SMS, with its extremely high open rate of 98% and its average click-through rate (CTR) of 19%, is streets ahead in terms of effectiveness compared to other communication and marketing channels like email. This is why it's widely used by businesses today as they battle to get noticed by customers.
The popularity of SMS is one reason cybercriminals target this channel – it gives them a higher chance of success in committing malicious activities through SMS phishing scams, also known as smishing.
Read on to discover what SMS phishing is and several examples of smishing attacks that'll help you spot red flags and hopefully avoid falling prey to such scams.
What is SMS phishing?
The term phishing is literally derived from fishing. Not fishing in the traditional sense, where you take a rod and reel down to the river to get yourself a great catch, but rather fishing for information by baiting (or tricking) a victim. With smishing, an attacker targets your phone number and sends malicious text messages to bait you.
Smishing is a social engineering tactic; hackers use deception and psychological manipulation to con people into revealing private or sensitive data or taking some questionable action, like wiring money to an unknown account.
Social engineering attacks work by gaining the victim's trust, so they unwittingly do what the hacker desires, without the hacker resorting to more complicated techniques or brute force attempts. Sadly, no security system can protect us from human interactions designed to exploit. That's why social engineering attacks are often successful.
What is an example of SMS phishing?
There are many different types of smishing attacks, and we give you several examples below, covering the attacker's purpose and motivation for each.
1. Gaining access to a private or exclusive service or app
Most people have numerous apps or services they've signed up to, where they store their payment details, like Amazon, Google, Apple, supermarket shopping apps or e-commerce stores. One SMS phishing scam is where hackers try to gain your login credentials to get into an online platform and access your credit card information.
Some attacks are bold and tap into fear – they aim to scare users into thinking they are the victim of a hacking attempt and urgently instruct them to reset their password. The user clicks on a fake link to reset their details, but actually, it's a dodgy login screen, and the user unknowingly delivers their new password right into the hands of the scammer.
Other smishing messages are more subtle and rely heavily on spoofing, where the text looks very ordinary and like it's come from a legitimate organization. For example, a scammer might target a particular Amazon order (which they could learn about if they manage to breach your email account). The text might then persuade you to log in to your account to check your order delivery status – but you click on a malicious link, and the attacker obtains your password that way.
2. Stealing personal or financial information
Online services, especially banks, have a tough job when trying to protect their customers from a smishing attack. That's why they'll put two-factor authentication (2FA) or multi-factor authentication (MFA) in place, which requires users to verify their credentials through a unique PIN code or a few characters from their memorable word.
Yet, even with these added security measures, smishing scams occur. Seen often in the case of SMS verification, the attacker tries to intercept the one-time password (OTP) or PIN so they can obtain access to the account. If that's a bank account, they could easily approve a large financial transaction without you even being alerted. How could they intercept the OTP? Simply by sending you an impersonated text like this:
Hi Ellie, we noticed a suspicious login attempt to your bank account. If this wasn't you, please reply with the 6-digit code we'll now send you. ABC Bank.
Hackers usually have access to some of your personal information already, so a text like this can seem very convincing and genuine. Another type of smishing attack that aims to steal personal or financial information is a promotional message that looks like it's coming from a trusted brand and includes a link to a sales page where you can make a purchase. Only it's really a fake website purely designed to capture those sensitive details.
3. Stealing sensitive corporate data
As well as attacking individuals, cybercriminals also target businesses to gain unauthorised access to confidential information, like business-critical research or customer data.
Ironically, this happened to an SMS provider as recently as 2022, where the company's employees were targeted in a sophisticated smishing scam. They received a fake notification text from an attacker pretending to be from the organisation's IT department – the message warned the employees their passwords had expired and needed to be changed. Some clicked on the embedded links, which contained the company name (so it looked trustworthy), allowing the hacker to steal employee credentials and gain unauthorised access to 125 customer accounts. This is a classic example of a combination of SMS spoofing and phishing.
4. Downloading and installing malware
Many smishing attacks rely on malicious links that appear legitimate. When an unsuspecting user clicks on them, they can be tricked into downloading malware, like viruses, worms, ransomware, spyware or some other shady application.
Malware can be programmed to do anything the attacker wants. It can take over your device, steal your information for identity theft, send text messages to premium-rate phone numbers, install adware that forces you to view malicious pop-up ads and even start recording every tap and scroll you make.
Safety precautions to avoid smishing attacks
Smishing attacks are rife and are therefore very concerning for any business utilising text messages to communicate with customers and employees, and also for recipients themselves. But there are several preventive measures that can help avoid them.
Keep personal and work phones separate – by issuing employees with a work phone, you can protect their personal data and reduce the risk of company data being leaked to external (unauthorised) parties.
Check SMS links in text message content – if you're being asked to log into a service you already use or are subscribed to, double and triple-check the URL. Is it the exact same link that you normally use? Or does something about it look odd? Smishing links often contain a slight spelling error that only a practised eye can spot. If the SMS hyperlink looks official and correct, ask yourself why you're being prompted to log in. Is that a normal occurrence?
Educate your customers – any online services provider (especially financial institutions) should send customers periodic reminders about the importance of data security and stress they shouldn't divulge private information or OTPs to anyone. Explain that your business never asks customers to reveal personal information by text message. You can also ask customers to report any suspicious text messages they receive. It's essential to keep them informed of the risks and remind them to stay vigilant.
Train your employees – consider hosting a seminar internally about the rise of smishing and how businesses can be impacted through data breaches. Circulate your company's data security policy and send reminder emails regularly.
Ensure mobile device assets are adequately protected – encourage employees and customers to use the built-in security features provided by Android and iOS, such as biometric login, setting app permissions and enabling safe browsing. Check out this article for more Android security tips. Also consider a robust mobile phone antivirus.
- Adopt MFA – use two or more security layers in your user verification process for maximum protection. MFA isn't impossible to breach, but it's certainly a thorn in the side for hackers.
Protect your business and customers from smishing attacks
SMS phishing attempts are unfortunately quite common, given the widespread use of text messages. And because this type of cybercrime is fuelled by psychological manipulation, it can be easy to fall prey to it.
However, by being vigilant and learning about different types of smishing text messages, you can identify the warning signs that a hacker is trying to scam or steal from you. As a business, educating your customers and employees about the risks of smishing attempts and the preventive measures to take is vital. Those include making the most of mobile device security and using built-in features designed to protect.
For more information about using SMS messaging for business communications, browse the Messente blog.