Smishing is a type of phishing in which attackers send bogus text messages to trick people into installing malware, providing sensitive information, or losing money. Most people know to be wary of phishing attacks that arrive via email, but many don’t think about the dangers that lurk in text messages. Messages that claim to be urgent, such as a notice about a package order, can lead users to click a link that shepherds them to a scam site.
Legitimate companies and government agencies never request account information or login credentials over text.
Social Engineering
Social engineering refers to the process by which cyber criminals manipulate their victims’ emotions and instincts to get them to take actions that are not in their best interest. This can take the form of a convincing email from a trusted brand or a simple trick in which the criminal alters sensitive information or images and then forwards them to their victim. It may also involve a romance-based scam in which the threat actor poses as a loved one on dating or social media sites and asks for money. Criminals who use this tactic may scour social media to gather as much information on their target as possible, which they then use in a targeted spear phishing attack.
Almost every type of cybersecurity attack involves some element of social engineering. Cybercriminals use this tactic to obtain login credentials, credit card numbers, bank accounts, and even a person’s Social Security number to make purchases using their victim’s money or apply for loans in someone else’s name. They can also use this information to plant ransomware on a company network.
Some of the most common social engineering attacks include smishing (which merges SMS with phishing), vishing, and baiting. These tactics all have a similar objective – to get the victim to share information or download malware, often with urgent requests for access to their account. These messages and calls can appear on social media, email, or text, or they could even come from an in-person encounter like a meeting at the food court in a public office building.
Malware
The goal of smishing is to get you to click on the link, download malware onto your device, and ultimately give up your personal information, such as passwords, banking account numbers, and your Social Security number. Bad actors are often well-prepared, utilizing industry-specific jargon and official-sounding language to make the message seem more legitimate. Some smishing attacks even use spoofing to hide the attacker’s phone number and make it appear to come from an official or local source.
One of the common smishing scams is a financial service scam. These messages seem to be from your bank, credit card company, or other financial institution, and they urge you to confirm personal information that the attackers will use to conduct fraud. The attackers also use links that direct victims to fake websites, which can include cyberattacks designed to steal victims’ information or install software on their devices.
Phishing
Scammers often use phishing in their text messages to get recipients to click a link or download malware. They’ll often spoof phone numbers, so the message looks legit. They’ll also try to create a sense of urgency by claiming the recipient’s account was hacked or that there is a warrant out for their arrest.
Clicking a smishing link can install malware on your device that lets fraudsters see your address book, passwords, and sensitive photos and information. Or it can take you to a fake website that tricks you into entering your personal information, which will be sent directly to the attackers.
One common smishing tactic involves a “refund” scam. Fraudsters will claim they overpaid you for some service and ask for your banking or credit card information to get the money back. They’ll even use your mobile carrier to send the text message.
Another example is a fake text that claims your package was delayed, which could be an attempt to fool you into clicking a link. Hackers know you’re concerned about when your Christmas or other gifts will arrive, so they may include a link to UPS. It’s best to log into the shipping company’s site directly to check on your shipment status. If you’re worried about a specific delivery, you can always call the customer service number on the shipping provider’s website.
Identity Theft
This new phishing scam is a form of identity theft that can trick victims into sharing personal or financial information in a text message or even installing harmful malware on their devices.
Hackers can also use your social media profiles to create fraudulent messages that seem to be coming from a friend or family member.
Scammers can also use your phone number and your email address to create fake messages that appear to come from a trusted source.
If you receive a suspicious message, report it to your mobile carrier and the IC3. This helps prevent others from falling prey to the same attack and protects against identity theft or having your bank accounts drained.