What Is Smishing? How to Identify and Avoid Smishing Attacks
Email-based phishing attacks have been around since the 1990s, but not all phishing scams land in your inbox. Smishing attacks target people via SMS text messages to gather personal information, like payment methods or Social Security numbers.
In this guide to smishing, we’ll discuss what smishing is, along with:
- The difference between smishing, phishing, and vishing
- Smishing examples
- Types of smishing attacks
- How to stop smishing attacks
What is Smishing?
Smishing is a type of cyberattack that manipulates users into divulging private information by sending misleading text messages. Like other phishing attacks, the goal of smishing is to trick someone into clicking a link that downloads malware onto their mobile device or sends the scammer personal information.
Because email phishing is a well-known cyberattack, users have been trained to avoid opening emails or clicking suspicious links from an unknown sender. However, not many people know that phishing attacks can also be conducted via text message, so they are much more likely to fall for a smishing attack.
In addition, SMS open rates are as high as 98 percent, and users respond to 45 percent of text messages, so people are much more likely to engage with a suspicious text than an email phishing attack.
What’s the Difference Between Smishing, Phishing, and Vishing?
The term “phishing” originates from the analogy of using an email as bait to lure users into sharing private information, like their usernames and passwords.
Once email phishing became common knowledge, scammers came up with other phishing attacks. “Smishing” is a portmanteau of “phishing” and “SMS” or text messages. Sometimes scammers use non-SMS text services, like WhatsApp or WeChat, to launch these attacks.
“Vishing” is another type of phishing attack that uses voice calls to scam people rather than emails or texts. The term comes from the combination of “voice” and “phishing.”
How Smishing Works
As in phishing, smishing scammers use social engineering techniques to pose as trusted sources, like your bank or even your workplace, and ask for personal information such as bank account details, login credentials, or other sensitive data.
These messages often include a link to a website disguised as a trusted site so the target can enter their username and password or some other personal information.
A smishing attack might even ask targets to share sensitive information directly. Social engineering tactics often create a sense of urgency and fear in a target, so they’re thinking less clearly about sharing sensitive data via text message.
By pretending to be a law enforcement agency or another government body, scammers can trick victims into clicking a link that collects their smartphone’s data or downloads malware onto their device.
A scammer might collect basic information about a target that can be easily found online, like their name and address, to trick the target into believing that the message comes from a trusted source, like a retailer or a well-known brand. This way, the target is more likely to share private information directly with the scammer without ever realizing what is happening.
Another typical example is when an attacker poses as the IRS, tells the target they are being sued for failing to file their taxes correctly, and threatens them with arrest unless they act now. Because many users trust SMS messages and texting feels more “immediate” than email, they are likely to share their personal information without considering whether the message comes from a trusted source.
Types of Smishing
Although smishing originated as a type of phishing attack conducted via SMS, several types of smishing attacks are being attempted today. Here are some of the most common attacks to keep an eye out for.
In a cellphone smishing attack, a scammer poses as your mobile phone service provider and offers a discount or a special phone upgrade. The message typically includes a link to activate the offer, which leads to a spoofed website designed to look just like your provider’s website.
The site will then ask you to confirm personal information like your address, credit card number, and possibly even your Social Security number.
A smishing scammer can try many things to trick their target into sharing their personal information with just a text message. Usually, this involves clicking a link to a supposedly trustworthy website where you can enter your login credentials or confirm other personal information.
For example, by posing as a representative from your financial institution, a scammer could ask you to confirm some recent charges and trick you into clicking a link that connects to a copy of your bank’s webpage. Hackers might also pose as a well-known brand, such as a package delivery service like UPS or FedEx, and ask you to confirm your delivery address by clicking a link and filling out your information.
Although phishing via instant messaging platforms like Facebook Messenger and WhatsApp technically isn’t smishing, it works similarly. IM smishing scams take advantage of consumers who are now more comfortable receiving messages from strangers on social media.
Sometimes these messages don’t even come from strangers, but people you already know. That usually means that person’s account has been hacked or spoofed, so they might not even know someone is using their name to send scam messages.
How to Stop Smishing Attacks
One of the most effective ways to stop smishing attacks is to conduct security awareness training that educates users on the warning signs. Additionally, reporting these attacks helps wireless providers alert users who receive messages from a particular number, or even block messages from that number entirely.
Here are some dos and don’ts for how to stop smishing scams:
- DO contact the organization that supposedly sent the message using a verified phone number or website.
- DO report smishing messages to your cell phone provider or 7726 (SPAM), the spam reporting service run by the mobile telecommunications industry.
- DO consider using tools that block messages from unknown or suspicious senders. Many major wireless carriers offer call-blocking services to their customers.
- DON’T click a link in a text message from an unknown sender. If the message claims to be from a trusted source, look up the organization’s website yourself and use a secure link with https:// in the URL instead.
- DON’T share any personal information (especially financial information) in response to a random text or a link shared in a message from an unknown sender.
- DON’T reply to any unsolicited text messages, even if they say you can text “STOP” to unsubscribe. By engaging with smishing texts, you confirm that your number is active and can be sold to other scammers.
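The warning signs described in this guide (urgency, requests for sensitive data, and links that do not lead to the organization's verified website) can be checked mechanically when triaging reported texts. The Python code below is an added example, not part of the original guide; the allowlist, keyword lists, function names and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: brand name -> domains verified out-of-band (illustrative values).
VERIFIED_DOMAINS = {"fedex": {"fedex.com"}, "ups": {"ups.com"}, "irs": {"irs.gov"}}
URGENCY = re.compile(r"\b(act now|immediately|urgent|arrest|suspended|final notice)\b", re.I)
SENSITIVE = re.compile(r"\b(social security|ssn|credit card|password|login|account number)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def link_hosts(text):
    """Return the lower-cased hostnames of every http(s) link in the message."""
    hosts = []
    for raw in URL.findall(text):
        host = urlsplit(raw.rstrip(".,;:!?)")).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def on_verified_domain(host, domains):
    """True only for an exact match or a real subdomain of a verified domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(text):
    """Return the list of warning signs found in one text message."""
    signs = []
    hosts = link_hosts(text)
    if URGENCY.search(text):
        signs.append("urgency")
    if SENSITIVE.search(text):
        signs.append("asks_for_sensitive_data")
    for brand, domains in VERIFIED_DOMAINS.items():
        # A brand is named, but at least one link leads somewhere else.
        if hosts and re.search(rf"\b{brand}\b", text, re.I):
            if not all(on_verified_domain(h, domains) for h in hosts):
                signs.append(f"link_not_on_verified_{brand}_domain")
    return signs

# Constructed sample messages (not real traffic); example.* hosts are placeholders.
SAMPLES = [
    "IRS: you are being sued for unfiled taxes. Act now to avoid arrest: http://irs.gov.example.net/pay",
    "FedEx: confirm your delivery address at https://fedex.example.org/track",
    "Your UPS package is out for delivery. Track it at https://www.ups.com/track",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg), "<-", msg)
```

An empty result only means none of these particular signs matched; the advice above about links from unknown senders still applies.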
Along with learning how to stop smishing scams, investing in email security software like Armorblox adds another layer of security to your digital communications. Armorblox understands the content and context of communications to protect your company’s human layer against targeted attacks and data loss.