WHO KEEPS TEXTING ME? - Don't Succumb to Smishing

Did you know that billions of text messages are sent each day? It’s become a major forum for communication. While texting can be very convenient for communicating with friends, family, and coworkers, attackers can also use it against you. 

Smishing, also known as “SMS phishing,” is a phishing attack that is received via text or instant messaging. Sometimes these attacks come from unknown numbers, and sometimes they seem to come from a trusted number. Global reports of smishing attacks are surging, increasing by as much as 270% over a year.

Always be on the lookout for manipulation tactics in texts, no matter who they seem to be coming from.  

 

Attacker’s Tactics 

Smishing has become very popular with attackers, since people tend to open text messages more readily than they open unexpected emails. As with phishing, attackers often use emotional manipulation to draw you in.

Here are some examples of manipulative language:

•    Urgency and Fear: “Your account may have been compromised! You need to act quickly by clicking on this link to retrieve your account information.”

•    Familiarity: “Hi. It’s Uncle Leo here. I noticed I don’t follow you on social media! Click here so we can follow each other.”

•    Curiosity: “OMG! I didn’t know you’re in this video!! That’s so cool.”

•    Excitement: “Congratulations, you’ve won a year-long free streaming subscription!”

Using disguised links is the most common way attackers try to get your information via smishing. Clicking these links could lead to a malicious lookalike website or login page … and result in malware, compromised account credentials, loss of money, or exposure of confidential information. Oftentimes, these malicious links are shortened to hide their true destination. Using a tool such as a URL expander is a great way to determine if a shortened link is harmful.

But I Have This Number Saved! 

Don’t assume that because someone has your contact information, they are legitimate. While we tend to guard our phone numbers more closely than other contact details, they can still be easy for attackers to find. These attackers know that smishing attacks can feel more personal than an email attack.  

Technical spoofing tools can allow these attackers to make it seem like their messages are coming from a familiar sender. Always be wary and trust your gut if a message seems off. Criminals can also steal a device, and then send scam messages to the people in the victim’s contact list. So always be cautious, especially when you see manipulative language or an odd link in your messages.

SECURITY TIPS!

1.    Don’t Engage – Do not engage directly with a suspicious or unexpected text message. Even replying “STOP” or clicking on the link to make sure they don’t contact you again is harmful. Responding lets them know you’re a “real person,” setting you up for additional harassment down the road.

2.    Report – Report suspected spam and smishing messages through your device. Trust your gut: If a text seems suspicious, it probably is. Reporting it can help protect against future smishing attacks.

3.    Confirm – If you believe an unexpected message could be safe, take steps to confirm it. Visit a known website or contact the sender via another, trusted communication channel. Don’t reply directly to the text.