Phishing via SMS or text message – also known as smishing – is increasingly posing a threat in the smartphone age. We tell you what you need to know about the topic.
Don’t let the cutesy nomenclature fool you: Smishing is a type of cyberattack that uses misleading SMS messages to trick you into disclosing valuable information, installing malware on your device, or unwillingly providing monetary support to criminal hackers. We tell you what you should know about phishing via text message.
Smishing – Definition
Smishing is an attack method used by criminal hackers that relies on SMS or text messages to deceive their victims. The incoming message is made to appear to come from a trustworthy person or organization. The aim is to obtain sensitive personal data (e.g. online banking credentials) or to compromise mobile devices.
Smishing is a variation of traditional phishing methods tailored to text messages. Criminal hackers also try to exploit the fact that many people are much more careless with their smartphones than with their PCs. Suspicious messages are more likely to be opened on mobile phones and mobile devices are often not secured to the same extent as, for example, company computers.
Smishing vs. Phishing vs. Vishing
Traditional phishing has plagued Internet users since the 1990s. Smishing, on the other hand, is a phenomenon of the late 2000s. The term is a combination of SMS and phishing, although it also generally refers to fraud attempts initiated via messenger services (such as iMessage or WeChat) that are not based on the Short Message Service protocol. Smishing is a worthwhile attack vector for cybercriminals, especially since smartphones have become ubiquitous.
Vishing is likewise a variant of phishing, but this attack method is based on voice calls rather than messages.
Smishing attacks – examples
In practice, smishing attacks can be classified into three categories, which differ according to the attackers' objective:
1. Attempts to obtain access data
Smishing attacks can aim to obtain login details for online accounts. Online banking access is particularly of interest to criminal hackers. Paradoxically, cybercriminals regularly try to profit from the fear of being hacked: they send SMS or text messages that supposedly come from the victim’s bank.
This procedure is also known as “bank smishing”. These messages “warn” their recipients of large debits or unknown payees and provide a phone number or link to prevent potentially unauthorized access to the bank account. The link usually leads to a fake website, the phone number directly to the cybercriminal – in both cases the aim is to get the victims to reveal their usernames and passwords in order to then plunder their accounts.
Bank smishing is successful for a variety of reasons: Some financial institutions actually send SMS or text messages warning of suspicious account activity. You can usually identify genuine messages of this type because they contain information known to the financial institution (for example, the last four digits of your credit card or account number). However, you should be suspicious of direct links and vague references to “Your Account”. If you are unsure about the authenticity of the message: Log into your account normally via browser or app, and under no circumstances click on a link in an SMS or text message.
Another reason for the good success rate of bank smishing attacks lies in the concealment tactics used by cybercriminals: the sender’s telephone number or sender ID can be hidden or forged, sometimes with relatively simple means, for example by sending the message from a computer. If the smartphone then files such a message in the existing conversation thread of the legitimate sender, the likelihood of the smishing attack succeeding increases many times over.
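As an added illustration (not from the original article), the following Python snippet turns the bank-smishing indicators described above into a simple triage heuristic: a direct link, a request to call a number, a vague “your account” reference with no account-specific detail such as the last four digits, and urgency language. The three sample messages are constructed for this example.

```python
import re

# Indicators taken from the article's description of bank smishing.
URL_RE = re.compile(r"(https?://\S+|\b[a-z0-9-]+\.[a-z]{2,}(?:/\S*)?)", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")          # callback number
LAST4_RE = re.compile(r"(ending in|last four|\*{2,}|x{2,})\s*\d{4}", re.I)
GENERIC_RE = re.compile(r"\byour (account|card)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(unauthori[sz]ed|suspend\w*|locked|verify now|immediately|urgent)\b", re.I)

# Constructed sample messages (not real SMS traffic).
SAMPLE_MESSAGES = [
    "Alert from Example Bank: a payment of $250.00 was made with your card "
    "ending in 4421. Reply STOP to opt out.",
    "Your Account has been locked due to unauthorized access. "
    "Verify now at http://secure-login-example.test/verify",
    "Suspicious activity on your account. Call 0800 123 4567 immediately "
    "to prevent unauthorised access.",
]


def score_sms(text: str) -> dict:
    """Score one message against the smishing indicators and explain why."""
    reasons, score = [], 0
    if URL_RE.search(text):
        reasons.append("contains a direct link")
        score += 3
    if PHONE_RE.search(text):
        reasons.append("asks you to call a number")
        score += 2
    # A genuine bank alert normally cites a detail the bank knows (last 4 digits).
    if GENERIC_RE.search(text) and not LAST4_RE.search(text):
        reasons.append("vague 'your account' with no account-specific detail")
        score += 2
    if URGENCY_RE.search(text):
        reasons.append("urgency language")
        score += 1
    verdict = "likely smishing" if score >= 4 else "low risk"
    return {"score": score, "reasons": reasons, "verdict": verdict}


def triage_all(messages=SAMPLE_MESSAGES) -> list:
    """Return the verdict for every message; print a short report when run directly."""
    return [score_sms(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage_all()):
        print(f"{result['verdict']:16} ({result['score']}) {msg[:50]}... {result['reasons']}")
```

The thresholds are illustrative; the point is that the presence of a link or callback number combined with a generic reference is exactly the pattern the article says to distrust, while the legitimate alert scores zero because it names the card ending.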
2. Attempts to distribute malware
This type of smishing is based on classic email phishing – but adapts techniques that are specifically tailored to mobile users and devices. Some time ago, for example, a smishing attack was rampant in the Czech Republic that attempted to trick its victims into installing an app – supposedly from the Czech Post. In fact, it was a Trojan that was supposed to grab credit card information and compromise other app credentials.
Smishing attacks with the aim of spreading malware are less common because the security precautions on smartphones – especially in the case of Apple’s iOS – now make it relatively difficult to install unsigned or unverified apps. However, there is still the possibility of app sideloading, especially with Android devices – the only thing that helps here is a healthy distrust if you are asked to install an app via SMS or text message.
3. Attempts to extract money
This type of smishing attack is less the domain of technically skilled cybercriminals and more that of clumsy con artists. Such attempts nevertheless pose a risk, especially for people who are less tech-savvy. In one case, a victim was contacted by fraudsters posing as personal acquaintances (the names were most likely gathered via social media) and offered a sum of money in the form of a government grant. In reality, it was a classic advance-fee scam: the victim was asked to pay a fee of a few hundred dollars before the money could supposedly be withdrawn.
Prevent phishing via SMS
A (timeless) study by Gartner concludes that 98 percent of all text and SMS messages are read and 45 percent receive a reply. Because many users are now aware of the danger of spam emails, text messages are increasingly becoming an attractive attack vector for criminal hackers who want to benefit from the higher level of trust placed in smartphone communication.
Although smishing is not ubiquitous, it is becoming a common phenomenon, including in the corporate environment. According to the current “State of the Phish” report from security provider Proofpoint, 75 percent of all companies were affected by phishing attacks via SMS in 2023. A useful way for companies to make their employees aware of the dangers of smishing is through smishing simulations. Security managers would be well advised to include smishing tactics alongside phishing and vishing in their security awareness initiatives, if only to test which users are particularly vulnerable to this type of attack.
