CyberTech Awareness Program

SMS Phishing

What is it, how do attackers use it, and how to avoid becoming a victim
June 5th, 2023
Author: Ryan Morrissey
Editor: Savannah Ciak

What is SMS Phishing?

SMS phishing (sometimes referred to as smishing) can be explained by breaking down the term into two separate words. SMS stands for “short message service”, a technical term for text messages. Phishing is the act of using social engineering techniques to gain access to your sensitive data, whether it’s private information about your life or even bank information. 

If you put these terms together, you get SMS phishing. This is when attackers try to access your data via text messages. SMS phishing can be executed with similar techniques to email phishing but just through text messages. Most often, these messages trick the user into engaging with the phish.

Source: https://www.safetydetectives.com/wp-content/uploads/2021/03/Smishing-text.png 

Why is SMS Phishing Important to Discuss? 

SMS phishing is a relatively new form of phishing, so people are less aware of it. It’s important to spread awareness of these attacks to prevent anyone from falling for them. Cybercriminals are coming up with new forms of attack through text messaging that have never been dealt with before. While text messaging may seem simple to some, it can be tough for others. It is important to educate vulnerable demographics about these attacks so they can be better prepared and protected.

Common Techniques Used by Attackers 

Many of the attacks will be impersonation, the most popular form of phishing. Attackers will usually use a trusted business or organization that many people are familiar with, such as a bank or internet provider, to impersonate. Unfortunately, thousands of targeted users send the attackers their banking numbers or other sensitive information.

Image Source: https://www.martininsurance.com/wp-content/uploads/2022/05/text-scam-1.jpg

Someone may see the text above and use Bank of America, thinking their account may be at risk of being closed. They click on the link and enter their bank information, which is then, stolen. 

Attackers will often mix impersonation with fear-inducing messages. If someone is unaware of the tactics, they might fall for the trick out of fear that the message is real. On top of fear, the message might sound urgent as well. “If you don’t click on this link, your account will be locked forever” is an example of that. 

Image Source: https://cdn.abcotvs.com/dip/images/11371439_122221-ktrk-scam-text-tn-img.jpg?w=1600 

A huge majority of people order things online. There are quite a few attacks relating to the image above in that attackers send out a fake text message. Once the link is clicked, the user is vulnerable to attacks.

You may be thinking, “I just won’t click on the links that look bad or are not normal”Attackers can easily workaround this through more complex techniques such as spoofing or faking links and websites. It’s not hard for attackers to fake an address through text messages. Similarly, they can copy a reliable website’s code to make their own website that looks exactly like a reliable website. Some cybercriminals will go to great lengths to make people fall for their schemes if it means they can successfully gain personal, sensitive, or financial information. In the image below, an attacker is spoofing the PayPal link. If the target clicks on the link, they may be redirected to a fake PayPal website, which may ask them to input their PayPal credentials. If the user inputs their credentials, the attacker would then have access to the user’s PayPal account. 

Image Source: https://www.hackread.com/wp-content/uploads/2016/02/crooks-sending-phishing-links-in-text-messages-to-steal-paypal-account-side-1024×365.jpg 

The last common technique attackers use is offering a reward. Attackers may send a text saying the victim won something, whether it be money or some other form of reward. This is dangerous because everybody wishes they could just come across a big sack of gold without having to do anything, but most times you will find any form of this text will just end with you entering your credit card number into a website, whether it’s an easily spottable scam site or a spoofed website like mentioned above. 

Image Source: https://pisces.bbystatic.com/image2/BestBuy_US/dam/GL-63607-fraud-text-210708-0581e759-0215-4de7-9f3e-6ca928f1cdb7.png 

Real Life Example of SMS Phishing 

Covid-19 SMS scam 

Do you remember how on edge everyone and everything was in the world during the peak of COVID? That common fear among the people of the world was exploited by cybercriminals during COVID-19 in multiple forms. Attackers would often send misleading texts that made people give up sensitive personal information. One very common text message was sent to almost everyone in the UK during COVID, claiming that “you were in close contact with someone who had COVID.” The text led to a website that had you buy a fake COVID-19 test that cost around a dollar. This was a small amount of money, so nobody would really think twice about just buying it, leading to their card information being stolen. 

Image Source: https://www.tripwire.com/sites/default/files/nhs-fake-text-1.jpeg 

Spotting and Avoiding SMS Phishing

SMS phishing is a sneaky way for attackers to get your information. Being aware helps combat SMS phishing. It’s important to be cautious when receiving text messages from unknown contacts and realize that if you are not careful, it could result in repercussions. 

One technique that you can use is to be skeptical at all times. Verify that the person you are sending messages to is, indeed, the person they say they are. You can never be too sure when it comes to texting. Being skeptical is important because keeping your guard up and double-checking will go a long way in protecting your data. 

Anything that you might suspect of being illegitimate will probably be a scam. Trust your gut and educate yourself, and you will find yourself well-protected.

