Most people know the dangers of clicking links in email messages, but fewer understand that similar threats exist within text messaging. Smishing involves text messages from threat actors impersonating organizations and requesting credentials or personal information.
Often, the impersonated organization is a delivery service, PayPal, or a bank. These smishing scams often require the recipient to respond immediately or click on a link, which could install malware.
Messages with Urgency
Many people are already aware of the dangers of clicking suspicious links in emails, but cybercriminals have found a way to use the same tactics on smartphones. They can mask the source of their attacks and make it difficult to tell if an SMS message contains a dangerous link. In addition, the security features that come with most smartphones don’t always prevent users from falling victim to these threats.
These messages often imitate notifications from reputable organizations like banks or government institutions. They will then request that victims provide sensitive information, click a link, or call a number. Attackers can then use these messages to access personal data and commit financial fraud.
Another popular type of smishing attack involves messages that imitate notifications from shipping services. Attackers can create messages that appear to be from UPS, FedEx, or Amazon and prompt victims to follow a link to confirm their packages or verify a delivery address. This can lead to a fake website that phishes for passwords, credit card numbers, or other information.
Fortunately, most of these scams are easy to avoid. It is important to remember that most reputable companies will never ask you for your private information or ask you to respond directly through text message. If you receive a suspicious text message, do not reply or click the link; instead, contact the organization directly through a more secure channel found on its official website.
Messages with a Reward
In a scam that is popular during tax season, cybercriminals use smishing to lure victims into providing passwords or account numbers or clicking links that install malware on the victim’s phone. This can allow them to access personal information, including email and other social media accounts, and use it for fraud or identity theft.
Smishing attackers can target individuals with several types of messages. They may pretend to be a bank, a government agency, or a local political campaign. They may also pose as a delivery service or an online retailer, such as Amazon, to trick people into clicking a link. It’s harder to spot dangerous links on a phone than on a computer, and people are used to businesses and brands sending them messages over SMS.
The most common smishing scams involve financial services, with attackers posing as banks or other financial institutions to get their victims to reveal passwords and account numbers or click links that install malware. Other smishing attacks rely on social engineering by targeting emotions like fear, greed, love, or sympathy to trick victims into taking action. These scams often take advantage of current events, such as a fake emergency about a loved one overseas in a warzone, to generate urgency and make their victims act.
Messages with a Warning
Although phishing attacks typically come via email, scammers also use text messages. These messages impersonate a trusted source, such as a delivery company or business account, to trick the victim into divulging personal information or clicking on malicious links that steal confidential data. The cybercriminals then sell this information on the black market or use it to commit identity theft, empty bank accounts, or redirect payments.
A standard smishing message purports to be from a delivery company such as FedEx or UPS and asks the victim to click a link to track their package. This can take the user to a bogus website where the hacker solicits sensitive data, including account numbers, passwords, and credit card numbers. Providing this information is like giving hackers the keys to your bank account.
Another common smishing attack uses a brand name to target employees and customers. This attack can appear as an SMS message from the brand or from a third-party application that a user has installed on their phone, such as a digital payment app. These apps can contain malware and other threats that can be downloaded onto the victim’s device.
Older individuals are particularly susceptible to this because they are more inclined to respond to text message notifications and may be duped by a well-known brand name. Ensure users know to only click on links in messaging apps that are known and trusted. Also encourage them to verify the authenticity of a message using a contact method other than the one in the text.
Messages with a Link
Cybercriminals use a variety of tactics to impersonate a service or authority. They might copy a delivery service such as FedEx, UPS, or the US Postal Service and tell the target there was a problem with package delivery; they may pretend to be an online service provider such as PayPal and ask to verify account information over the phone.
These scams often include a malicious link the victim is encouraged to click. When they do, malware can be downloaded to their device, and they are directed to a fraudulent login or billing screen where their data is collected. From there, the attackers can steal login credentials, financial information, and other sensitive data that could be used for identity theft.
As the popularity of these scams continues to rise, people need to remember that a text message is unlikely to contain the same security features that a reputable company would use in email or on their website. For this reason, it’s always a good idea to use a VPN on your mobile device when accessing the internet and consider using multifactor authentication for online accounts with passwords.
Changing passwords regularly is also a good idea, especially on devices where you keep personal information. This will help ensure that any smishing attack that succeeds in installing a virus on your device can’t use it to gain valuable information.
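The message traits covered above (urgency, reward, warning, link) and the brand impersonation behind them can be checked mechanically when triaging reported texts. The following is an added example, not part of the original article; the keyword patterns, the official-domain table, and the sample messages are constructed assumptions.

```python
import re

# Assumption: official domains for brands the article names.
OFFICIAL = {"ups": "ups.com", "fedex": "fedex.com", "usps": "usps.com",
            "amazon": "amazon.com", "paypal": "paypal.com"}
# Assumption: illustrative keyword patterns for three of the traits.
TRAITS = {
    "urgency": r"\b(immediately|urgent|today|within \d+ hours?)\b",
    "reward": r"\b(refund|prize|won|gift card|reward)\b",
    "warning": r"\b(suspended|locked|unusual activity|problem with)\b",
}
# Matches hostnames with or without a scheme, since SMS links often omit it.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/\S*)?", re.I)

def link_hosts(text):
    """Return the lowercase hostnames of every link found in the message."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]

def host_matches(host, official):
    """True only for the official domain or one of its subdomains.
    A suffix check, so 'ups.com.parcel-check.example' does not pass."""
    return host == official or host.endswith("." + official)

def triage(text):
    """Return the list of smishing traits present in one SMS body."""
    flags = [name for name, pat in TRAITS.items() if re.search(pat, text, re.I)]
    hosts = link_hosts(text)
    if hosts:
        flags.append("link")
    for brand, domain in OFFICIAL.items():
        named = re.search(rf"\b{brand}\b", text, re.I)
        # Brand is named, but at least one link leads somewhere else.
        if named and any(not host_matches(h, domain) for h in hosts):
            flags.append(f"brand_mismatch:{brand}")
    return flags

# Constructed sample messages (not real traffic).
SAMPLES = [
    "UPS: there was a problem with your delivery. Confirm your address "
    "immediately at http://ups.com.parcel-check.example/verify",
    "Your FedEx package has shipped. Track it at https://www.fedex.com/track",
    "You won a $500 gift card! Claim your reward today: prize-claim.example/r",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms), "<-", sms[:40])
```

A brand mismatch is the strongest signal here: the first sample embeds the real brand domain as a subdomain label of an unrelated host, which a substring check would miss.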