Smishing is another form of Social Engineering.
Social engineering is:
“The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.”
-NIST SP 800-63
When you receive texts which look like this:
Or maybe you’ve received something like this:
But you haven’t recently ordered anything… Or, maybe you’re not expecting a package. It’s probably Smishing, or ‘SMiShing’ formally (combination of ‘SMS’ and ‘Phishing’.)
Explicitly, smishing is a specific type of social engineering which uses convincing looking text messages aimed at tricking people into clicking on links.
Specifically, clicking on a link in a Smishing message could download malware onto your mobile device which can affect your phones performance, or worse, gain access to your sensitive information like photos, usernames and passwords, banking info, text messages… anything really.
Smishing texts will not always concern package delivery, just to be clear.
Sometimes, a smishing message will let you know you just won something! And you need to visit a link to “claim your prize!”
Our advice: you didn’t win anything. Don’t click on the link.
Why target people via text messaging (Smishing)?
Generally, you’re more likely to open a text from an unknown sender than an email.
A recent article suggests open rates for text messages is around 98%. While email open rates from unknown senders staggers behind at only 20%
In particular, it just comes down to probability. Since you’re more likely to open up a text than an email, an internet scammer is going to use probability in their favor. This is why Smishing is on the rise.
Social Engineering and Current Events
As COVID-19 rips across the globe, targeted Smishing messages continue to hurt new victims.
Additionally, fake texts notifying people that “someone they know has tested positive for the virus” and to “visit this link to learn more” are built to play on current events and invoke an impulse to click on the link and learn who’s been infected.
Similarly, other scams include fake texts from The Red-Cross promising free face masks.
See how this message is crafted to invoke a quick impulsive reaction?
It’s just wrong. There are people out there who will fall for these scams. Indeed, it shows there is truly no sacred ground when it comes cyber security attacks. Everyone is a target.
How do I defend against Smishing and other forms of Social Engineering like Phishing?
- Know the signs:
- Urgency in message
- Unrecognized Sender
- Message contains links
- Don’t click on links!!! Please don’t click on links you think are spam. Pretty please.
- In particular, never enter personal information if you’re not 100% sure a message is legitimate.
- Immediately delete smishing/phishing messages.
- Finally, block the suspected smishing number or email.
Moreover, if you’re a victim of a Smishing scam (or Phishing scam), report it to the FBI’s Internet Crime Complaint Center (IC3)!
Really, you can do this! And it helps everyone!
All in all, we should always be suspicious of messages asking us to do things like send money, enter information, or open links if we don’t know who they’re from.
Ultimately, it never hurts to err on the side of caution if we have even the slightest feeling we might be getting scammed. Trust your gut.
Be safe out there friends.