What is Smishing and How to Defend Against It
- By David Lukic
- Feb 23, 2022
People depend on text messages for much more than sending emojis during boring meetings. People send 13 trillion texts worldwide every day, averaging 13 for each person. But there are hazards to so much texting, particularly the potential for smishing.
So what is smishing? Smishing is the sending of fraudulent text messages that appear to come from a trusted source, such as a bank or school, asking for personal information or a PIN in order to steal data or funds. Smishing’s email-based twin is phishing.
Phishing has been a successful method of scamming people through email, so it’s natural to try it through mobile phones. However, because cell phone use can be unconscious and automatic, younger people are more likely to be victims of smishing attacks. In addition, companies are using SMS text messages to reach customers at a high rate, and this volume makes it harder to tell real messages from fake ones.
Email phishing attacks require email addresses, but smishing can be done by computers sending a high volume of messages to randomly generated combinations of 10-digit numbers that are likely to be phone numbers. This process is worthwhile for scammers as studies show that unknown emails are only opened about 10 percent of the time, but people open 98 percent of unknown text messages. That means that even getting one or two percent of those people to act on a smishing message could be very lucrative to attackers if they’re able to steal money or personal information as a result. Smishing is so lucrative for scammers that the volume of these messages is growing exponentially.
How Does Smishing Work?
When your phone is always in your hand, you’re more likely to trust the information that comes through it. Unfortunately, we don’t always take time to think about which app is sending an alert or whether we recognize the phone number that the newest message is from. That’s what smishing scammers count on: their victims are those who make quick, emotion-based decisions to act on a message before verifying its source.
The characteristics of a smishing attack are:
- The sender pretends to be someone of authority or to represent an important institution, such as your bank, credit card company, school, or a representative of your employer.
- The message requires you to act quickly – the scammer hopes you’ll respond without thinking.
- There’s an emotional aspect to the fake text, whether it’s fear, greed, or anger.
- If you look closely, there’s usually something a little “off” about the message, whether it’s a misspelling, an error in your name, or no personal greeting at all (a sign of a broadcast message sent to many people at once).
- There’s usually some interaction required, whether clicking on a link or typing in a PIN.
Common tactics of smishing attacks are:
- Claiming that your bank account or credit card has been hacked and you need to “verify your PIN” immediately.
- Pretending to be your boss who’s away from the office and immediately needs an important account number or password to access sensitive data.
- Masquerading as a trusted delivery company or online store with a message that requires you to click a link to accept a package delivery. Instead, the link downloads malware onto your mobile phone that may be used to break into your other accounts.
- Some are as simple as a message that appears to be from a neighbor – “Is this black cat yours?” By responding, you’ve confirmed that your phone number is active, making you a target for future attacks.
- Some sophisticated attacks direct you to your bank’s website and then launch an overlay screen that captures your PIN as you enter it.
How to Protect Yourself from a Smishing Attack
Limiting the number of businesses that use your mobile number to send you text messages is one way to prevent some smishing attacks. If you have fewer messages in a day, you’re less likely to blindly respond to one that is an attack. It’s good practice to keep your cell phone number as private as possible because it’s one of many pieces of personally identifying data that may be sold on the dark web for account hacking and identity theft purposes.
Stop and scrutinize any unexpected messages. Things to look for:
- Scammers may use shortened URLs or extended URLs that are either difficult to decipher or that don’t show up completely in the address bar of your browser. This tactic makes it nearly impossible to determine who you’re responding to.
- Do not respond quickly to messages that feel urgent.
- Take a moment to investigate where it came from. If it still appears legitimate, close the message, and call the individual or business using their contact number or information found on an official website.
- Use a service or reverse phone number lookup tool that verifies phone numbers and train yourself to use it anytime an unrecognized message appears.
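The red flags listed under the attack characteristics above and in this checklist can be turned into a simple screening heuristic. The following is an added example, not code from the original article: it scores a text message on unknown sender, urgency wording, requests for a PIN or password, shortened or very long links, and a missing personal greeting. The word lists, the shortener domains and the sample messages are assumptions constructed for illustration.

```python
import re
from typing import List, Tuple

# Assumed keyword patterns mirroring the article's red flags (illustrative, not exhaustive).
URGENCY_RE = re.compile(
    r"\b(immediately|urgent(?:ly)?|act now|within \d+ hours?|suspended|final notice|right away)\b", re.I)
CREDENTIAL_RE = re.compile(
    r"\b(pin|password|passcode|one[- ]time code|account number|verify)\b", re.I)
URL_RE = re.compile(r"https?://([^\s/]+)\S*", re.I)
SHORTENER_HOSTS = frozenset({"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"})
LONG_URL = 60  # characters; beyond this a link is unlikely to display fully on a phone screen

def score_sms(text: str, sender_known: bool, recipient_name: str = "") -> Tuple[int, List[str]]:
    """Return (number of red flags, reasons) for one incoming text message."""
    reasons: List[str] = []
    if not sender_known:
        reasons.append("sender not in contacts")
    if URGENCY_RE.search(text):
        reasons.append("pressure to act quickly")
    if CREDENTIAL_RE.search(text):
        reasons.append("asks for PIN/password/verification")
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        if host in SHORTENER_HOSTS:
            reasons.append(f"shortened URL ({host})")   # destination hidden behind a redirector
        elif len(m.group(0)) > LONG_URL:
            reasons.append("very long URL")             # hard to read in the address bar
    if recipient_name and recipient_name.lower() not in text.lower():
        reasons.append("no personal greeting (broadcast message)")
    return len(reasons), reasons

def verdict(text: str, sender_known: bool, recipient_name: str = "") -> str:
    """Map the flag count to the article's advice: delete, confirm out of band, or accept."""
    n, _ = score_sms(text, sender_known, recipient_name)
    if n >= 2:
        return "do not reply; delete"
    if n == 1:
        return "confirm through the official contact number"
    return "likely legitimate"

# Constructed sample messages (not real texts); the link and the name are placeholders.
SAMPLES = [
    ("Your card has been suspended. Verify your PIN immediately at http://bit.ly/EXAMPLE", False, "Dana"),
    ("Hi Dana, your parcel is out for delivery. Track it at https://www.example.com/track/ABC123", True, "Dana"),
    ("Is this black cat yours?", False, "Dana"),
]

if __name__ == "__main__":
    for text, known, name in SAMPLES:
        n, why = score_sms(text, known, name)
        print(f"{n} flag(s) -> {verdict(text, known, name)}: {why}")
```

The thresholds are deliberately conservative: a single flag only asks you to confirm through an official number, which is the article's own advice for anything that still looks legitimate.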
Installing a VPN (a virtual private network) on your phone is another way to protect yourself. VPNs encrypt information and spoof your location, making it harder for scammers to capture and use accurate information from your device.
Updating your virus protection software and keeping your operating system updated are always essential. These steps should minimize data loss and perhaps block malware that may be launched on your phone through a smishing text.
Blocking unknown phone numbers, or only accepting messages and calls from known contacts, is a good practice if it’s possible. Some people who use their phones for both business and personal purposes are not able to block unknown numbers because they depend on incoming calls and messages for work. Also, blocking phone numbers or smishing messages might not be effective: sophisticated scammers know how to spoof phone numbers, so they can change the incoming number whenever necessary. Experts suggest deleting messages rather than responding in any way.