One big thing every single person should realize and be aware of is that legitimate companies and services won’t ask for information directly over text. To some, this may seem simple, but it’s important that you never directly input your personal information via text. Where it can be more complicated is when attackers instead send links; legitimate companies usually send links over text, so this is where more people than others will fall for fake links. 

Image Source: https://cms.podium.com/wp-content/uploads/2023/02/scam-text-ceo-.png 

Again, links can be spoofed, so it’s never good to trust a link in a text message because it’s probably a scam. If you suspect you are on a spoofed or fake website, simply close the tab, and always make sure to never enter your password or any private information on a website you aren’t familiar with. It’s a good idea to verify what websites you are accessing, especially through text. 

You can try to prevent SMS phishing in a couple of ways. There are trusted security applications on app stores that can try to filter out some texts and may do other common security things, such as serve as a virus/malware scanner. While these are good, they will not protect you from everything. It’s up to you as the user to be aware of techniques used by attackers so you don’t fall for them. Applying system and application updates will also help prevent attacks from taking place if you do slip and fall for a phish. 

Some common apps (both Android and iOS) that help filter out SMS phishing that you can research are:

  1. SMS Shield
  2. RoboKiller
  3. Hiya
  4. VeroSMS
  5. Both IOS and android offer their own filters through settings 

I Got an SMS Phishing Text, What Do I Do? 

SMS phishing is becoming more popular, and as using email becomes less frequent if you have a smartphone, you will probably witness or encounter an SMS phishing scam. If you get an SMS text, don’t engage in any way with the actual text. If you can, the best thing to do is avoid clicking on any links in the text and also not responding to the text. Ignoring/deleting the text and moving on is all you can do to protect yourself. 

After you protect yourself from SMS phishing, you can also help protect others! There are a few ways to report scam texts, but the most common is to report them to the Federal Trade Commission (FTC). They are skilled at mitigating these attacks and preventing them from spreading too far. You can report any scam text you get in a couple of simple ways:

  1. Copy the message and forward it to 7726 (SPAM). This helps your wireless provider spot and block similar messages in the future.
  2. Report the message in your actual messaging app.
    • Android and iPhone offer ways to report scams, which usually entail just clicking on the message or holding down on the message, and there’s usually an option somewhere to report it as a scam, so you will never get a message again and will flag that number in the future.

Through self-education and caution, you can protect yourself and others against SMS phishing! 

Conclusion

SMS phishing is an emerging form of phishing where cybercriminals deploy techniques to trick victims into entering personal information through text messaging. This form of phishing is relatively new, so it’s important to raise awareness about SMS phishing, including what it is, how it can be prevented, and some methods to defend yourself from falling victim to one of these attacks. 

By exercising general caution, you will find yourself well-defended from SMS attacks. The best thing to do if you get a text message from an unverified source is to double-check and verify everything you are being sent over text or do not engage. You will not be getting a text message about your bank account being closed. If you feel uneasy about a text message, delete it and don’t respond. If you feel really at risk, you can report it to the proper authorities so they can deal with the phishing case. Remember that scammers often use scare tactics or some sense of urgency to trick you into feeling rushed, this is when we as humans are most vulnerable, so always check the texts you receive.

Works Cited:

  • Graham Cluley. “Covid Text Scam Warning from National Health Service (NHS).” Tripwire, www.tripwire.com/state-of-security/nhs-warns-scam-covid-19-text-messages. Accessed 26 May 2023.
  • Hebert, Amy, et al. “How to Recognize and Report Spam Text Messages.” Consumer Advice, 25 Oct. 2022, consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages#report.
  • Kaushik, Neha. “5 Best Spam Texts Blocker Apps for Android and IOS .” Geekflare, 2 Nov. 2022, geekflare.com/stop-spam-texts/.
  • “Scam Text Message Examples and How to Identify Them.” TextMagic, 9 Dec. 2022, www.textmagic.com/blog/spam-text-message-examples-and-how-to-identify-them/.
  • “Smishing (SMS Phishing).” Barracuda Networks, 21 Oct. 2022, www.barracuda.com/support/glossary/smishing#:~:text=Smishing%2C%20or%20SMS%20phishing%2C%20is,account%20information%20or%20installing%20malware.
  • Smishing-Text.Png. https://www.safetydetectives.com/wp-content/uploads/2021/03/Smishing-text.png. Accessed 26 May 2023.
  • SMS Phishing: 5 Ways to Avoid Smishing Attacks – Icorps, blog.icorps.com/5-ways-to-avoid-sms-phishing. Accessed 26 May 2023.
  • Srivatsan, Krupa. “Recent SMS Phishing Attacks and the Dangers of MFA Looka2like Domains: Infoblox.” Infoblox Blog, 1 Mar. 2023, blogs.infoblox.com/security/recent-sms-phishing-attacks-reveal-the-dangers-of-mfa-lookalike-domains/.
  • Text-Scam-1.Jpg. https://www.martininsurance.com/wp-content/uploads/2022/05/text-scam-1.jpg. Accessed 26 May 2023. 

Posted

in

by

Savannah Ciak

Tags:

, ,