Text messaging is one of the most common features used on mobile phones. There are billions of text messages received around the world each day, and a growing number of these are spam, phishing, or other malicious attacks. Many people assume mobile phones are safe, and don’t realise that malware and phishing attacks are also a concern for mobile devices.
SMiShing (which is a combination of SMS and Phishing) is a form of criminal activity using social engineering techniques. Phishing is the act of attempting to obtain personal information (such as passwords and financial details) by impersonating a trustworthy business in an electronic communication. Short Message Service (SMS) is the technology used for text messages on mobile phones. By combining the two, SMiShing utilises mobile phone text messages to trick people into disclosing their personal or financial information via a link to a false website, or via a fake telephone number.
These days, everyone is accustomed to receiving text messages, and we rarely think about the security risks of clicking on a link in an SMS. Popular Web browsers have built-in phishing protection to alert you to suspicious sites. You can also hover over a link to display the real URL on a PC, however mobile phones aren’t as well equipped to help users avoid malicious text messages.
SMiShing has been around for more than five years, but according to Mary Landesman, senior security researcher at Cloudmark, SMS spam campaigns in the U.S. grew by 400% in the first half of 2012, and about one-third of all SMS spam includes SMiShing attempts.
Types of SMiSh Messages
Did you know that more than 90% of text messages are opened within 15 minutes of being received? This is the main reason so many SMiSh attempts are successful. Criminals prey on this immediate responsiveness. SMiSh messages often have a sense of urgency to get you to act quickly without a second thought. They may be offering you something for free (e.g. “The first 20 responses win a $200 supermarket gift card”) or be advertising an amazing discount that is only available if you “ACT NOW!”. SMiSh messages may also urge you to respond immediately to keep something bad from happening. For example, the message might appear to be from your bank, telling you that your credit has been compromised and you need to verify your account straight away using a web link (which will actually direct you to a phishing website that will steal your banking credentials).
SMishing can be independent (where the scam is solely in message form) or can be used as a sub-set of Vishing (where the message asks you to call a number). FraudWatch International sees a lot of scams involving government taxation departments, where the initial contact is via a spam text message. Instead of receiving a call impersonating the taxation office, the victim will receive an SMS saying something like, “This is the Taxation Refunds Department. You are eligible for a $1,000 refund. Call us on 1300 111 111 to find out more”.
You workplace is at risk too
SMiShing isn't just risky for individuals. With more and more of us using our personal mobile devices at work, corporate data and networks can be affected too. As with phishing, SMiShing can be used to plant malware such as a keystroke logger. Once a smartphone is infiltrated, the criminal can use it to steal data or spread the malware to all of your contacts.
Ways to avoid SMiShing Attacks
Most of us are aware of how to spot a phishing email, however, we are still naïve when it comes to text messages that we receive directly to our phones. The criminals are also conniving enough to make their SMiSh messages appear to be from a trusted source like a friend, or your bank. Web links embedded in text messages are often shortened URLs so you don’t know where they will really lead you. Below are some tips on avoiding being the victim of a SMiShing attack:
- Avoid tapping links within text messages. Be extra cautious if the message appears to come from someone you know, because the SMS ID can be faked.
- DON’T REPLY to text messages that request private or financial information from you.
- If a text message is urging you to act or respond quickly, stop and think about it. Remember that criminals use this as a tactic to get you to do what they want.
- Never reply to a suspicious text message without verifying the source. If your credit card has really been compromised, you should call the number on the back of your card to discuss this matter with your bank.
- Never call a phone number contained in a message from an unknown sender.
- If you are using an Android device, you should consider adding security software to your mobile. Smartphones are essentially small computers loaded with gigabytes of sensitive information that criminals want. You should protect your mobile phone the same way you protect your PC to avoid malware and phishing attacks. Symantec and McAfee are examples of security software providers.
- In some cases check mobile links by taping and holding the link on your smartphone, so that you can see where it is pointing to.
Note: It is important to recognise the distinction between Telemarketing and SMiShing. Whilst telemarketers can be annoying, they are generally not being malicious. By registering your number on the Do Not Call Register (https://www.donotcall.gov.au) you will virtually eliminate any calls that are not scams, because most legitimate telemarketers obey the rules and laws around contacting customers.
SMiShing is likely to become more prominent in the coming years. Mobile phone users need to exercise a healthy dose of suspicion with every message they receive.