What is SMISHING?
A combination of SMS–short messaging service, or texting–and phishing, smishing refers to text messages sent by attackers to gain personal and sensitive information. Like spear phishing, smishing attacks rely on tricking users into clicking a link to provide sensitive information, like login credentials which can be used to access target systems, or even deposit malware.
This method of attacking has recently become more popular due to the ease of gathering phone numbers, the prevalence of smartphones, and the inferred trust of a text message over a traditional email. While emails can contain any number of letters or special characters, phone numbers around the globe follow specific patterns, such as the three-four-three 10-digit pattern in the U.S. and attackers can try different combinations or send out blasts to a specific range. Additionally, phone numbers are often associated with social media, making them easier to find while also providing attackers a repository of information to make smishing attempts more personalised.
Scammers are also succeeding due to the relationship between a user and their phone. Whether they’re on the go or distracted with something else, users are more likely to trust their smartphones or skim a message rather than reading it carefully. To best protect against smishing – and phishing scams in general – it’s important for users to scrutinise phone numbers, read messages carefully, and never click on an unfamiliar link.
How to Spot a Smishing Attempt
Unfortunately, there is no shortage of phishing attacks on any device. Whether cybercriminals are hunting for credit cards, login credentials, or any other bits of sensitive information, SMS phishing attempts are threats that mobile users need to be prepared for.
A common smishing attack involves banking services. Posing as a legitimate financial institution, these text messages can appear to be time sensitive to encourage victims to log in without thinking critically.
Figure 1: Sample text message alerting victim of account compromise, encouraging them to sign in with link provided
The best way to react to these types of messages is to bypass the link and go directly to the bank itself. Go to the bank’s website, log in to their app or even call a local branch to verify if there are any issues with a bank account.
Another example of smishing attacks takes advantage of multifactor authentication (MFA). Attackers will send credential text messages to users, encouraging them to sign in. Hackers build these pages to look like the authentic credential sites that users are familiar with.
Figure 2: Sample text message encouraging a victim to sign in at the provided link so they can verify their identity.
With attacks like these, users must think carefully. Have they signed into something recently? Is this the normal way for them to verify their identity? As with banking institutions, it’s best to go directly to the source and verify. It’s important to note that while some attackers are taking advantage of MFA, the added security of MFA is still an incredibly important defence against cybercrime.
Figure 3 is a realistic example based on a smishing message that one of our employees received:
Figure 3: Screenshot of a smishing attempt with the strange number and incorrect link highlighted
How to Avoid Being Smished
As mentioned earlier, one of the best techniques to avoid being smished is being critical with the text messages you receive. Never click on a link you’re unfamiliar with and don’t feel obligated to respond to a strange text from a number you don’t recognise.
For security professionals, it is important to implement user education. Training and testing your company on how to identify phishing and smishing will greatly reduce the likelihood of a successful phish attempt.
Taking it a step further, another important piece of this puzzle is the organisation-wide adoption of a Zero Trust stance. It’s important to monitor your environment with the understanding that nothing should be implicitly trusted – anything in your network can be used against you. Products like endpoint detection and response (EDR) provide broad visibility and machine learning (ML)-based detection for real-time threat analysis. An EDR product can be paired with a security orchestration, automation, and response (SOAR) platform for automation-based threat response.
SITC works with some of the biggest names in cybersecurity solutions, and cybersecurity awareness training to provide you with a one-stop shop for everything you need to keep your organisation protected across the threat landscape. Our partner Palo Alto Networks offers endpoint detection and response (EDR) solutions in the form of Cortex XDR: an industry-first in extended detection and response.