Smishing. What is it?
Smishing is a type of electronic fraud akin to email phishing in which criminals send SMS messages to potential victims posing as representatives of genuine companies in an attempt to obtain personal information or transmit malware.
The fraudster will draw people’s attention with a variety of strategies designed to engage them without triggering their suspicions, much like a fisherman using realistic bait to attract a fish to their hook.
The difference between phishing and smishing
Smishing is basically the SMS variant of phishing, with the ‘bait’ message sent over SMS rather than email.
As a result, any malware included in the attack will most likely be tailored to infect a mobile device and propagate through the phone’s contacts, rather than a PC.
Smishing messages will also be distributed via the mobile network rather than the internet, necessitating the implementation of a distinct set of security solutions to counteract attacks (more on this later).
How does smishing work?
Effective smishing attacks rely on the receiver doing something they would not have done otherwise. This might be as simple as following a link in an SMS message or providing personal information via return SMS or a bogus landing page.
Scammers can persuade consumers to do this activity in a variety of methods, including impersonating reputable businesses or employing multi-stage social engineering strategies that utilise collected data or information offered in the initial approach to make the final attack more credible. This could range from a person’s name and address to an account number.
Smishing attacks are broadly classified into three sorts, ranging from borderline-legal guerilla marketing strategies to sophisticated multi-stage criminal operations with severe financial consequences.
- Copycat marketing
In the grey area of the law, a company may approach a person posing as or just implying that they are a well-known brand that the individual already recognises and trusts. In this situation, the victim is duped into examining a product or offer that they would not have considered otherwise.
Is this illegal? Although it is unlawful to directly imitate a protected brand, unscrupulous enterprises skirt the law by utilising similar branding and content to established businesses.
- Malware attacks
This form of attack is malicious, although its sophistication is restricted. Once again, receivers are duped into thinking the message is real, but this time the link they are encouraged to click on will download malware onto the device, infecting it and potentially spreading itself automatically across the phone’s contact list.
The Flubot, which targeted Android devices and was aimed to steal online banking details and other private data, was a recent example of this. It needed an international initiative combining eleven countries’ police forces to put an end to it.
All current smart phones, whether Android or iOS, will have security safeguards that prevent malware from silently installing, but these features are significantly less effective when users deliberately download anything or transfer sensitive data to a third party through deception.
- Fake landing pages
The most audacious, clever, and expensive type of smishing occurs when fraudsters imitate messages sent by legitimate organisations to their clients, urging them to visit a bogus landing page where they are urged to provide personal information and login credentials. These information is then stolen and utilised by crooks to get access to the genuine accounts.
These landing sites use one-time or very short-lived URLs, making it nearly impossible to track them down.
Again, the most successful smishing attacks will employ coordinated social engineering strategies that rely on existing facts to make them appear more credible. Harvested data is frequently saved and used in a subsequent attack. After a sufficient amount of time has passed, the victim will not put two and two together and realise they are being duped.
How do fraudsters get my mobile number?
Victims of smishing attacks are entitled to wonder how their phone number ended up in the hands of criminals. Unfortunately, there are numerous ways for this to occur, as we supply our mobile number to various organisations on a daily basis.
- Data breaches: When hackers get access to a company’s client database, they can take anything from login and password information to addresses and, of course, mobile phone numbers. These individuals may not utilise the information themselves, but rather sell it to other criminals who specialise in specific sorts of fraud. Customers of a specific bank or airline that suffered a data breach may find themselves receiving fake texts months or even years later if their phone number has found its way to a smishing professional.
- Bought lists: When a mobile number falls into the wrong hands, it can be added to lists that criminals subsequently buy and sell on the dark web.
- Website scraping: You may be unaware that your phone number is displayed in several legitimate locations on the internet. Anything from former social media profiles to websites of organisations or clubs you used to belong to, as well as third-party business directories. Fraudsters will employ software that constantly monitors the internet for numbers that look like phone numbers and add these to lists to sell.
- Form data saved in your browser: Depending on your browser settings, the information you input when filling out a web form can be preserved in memory so that the browser ‘remembers’ your details the next time you fill out a similar form. If the browser does not lock down this data, malware can find it and extract it, which it then sends to third parties.
