5 facts you didn’t know about SMS phishing
Say the word phishing in front of any IT professional and prepare to see their expression contort into a wince of discomfort. Phishing has become the bane of every IT leader's existence, seeding networks with ransomware and causing devastating breaches worldwide. However, there is a form of phishing that gets far less attention, even in IT circles: SMS phishing.
Here are five things you might not know about this kind of exploit, how it works and why you should be wary when a dodgy-looking text message shows up on a mobile device:
1. SMS phishing exploits a unique vulnerability
Like its email cousin, SMS-based phishing, also known as smishing, tries to trick the mobile device-using public and businesses alike into providing sensitive personal and financial information that cybercriminals use to take over accounts, commit identity theft and help themselves to the victim's funds or lines of credit. The tactic is growing in popularity because the controls that blunt email phishing mostly do not reach SMS. A text sent to an employee's personal or BYOD phone never passes through the organisation's email security gateway, so the link rewriting, URL reputation checks and attachment sandboxing applied to email never see it, and SMS has no sender-authentication equivalent of SPF, DKIM or DMARC. Carrier-side spam filtering exists but is coarse and outside the organisation's control.
SMS attacks take advantage of the feelings of trust and intimacy people have toward their smartphones. Victims know they must be on guard when receiving suspicious email messages, but they might not be aware that the same kind of threat can arrive through text message. The BBC reports social engineering exploits netted cybercriminals $1 billion last year, so they likely want to capitalize on the lucrative opportunity that SMS scams offer them.
2. Smishers often pose as banks
The most common scenario for a smishing attack involves a text message that claims to be from a bank and says it’s urgent for the victim to provide information to secure their mobile banking accounts or regain access to them. Like early, less sophisticated email phishing campaigns relying on social engineering, the message is usually rather crude and fear-based, and it might have misspelled words or awkward language. A typical smishing message would, for example, alert you to a serious problem that had supposedly happened with one of your financial accounts and direct you to click on a link to remedy the situation.
Many people who have seen this sort of trick before in email will think twice before clicking the link. Experienced users will know not to respond at all. Some will take the smart step of independently finding the phone number for their bank or financial institution’s official customer service line and calling them to confirm the message’s legitimacy. But make no mistake, as SMS exploits become more common, you can expect them to become more clever. As Wandera research notes, 81 percent of mobile phishing attempts now take place outside of email. Hence, it’s important to keep a lookout for emerging threats on these channels, too.
3. SMS phishing messages adapt to the mobile setting
Since smishing attacks come through SMS messages, they have to be short. These mobile exploits usually show up as brief communications providing limited information, just enough to induce the victim to tap a link and enter credentials on a website or download a malicious app. SMS attacks also benefit from the mobile setting, because it is much harder to tell whether a message or website is fake on a phone than on a desktop or laptop.
On a smartphone or tablet there is no mouse to hover over a link, the browser's address bar is truncated or hidden once the page scrolls, and shortened URLs are routine in texts, so the only way to inspect a link before following it is to long-press it and read the preview. The destination most worth checking is the host: a raw IP address, a lookalike of the brand's real domain, or a shortener are all red flags. IT leaders can address this gap by updating security awareness training to include mobile attacks, with special attention on exactly these steps employees should take to spot a malicious message on their mobile devices.
4. SMS exploits link to sophisticated phishing websites
Once they’ve convinced a victim to click on a link, cybercriminals will go the extra mile to trick them into thinking they’ve arrived at a legitimate website. The branding and design will be exactly the same as what victims expect to see, lulling them into a false sense of security. It will, however, often ask them to provide as many credentials as possible — a telltale sign of a phishing attack, which will attempt to harvest as much information from its victims as it can.
Even if a victim doesn't provide all the requested data, any information brings the cybercriminals one step closer to taking over the user's email or financial accounts. Sometimes a smishing website will even present a fake multifactor authentication prompt, just as a bank would, which makes the process seem legitimate and secure even though nothing could be further from the truth. Worse, a one-time code typed into such a prompt can be forwarded to the real site while it is still valid, so an SMS-delivered code offers little protection against a phishing page that is working in real time.
5. Smishers often mask their identities
When you receive a text message your phone usually displays the sender's phone number, or an alphanumeric sender name. Neither is authenticated: bulk and web-to-SMS gateways let the sender choose the displayed ID, so a message can appear to come from a brand name, a number in another country, or a short code such as "5000" rather than the scammer's real number. Cybercriminals thrive when anonymous, so they routinely use these services to mask their identities when staging SMS-based attacks. A strange message from an unknown source, an unfamiliar number or an unexpected short code should be treated as a red flag, and a familiar-looking sender name is not proof of anything.
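The link checks described under point 3 and the sender-masking signs described under point 5 can be turned into a small triage routine for texts that employees forward to the security team. The following Python script is an added example written for this page, not code from the article or from any vendor it mentions. It assumes the organisation's genuine banking domain is examplebank.com (hypothetical), treats that as the only trusted domain, and scores each reported message on the indicators the article names: a short-code or alphanumeric sender, urgency wording, and a link whose host is a raw IP address, a brand lookalike, a shortener, a punycode host, or a URL with a fake "bank.com@" prefix before the real host. The sample messages at the bottom are constructed for the example.

```python
"""Triage reported SMS messages for smishing indicators (added example).

Assumption for the example: examplebank.com is the organisation's real bank
domain; every other host containing a brand word is treated as a lookalike.
"""
import ipaddress
import re
from urllib.parse import urlsplit

KNOWN_BRAND_DOMAINS = {"examplebank.com"}            # hypothetical allow-list
BRAND_WORDS = ("examplebank", "bank", "secure", "verify", "account", "login")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
SECOND_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "co.za", "com.br"}
URGENCY = re.compile(r"\b(urgent|immediately|suspended|locked|within 24 hours|verify now|act now)\b", re.I)
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.I)

# Link indicators weigh more than sender or wording indicators, because legitimate
# senders also use short codes, alphanumeric IDs and the occasional "urgent".
WEIGHTS = {
    "ip_literal_host": 3, "userinfo_before_host": 3, "brand_lookalike_host": 3,
    "punycode_host": 2, "url_shortener": 2,
    "short_code_sender": 1, "alphanumeric_sender_id": 1, "urgency_language": 1,
}


def extract_urls(body):
    """Return the URLs in a message body; bare 'www.' links get a scheme."""
    urls = []
    for m in URL_RE.finditer(body):
        url = m.group(0).rstrip(".,;:!?)")          # drop sentence punctuation
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url
        urls.append(url)
    return urls


def registrable_domain(host):
    """Last two labels, or three for ccTLD second-level suffixes such as co.uk."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def url_indicators(url):
    """Indicators for one link, based only on its host (what a long-press preview shows)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    found = []
    if parts.username is not None:                   # http://examplebank.com@evil.example/
        found.append("userinfo_before_host")
    try:
        ipaddress.ip_address(host)                   # http://192.0.2.10/login
        found.append("ip_literal_host")
        return found                                 # no domain to analyse further
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        found.append("punycode_host")                # possible homoglyph domain
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        found.append("url_shortener")                # destination hidden from the reader
    if reg not in KNOWN_BRAND_DOMAINS and any(word in host for word in BRAND_WORDS):
        found.append("brand_lookalike_host")         # brand word, wrong registrable domain
    return found


def sender_indicators(sender):
    """A short code (e.g. '5000') or an alphanumeric name is set by the gateway, not verified."""
    sender = sender.strip()
    if re.fullmatch(r"\+?\d{3,6}", sender):
        return ["short_code_sender"]
    if re.search(r"[A-Za-z]", sender):
        return ["alphanumeric_sender_id"]
    return []


def analyze_message(sender, body):
    """Score one reported text and return the evidence behind the verdict."""
    indicators = set(sender_indicators(sender))
    if URGENCY.search(body):
        indicators.add("urgency_language")
    urls = extract_urls(body)
    for url in urls:
        indicators.update(url_indicators(url))
    score = sum(WEIGHTS[i] for i in indicators)
    return {"sender": sender, "urls": urls, "indicators": sorted(indicators),
            "score": score, "verdict": "suspicious" if score >= 3 else "low"}


# Constructed sample reports, not real messages.
SAMPLE_MESSAGES = [
    ("5000", "ExampleBank: your account is suspended. Verify now at http://examplebank-secure-login.com/verify"),
    ("+447700900123", "Urgent: unusual activity detected. Confirm at http://192.0.2.10/examplebank"),
    ("ExampleBank", "Your statement is ready at https://www.examplebank.com/statements"),
    ("+14155550111", "Running late, see you at 7"),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        result = analyze_message(sender, body)
        print(f"{result['verdict']:10} score={result['score']} from={sender!r} {result['indicators']}")
```

Note that the genuine statement notification from "ExampleBank" still picks up the alphanumeric-sender indicator and scores 1: sender identity alone is a weak signal precisely because both banks and scammers use gateway-assigned names, which is why the link host carries most of the weight.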
SMS attacks might be flying under the radar for now, but they are just as dangerous as email phishing campaigns, and you should treat them as such. IT professionals who want to protect their companies from emerging exploits will want to be familiar with smishing, give colleagues a simple way to report shady text messages, train them to be on the lookout for them and leverage mobile security tools to guard against this growing threat.