Smishing Scam Alert

HOW SMISHING WORKS

Most smishing attacks work like email phishing. The attacker sends a message enticing the user to click a link or asks for a reply that contains the targeted user’s private data.

THE INFORMATION AN ATTACKER WANTS CAN BE ANYTHING, INCLUDING:

• Online account credentials

• Private information that could be used in identity theft.

• Financial data that can be used to sell on darknet markets or for online fraud.

Smishers use a variety of ways to trick users into sending private information. They may use basic information about the target (such as name and address) from public online tools to fool the target into thinking the message is coming from a trusted source.

The smisher may use your name and location to address you directly. These details make the message more compelling. The message then displays a link pointing to an attacker-controlled server. The link may lead to a credential phishing site or malware designed to compromise the phone itself. The malware can then be used to snoop the user’s smartphone data or send sensitive data silently to an attacker-controlled server.

Social engineering is used in combination with smishing. The attacker might call the user asking for private information before sending a text message. The private information can then be used in the smisher’s text message attack. Several telecoms have tried to fight social engineering calls by displaying “Spam Risk” on a smartphone when a known scam number calls the user.

Malware is often stopped by basic Android and iOS security features. But even with robust security controls on mobile operating systems, no security controls can combat users who willingly send their data to an unknown number.

HOW TO PROTECT FROM SMISHING ATTACKS

Like email phishing, protection from smishing depends on the targeted user’s ability to identify a smishing attack and ignore or report the message. If a phone number is often used in scams, the telecom might warn users who receive messages from a known scam number or drop the message altogether.

Smishing messages are dangerous only if the targeted user acts on it by clicking the link or sending the attacker private data.

HERE ARE A FEW WAYS TO DETECT SMISHING AND TO AVOID BECOMING A VICTIM:

• The message offers quick money either from winning prizes or collecting cash after entering information. Coupon code offerings are also popular.

• Financial institutions will never send a text asking for credentials or transfer of money. Do not ever send credit card numbers, ATM PINs, or banking information to someone in text messages.

• Avoid responding to a phone number that you don’t recognize.

• Messages received from a number with only a few digits probably came from an email address, which is a sign of spam.

• Banking information stored on the smartphone is a target for attackers. Avoid storing this information on a mobile device.

Should an attacker install malware on the smartphone, this banking information could be compromised.

• Telecoms offer numbers to report attacks. To protect other users, send the message to your telecom’s number so that it can be investigated. The FCC also takes complaints and investigate text-message scams.