What is Smishing and How to Protect Against it?

Most people who use email somewhat regularly have heard about phishing and may even have some idea how to protect themselves against it (if you don’t, here’s a good reminder on how to protect yourself from an email-based phishing attack).

However, what a lot of folks don’t know is that phishing doesn’t have to come from only email.

Although email is the most popular channel for phishing attacks, phishing can also be done via text messages or SMS (smishing), phone calls (vishing), social network direct messages (angler phishing), hypertexts (HTTPS phishing) and so on.

In this article, we’ll explain one of these phishing methods, smishing: how scammers target users via SMS messages and how best to protect against it.

How Criminals Use SMS Messages for Fraud?

One of the biggest dangers of smishing is that not that many people are actually familiar with it.

According to the 2020 State of the Phish report by Proofpoint, less than 35% of the population can define smishing. What’s even worse is that the younger age groups, 18-22 and 23-38, who should normally be more familiar with things like these (since they more often use Android devices) did not fare much better compared to those over 55 years.

On the other hand, there were around 131.2 million Android users in the United States in 2021 and it’s estimated that in 2022 that number will rise to 133.4 million, per Statista.

An average user aged 18-24 receives 1,831 text messages per month, or around 61 per day, according to Experian.

This is exactly what fraudsters are looking for. If you receive 50+ SMS messages every day, how much attention do you really pay to each of them? We often use our mobile devices without thinking, to mindlessly scroll through social media, check email, have chats on Viber or WhatsApp and, of course, text others and have others text us.

Phishing Using Text Messages is on the Rise

Scammers are well aware of all of this and smishing attacks have increased by nearly 700% in the first 6 months of 2021 (January-July) compared to the last 6 months of 2020 (July-December).

To make matters worse, encrypted messaging apps like WhatsApp and Signal are not immune to text-stealing malware. According to the EFF (Electronic Frontier Foundation), an international hacking group called “Dark Caracal” has been using phishing links sent through text message, WhatsApp, Messenger and Signal to redirect Android users to download fake updates for these apps and steal their sensitive data.

What are the Most Common Smishing Attacks?

Smishers employ mostly the same tactics as email phishers. Usually, the potential victim is told they need to urgently update their login information, claim a reward, or take some other action on their bank or credit account.

Of course, in doing so, the victim is opening the door for the fraudster to steal their confidential information and more.

Although “smishers” can use any kind of text message for this, there are 4 main types of smishing that you should particularly be aware of:

1) A notification that you’ve won an award and need to claim it

Who doesn’t like to hear that they’ve won something? Especially if they never participated in the lottery but their number just randomly got drawn.

Why, of course I’m going to “respond promptly” with all my sensitive information to something like this:

Of course, this is from an email, but you might receive a similar text message as well, usually with a malicious link that you need to click to “claim” your prize. Before you do that, stop for a second to think: did you enter anything?

2) Text messages claiming to be from your bank

Another common type of smishing is messages that supposedly come from your bank (or any bank; it doesn’t have to be the one you’re a client of).

These messages will usually tell you something along the lines of “your account has been locked” and ask you to click on a link where you’ll need to enter your password to log in. Of course, by doing this, the scammer can steal personal information from you.

In reality, banks will rarely send you text messages and if they do, they’ll be about suspicious purchases from your account or for authentication codes, but they will never include links.

3) Fake shipping messages

More and more brands use SMS to deliver important updates to their customers, including letting them know, for instance, that their package has arrived.

Threat actors, of course, are trying to do the same.

These messages can be particularly dangerous. A new type of text message scam, the “Flubot malware”, was active in Australia in September last year, as cybercriminals were sending text messages claiming to be about packages that their victims had ordered.

These messages also included a link that, if the user clicked on it, would send them to another page to “track the package”, which, of course, contained malware and was used for stealing passwords and other sensitive information.

4) Fake surveys

Fake surveys are perhaps the least common type of smishing for the simple fact that even real surveys are often unsolicited so people rarely respond to these, let alone fake ones.

That said, from time to time, someone gets one of these and is bored enough to respond without thinking.

How to Protect Against Smishing?

Text message phishing, or SMS phishing, is on the rise as more and more businesses use SMS to communicate with their customers. The FBI’s Internet Crime Complaint Center (IC3) reported in 2020 more than 240,000 cases of phishing, smishing, vishing and pharming, which cost over $54 million.

So how can you stay safe and avoid falling victim to scams like these?

  1. Don’t click on links in SMS messages unless you’re 100% sure where they came from. These links will most likely contain malware, which can then spread on your Android device;
  2. Pay attention to messages from strange phone numbers like “5000”. Such numbers go to email-to-text services and are often used by criminals;
  3. Your bank or credit agency will never, NEVER, ask you to update your account information in this way. If you receive such a message, contact your financial institution and warn them about the scam;
  4. If you receive an “urgent” message or a security alert, don’t rush to take action;
  5. Don’t “claim rewards” for prizes you never participated in. You can’t win something if you don’t play;
  6. If you receive a fraudulent SMS, report it to the FCC or FTC.

Finally, keep your eyes open and if you’re not sure about a message and it looks even a little “phishy”, don’t take the bait.
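
The warning signs in the checklist above can be expressed as a simple rule-based triage, shown here as an added example that is not part of the original article. The flag names, keyword lists and sample messages are constructed for illustration and are not a vetted detection set.

```python
import re

# Constructed sample messages (sender, body); not real traffic.
SAMPLES = [
    ("5000", "URGENT: your account has been locked. Log in at http://bank-secure.example/login"),
    ("+15550100", "Congratulations! You have won a prize. Claim it now: https://prizes.example/claim"),
    ("+15550101", "Your package has arrived. Track it here: https://track.example/p/123"),
    ("+15550102", "Running late, see you at 7?"),
]

# Each rule maps a flag name to a pattern based on the article's warning signs.
# The word lists are illustrative assumptions.
BODY_RULES = {
    "link": re.compile(r"https?://\S+|\bwww\.\S+", re.I),
    "urgency": re.compile(r"\b(urgent|immediately|act now|locked|suspended)\b", re.I),
    "prize": re.compile(r"\b(won|winner|prize|reward|claim)\b", re.I),
    "account_update": re.compile(
        r"\b(log ?in|password|update your (account|login)|verify your account)\b", re.I),
    "shipping": re.compile(r"\b(package|parcel|delivery|track)\b", re.I),
}
SHORT_SENDER = re.compile(r"^\d{3,6}$")  # short numeric senders such as "5000"


def flags_for(sender, body):
    """Return the sorted list of warning signs found in one message."""
    found = {name for name, rx in BODY_RULES.items() if rx.search(body)}
    if SHORT_SENDER.match(sender.strip()):
        found.add("short_sender")
    return sorted(found)


def triage(sender, body):
    """Classify a message as 'suspicious', 'review' or 'ok'.

    A link combined with any lure (urgency, prize, account update, shipping)
    is the pattern the article describes, so that combination is 'suspicious'.
    """
    flags = set(flags_for(sender, body))
    lures = flags - {"link", "short_sender"}
    if "link" in flags and lures:
        return "suspicious"
    return "review" if flags else "ok"


if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(triage(sender, body), flags_for(sender, body), "|", body[:40])
```

Legitimate delivery notices that carry a link will also be marked 'suspicious'; treat the result as a prompt to verify through the sender's official channel, not as a verdict.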