- Random number generators: There isn’t much you can do about it. In most countries, mobile phone numbers have a uniform length and format, making it easy for software to generate large lists of probable phone numbers that can then be confirmed by automatic dialers. Do you ever get calls that only ring once? That could be dialers looking to see if your phone number exists.
What are some examples of Smishing?
What does a smishing text seem like now that you know what it is? Messages come in a variety of flavors, but one thing they all have in common is a powerful call to action for the recipient. They are usually offering you something appealing or warning you to something undesirable that could cost you money or cause disgrace if you do not act quickly. The sense of urgency drives victims to act immediately and without hesitation.
Here are six well-known examples, though this is far from an entire list. Scammers are particularly excellent at adapting and leveraging current events, such as the war in Ukraine or a cryptocurrency crisis, to add legitimacy to their schemes.
You’ve won a competition (that you never entered)
Starting at the lower (and less credible) end of the spectrum, we’ve all received communications promising a surprise boost to our bank accounts. Lottery winnings, inheritances from unknown relatives, and even Nigerian monarchy are all possibilities. The bait of a large payday appears to be enough to induce some people let down their guard and click on a link or disclose personal information.
Delivery notifications
This strategy has gained popularity in the last two years as more consumers shop online, and businesses have hastened to include new SMS notification use cases. Fraudsters pounced on this opportunity, creating highly genuine texts from stores and delivery organisations indicating “an issue with your delivery.” They may request that the recipient pay additional delivery fees or enter their login credentials in order to obtain further information about the problem.
Bank fraud message
Ironically, one of the most effective smishing strategies is for fraudsters to imitate a communication from a bank alerting the customer to suspicious activity on their account. These letters are simple to reproduce since they follow a standard pattern, and because there are only a few retail banks, recipients are likely to recognise their own bank as the sender.
The message will almost certainly persuade the recipient to reset their password in order to prevent additional fraudulent activities. When the user clicks on a link in the message, they are taken to a bogus login page where they are requested for their login credentials in order to update their password.
With these details, the crooks have a window of opportunity to login to the account and transfer money before the victim discovers. Many banks are catching on to this strategy and implementing 2FA checks whenever an account is accessed from a new device or when the requested amount exceeds a specific threshold.
The mutual friend/colleague
This method employs some very simple social engineering techniques to significantly increase the effectiveness of the smishing attack. If a message includes the name and contact information of someone we know and trust, we are significantly more inclined to believe it is genuine.
Scammers only need to scrape victims’ social media profiles to determine who their close friends or business acquaintances are, and then use this information. Perhaps by providing them with a job, a fantastic business opportunity, or an invitation to an event that would be ideal for them.
Social media alert
When confronted with the potential that an unpleasant image of them exists on the internet, people appear to lose their sense of perspective. SMS messages claiming to be from a social-media Samaritan advising the user of something they don’t want have been a very successful tactic:
“You won’t believe the Facebook photo Muhammad tagged you in! Take a look at this…”
This heartless strategy preys on people’s good intentions. Scammers will use a significant occurrence in the news, such as a natural disaster, war, or refugee crisis, to get people to donate money or offer personal information that can later be used fraudulently.
How telecom providers can prevent smishing
As smishing attacks get increasingly sophisticated and difficult for mobile users to detect, it becomes the obligation of telecom operators to block them before they reach their clients. It is in their best interests to be proactive. Successful assaults will destroy trust in A2P messaging, driving customers and the brands they buy from to abandon SMS, reducing revenue potential.
Fortunately, mobile operators have an ally in this battle. By collaborating with the proper vendor, they can have access to SMS firewall technology as well as experience to assist safeguard their mobile eco-systems.Our partner, Infobip, already collaborates with over 120 telcos around the world to protect over 1.1 billion mobile customers using a robust set of technologies that includes:
- Links to a constantly updated database of dangerous URLs that can be blocked automatically in real time.
- Proactive threat detection that employs machine learning to anticipate assaults.
- Responses to recognised dangers are automated.
- Based on SIM box detection, MSISDNs (numbers) that are not “real customers” can be identified and their reputations analysed.
Infobip’s SMS firewalls are backed by a global team of intelligence and security professionals, which is just as crucial as the functionality they offer. In such a rapidly changing environment, it is these individuals’ responsibility to recognise new forms of threats and guarantee that we can help to protect against them.
