Smishing: Text Messages from Scammers

Like most people, you have probably received a text message from a phone number that seemed a little “fishy”. The message may have claimed to be from your bank, asking you to verify your account information, or it may have promised you a gift card if you clicked on a provided link.

Smishing (also referred to as SMSishing and SMS phishing) is a type of cyberattack that uses text messages to mislead people into revealing sensitive information or downloading malicious software. In this blog, we will explore what smishing is, how it works, and most importantly, how to protect yourself from it. We will also provide smishing examples to show you how sneaky these scams can be.

What Is Smishing?

Smishing is a type of phishing cyberattack that targets individuals via text message. The term "smishing" is a combination of short message service (SMS) — or text messaging — and "phishing". Like traditional phishing scams, smishing attempts to trick victims into revealing sensitive information or downloading malware onto their mobile devices.

Smishing messages may be posing as a legitimate source. They may contain urgent language, such as, “your account has been compromised” or “your package is being held at the post office”. Scammers may also use scare tactics, such as threatening legal action or fines if the victim does not comply.

One of the ways scammers get victims' phone numbers is by using public databases or purchasing lists of phone numbers from third-party vendors. They may also use social engineering techniques, such as posing as a survey or contest, to trick individuals into providing their phone numbers.

It is important to note that smishing attacks can occur on any type of mobile device, including smartphones and tablets. Scammers may even use spoofed phone numbers or fake caller IDs to make their messages appear more legitimate. We recently wrote a blog post about a smishing campaign that was spoofing individuals’ own phone numbers, making it appear that they had received a text from themselves.

How Does Smishing Work?

Smishing works by preying on individuals' curiosity, trust, and willingness to help. Bad actors are often well-prepared with scripts that make them seem knowledgeable or legitimate. They may use industry-specific jargon, official-sounding language and even reference personal details to create a sense of familiarity.

Scammers may also use their charisma to manipulate victims. They may play on emotions such as fear, pressure, or excitement to create a sense of urgency or importance. For example, they may claim there is fraudulent activity on the victim's account or they have won a prize and must act quickly to claim it.

Smishing attacks aim to trick individuals into providing personal information, such as account numbers, passwords, or social security numbers. Scammers may also use links to direct victims to fake websites to steal additional information or install malware onto the victims' devices.

It is important to remember that scammers are experts at deception, and they can be compelling. However, there are some red flags to watch out for regarding smishing. These include unsolicited messages from unknown numbers, messages that contain typos or links with incorrect website names, and messages that ask for personal information or payment.

How to Prevent Smishing

Preventing smishing attacks involves being cautious and vigilant when it comes to unsolicited text messages. Here are some steps you can take to protect yourself:

• Be wary of unsolicited messages: If you receive a text message from an unknown or suspicious number, do not click on any links or respond to the message. Scammers often use urgent or threatening language to convince victims to act quickly. Instead, verify the message's legitimacy by contacting the organization directly using a verified phone number or email address.
• Do not provide personal information: Never provide personal information via text message. Legitimate organizations will never ask you to provide personal information via text.
• Do not click on suspicious links: Smishing messages often contain links that direct victims to fake websites or install malware onto their devices. Do not click on a link if you are unsure if it is legitimate. Instead, verify the website's spelling to ensure its authenticity.
• Use anti-malware software: Install anti-malware software on your mobile device to help protect against smishing attacks. This software can detect and remove malware and alert you to potential threats.
• Keep your software up to date: Keep your mobile device software and apps up to date to ensure you have the latest security patches and bug fixes.

How to Report Smishing

If you believe a smishing attack has targeted you, it is essential to report it to the appropriate authorities. Reporting smishing attacks helps protect you from further harm and prevent others from falling victim to the same scam. Here are some steps you can take to report smishing attacks:

• Contact your mobile carrier: Your mobile carrier can help you report the smishing attack and may also be able to block future messages from the same number. Contact your carrier's customer service department and provide them with relevant information, such as the sender's phone number and the text message content. Be sure to save screenshots of the message as evidence.
• Report to the Federal Trade Commission (FTC): The FTC is a government agency that handles fraud and identity theft reports. You can report smishing attacks to the FTC by visiting their website or calling their toll-free number. Again, be sure to save screenshots of the message as evidence.
• Report to the Internet Crime Complaint Center (IC3): The IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). You can report smishing attacks to the IC3 through their website. This organization helps track down and shut down online scams.

Examples of Smishing Attacks

Smishing attacks come in many forms, and scammers constantly develop new tactics to trick unsuspecting victims. Here are some smishing attack examples to look out for:

1. Bank account scams: Scammers send text messages posing as banks and asking recipients to confirm their account information. The attacker may ask for personal information they can use to steal the victim's identity or include a link to a fake banking website.
2. Delivery scams: Scammers may send text messages claiming to be from delivery companies such as FedEx or UPS. The message may say a package is waiting for the recipient, and they need to click a link to provide the delivery information. The link may lead to a fake website resembling the delivery company's site.
3. Prize scams: Other scammers may send text messages claiming the recipient has won a prize, such as a free vacation or a gift card. They may ask for personal information or require the recipient to pay a fee to claim the prize.
4. Job offer scams: Scammers send text messages offering job opportunities, often with promises of high pay and flexible hours. They may ask the victim to provide personal information or pay a fee for training materials or equipment.
5. Invoice or order confirmation scams: These scams involve false confirmation of invoice or order confirmation. The scammers prey on victims' fear of unwanted charges by driving them to click on malicious links.
6. Healthcare scams: These attacks usually stem from health-related initiatives such as Medicare, Medicaid, COVID-19, and others. Attackers usually target victims' fears related to their health or finances.

It is essential to be aware of these and other types of smishing attacks and be vigilant in protecting yourself against them. Remember to never click on links or provide personal information to unsolicited text messages, and always report any suspicious messages to your mobile carrier and the appropriate authorities.

We Are the Experts in Cybersecurity

At Compass IT Compliance, we are experts in cybersecurity, with a focus on helping organizations protect their sensitive data. Our team of certified professionals have spent the past decade assisting organizations in offering security awareness training to educate staff on recognizing and responding to cyber threats such as smishing. If you have concerns about smishing or any other cybersecurity threat, contact us online for assistance.

Do not let cybercriminals compromise your security and reputation. Let Compass IT Compliance help you build a culture of security in your organization and achieve and maintain compliance with federal, state, and industry regulations.