Blog / Scams
31 August 2024
Author: Samir Yawar
8 min read

Beware of Smishing: A Growing Cybersecurity Threat


Emma received an urgent text claiming to be from her bank, warning of unusual account activity. Without thinking, she clicked the link and entered her details. Moments later, her account was emptied. It wasn’t the bank — it was a smishing scam. She realized too late that caution could have saved her savings. From that day forward, she tells people to beware of smishing, given how easy it is to fall victim to one.

What are Smishing and Vishing?

Smishing is a type of social engineering attack where cybercriminals use fake mobile text messages (SMS) to deceive individuals into downloading malware, sharing sensitive information, or transferring money. The term "smishing" is a combination of "SMS" (short message service) and "phishing," a broad category of cyberattacks that manipulate victims into revealing confidential information. 

On the other hand, vishing refers to similar attacks carried out over voice communication, such as phone calls or voicemails.

The Growing Threat of Smishing

Smishing is on the rise, with 75% of organizations reporting smishing attacks in 2023, according to Proofpoint’s 2024 State of the Phish report. 

Several factors contribute to this increase, including the fact that people are more likely to click on links in text messages than in emails. Additionally, advancements in spam filters have made email-based phishing less effective, leading cybercriminals to shift their focus to smishing. 

The widespread use of mobile devices, particularly in remote work environments, has further fueled this trend, making it easier for attackers to target individuals and gain access to company networks.

There’s even a new Apple smishing tactic that targets your Apple ID login. Apple users have been receiving texts that seem to be from service representatives, containing a website link. Clicking on the link leads to a fake iCloud login page, complete with a CAPTCHA to make it look more legitimate.

How Smishing Attacks Work

Smishing attacks function similarly to other phishing tactics, where scammers send deceptive messages containing malicious links. However, in smishing, the medium is SMS or messaging apps rather than email or phone calls. Cybercriminals prefer smishing for several reasons, including the higher likelihood of link clicks in text messages. 

Research by Klaviyo reveals SMS click-through rates range between 8.9% and 14.5%, compared to a mere 2% for emails, according to Constant Contact.

What makes smishing more dangerous?

Scammers often disguise the origins of smishing messages by spoofing phone numbers or using software that sends texts via email, making it difficult to trace the source. 

Moreover, mobile users cannot easily hover over a link to verify its legitimacy, as they can on a computer, making it harder to spot dangerous links.

Smishing vs. Phishing vs. Vishing: Understanding the Differences

It’s easy to get confused, given how similar the terms smishing, phishing and vishing sound. How about we simplify it for you?

How do you tell smishing, phishing and vishing attacks apart? The key difference lies in the medium used to carry out the attack.

Phishing encompasses all cyberattacks that use social engineering to trick victims into compromising their information.

Smishing and vishing are specific types of phishing — where smishing involves text messages, while vishing relies on voice communication.

They all share the same objective: stealing your identity, your information, and even your money.

Types of Smishing Attacks

Smishing attacks come in various forms, including:

  • Account Verification Scams: Victims receive messages asking them to verify account details, often leading to stolen credentials.

  • Prize or Lottery Scams: Attackers claim the victim has won a prize, requesting personal details or payment to claim it.

  • Tech Support Scams: Users are warned of device issues and prompted to contact fake tech support, potentially leading to data theft.

  • Bank Fraud Alerts: Messages appear to come from the victim’s bank, prompting them to verify transactions via a phishing link.

  • Tax Scams: Around tax season, scammers claim victims owe taxes or can receive a refund, seeking personal and financial details.

  • Service Cancellation: Attackers warn of service cancellation due to payment issues, urging the victim to click on a phishing link.

  • Malicious App Downloads: Users are lured into downloading apps that are actually malware.

Real-World Smishing Examples

Smishing attacks are a global issue, with cybercriminals targeting users worldwide. Some notable examples include:

  • Early Access Apple iPhone 12 Scam: A campaign in 2020 where victims were tricked into providing credit card info for a free iPhone 12.

  • USPS and FedEx Scams: Fake delivery alerts claiming missed or incorrect package delivery, leading to phishing sites.

  • Mandatory Online COVID-19 Test Scam: Scammers posing as government officials requiring a mandatory COVID-19 test.

How to Fight Smishing Attacks

To combat smishing, the Federal Communications Commission (FCC) has implemented a rule requiring wireless providers to block spam texts from suspicious numbers. However, no spam filter is foolproof, and cybercriminals are constantly finding new ways to bypass these defenses.

Smishing messages pose a threat only when the recipient takes action, like clicking on a link or sharing private information. Here’s how to identify smishing and protect yourself:

  • Be wary of messages promising easy money through prizes or cash in exchange for entering personal information. Coupon code offers are also common ploys.

  • Legitimate financial institutions will never request credentials or money transfers via text. Never send credit card numbers, ATM PINs, or banking details through SMS.

  • Avoid responding to unfamiliar phone numbers.

  • A sender number with only a few digits often originates from an email address—a common sign of spam.

  • Storing banking information on your smartphone makes it a prime target for attackers. Avoid saving this data on your device, as it can be compromised if malware is installed.

  • Report suspicious messages to your telecom provider’s designated number for investigation. The FCC also accepts and investigates text message scam complaints to help protect others.

Note: You can also report smishing texts to the FTC.
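The warning signs listed above (links, prize or cash lures, requests for credentials, urgency language, and short or email-originated sender numbers) can be turned into a simple triage heuristic that scores incoming texts. This is an added example and not code from the original post; the keyword lists, the `example.invalid` links and the sample messages are constructed for illustration, and the scoring threshold is an assumption.

```python
import re

# Indicator patterns modelled on the signs in the list above. Constructed for this
# example and deliberately small; a real filter would need far broader lists.
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)
LURE_RE = re.compile(r"\b(prize|won|winner|reward|free|cash|coupon|gift card)\b", re.IGNORECASE)
CREDENTIAL_RE = re.compile(r"\b(password|pin|login|verify your (account|identity)|card number|account number|ssn)\b", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(urgent|immediately|suspended|locked|cancell?ed|within \d+ (hours?|minutes?))\b", re.IGNORECASE)


def score_sms(sender: str, body: str) -> tuple[int, list[str]]:
    """Return (number of indicators hit, human-readable reasons) for one text message."""
    reasons = []
    if URL_RE.search(body):
        reasons.append("contains a link")
    if LURE_RE.search(body):
        reasons.append("promises a prize, cash or free goods")
    if CREDENTIAL_RE.search(body):
        reasons.append("asks for credentials or banking details")
    if URGENCY_RE.search(body):
        reasons.append("uses urgency or account-threat language")
    digits = re.sub(r"\D", "", sender)
    # Short codes and email-to-SMS gateways are the "few digits" sign from the post.
    if "@" in sender or 0 < len(digits) <= 6:
        reasons.append("short or email-originated sender number")
    return len(reasons), reasons


def triage(messages, threshold: int = 2):
    """Return [(sender, score, reasons)] for messages hitting at least `threshold` indicators."""
    flagged = []
    for sender, body in messages:
        score, reasons = score_sms(sender, body)
        if score >= threshold:
            flagged.append((sender, score, reasons))
    return flagged


# Constructed sample texts modelled on the bank, Apple/iPhone and USPS scenarios in the post,
# plus a legitimate one-time code that should not be flagged.
SAMPLE_MESSAGES = [
    ("+1 555 010 9999", "Bank alert: unusual activity on your account. Verify your account immediately at http://example.invalid/secure"),
    ("22395", "You have won a free iPhone 12! Claim your prize: www.example.invalid/claim"),
    ("83720", "USPS: your package could not be delivered. Update your address within 24 hours: http://example.invalid/usps"),
    ("+1 555 010 1234", "Your verification code is 482913. It expires in 10 minutes. Do not share it with anyone."),
]

if __name__ == "__main__":
    for sender, score, reasons in triage(SAMPLE_MESSAGES):
        print(f"{sender}: score {score} -> {', '.join(reasons)}")
```

A score is only a prompt to verify through a known-good channel (the bank's own app or the number on your card), never a verdict on its own.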

Conclusion - Train employees to watch out for smishing

You need to beware of smishing and vishing, and education is the best way to equip yourself to do so. Training employees to recognize signs of smishing, such as unusual phone numbers or unexpected URLs, is crucial. Many organizations conduct smishing simulations to reinforce this training and identify vulnerabilities. After all, text messages have a higher open rate than emails, and that makes smishing more effective for cybercriminals than good old-fashioned email phishing.

Start your journey to identifying and neutralizing cybersecurity threats today.

Samir Yawar / Content Lead
Samir wants a world where people can instinctively whack online scams and feel accomplished without the need for psychic powers. As an ISC2 member, he is doing his bit to turn cybersecurity awareness training into a fun concept with simple, approachable and accessible content. Reach out to him at X @yawarsamir
Frequently Asked Questions

What is smishing?
Smishing is a type of cyberattack where scammers use fake text messages to trick people into revealing sensitive information or downloading malware.

How does a smishing attack work?
Scammers send fraudulent SMS messages that often include a link or request for personal information, pretending to be from a trusted source.

How can I recognize a smishing text?
Be cautious of texts offering prizes, asking for financial details, or coming from unfamiliar numbers. Legitimate companies won’t ask for sensitive information via SMS.

What should I do if I have fallen for a smishing text?
Immediately change any passwords you may have shared, monitor your accounts for suspicious activity, and consider using security software to scan your device for malware.

Will my bank ask for personal details or money transfers via text?
No, legitimate banks will never ask for personal details or money transfers via text. Always verify directly with your bank if you receive such a message.