a cybercriminal from obtaining any data from your device. As your data moves through from your smartphone across the mobile network, it’s encrypted through the VPN tunnel. The scammer, therefore, may have a virus installed on your device but may be unable to receive any valuable data from it due to VPN encryption. This can help save you should you fall prey to a smishing scam that installs a virus on your device and afford you time to effectively get rid of it in time.
Most importantly, avoiding smishing scams involves being proactive. If a message feels wrong, don’t take any chances. Any reputable company will never conduct important business over text message. And it will almost certainly never ask you to enter private account information through a text message or a suspicious link. If the message is real and important, companies will likely call or send an email.