By Miguel Angulo, Channel Engineer and Evangelist, Check Point Software.
Have you ever received a text message from someone you don't know, asking if you're interested in winning a free iPad? Or maybe your streaming account is locked, and they say that they can help you unlock it for a small fee? If so, then you've been SMiShed. To celebrate the final day of Cyber Security Awareness Month, I would like to provide as much insight about smishing as possible…
Phishing is the dominant delivery method that cyber criminals use to deliver malware and steal sensitive information. The strategy has been adapted for mobile attacks, and it's known as smishing.
In 2021, the number of mobile devices hit 15 billion worldwide and it is expected to reach 18 billion by 2025. The volume of mobile devices connected to the internet provides hackers with opportunities to target people with phishing attacks over text/SMS messages, also known as smishing.
In smishing attacks, cyber criminals send fraudulent text messages and make them look like they are coming from a legitimate source to get you to click on a link or attachment that will infect your device with malware or take you to a fake website, where they will collect your personal information.
Cyber criminals have many tools at their disposal with which to send fraudulent text messages. One of these tools is called Robotext. With this tool, cyber criminals can spoof their text messages to make them look like they are coming from a local number, helping them to gain a victim’s trust. More than 87 billion spam text messages were sent to U.S. users in 2021, exceeding spam robocalls by more than 15 billion, according to the latest RoboKiller report. The same report states that smishing attacks are costly for victims, as cyber criminals have stolen more than $10 billion through them.
Most common text scams
Now that you know what smishing is and how much it costs the U.S. economy, let’s take a look at the most common text message scams:
Delivery: Cyber criminals send a malicious text/SMS message to you (the victim) pretending to be an Amazon, FedEx, DHL or a U.S. Postal Service
Health (COVID-19): Cyber criminals took advantage of the pandemic outbreak to send malicious text/SMS messages offering
Bank: Cyber criminals send deceptive text/SMS messages to
Online purchases: Cyber criminals may send fraudulent SMS messages offering the latest products at a very low price, for a very limited time. The cyber criminal makes you believe that the “too good to be true” promotion comes from a well-known online retailer, like Best Buy or Amazon.
Anatomy of a smishing message
How do you recognize that a fraudulent text/SMS message is smishing? Cyber criminals use techniques similar to the ones they use in phishing, such as urgency, FOMO or authority. Generally speaking, do not respond to or engage with text/SMS messages that look suspicious, such as those that ask for your personal information, or offer you a “too good to be true” product or service.
Here are the warning signs:
- Be aware of panic signals.
- Sentences written with a sense of urgency and fear.
- Sentences with misleading information and misspellings that help them avoid blocking and filtering tools.
- “Too good to be true” messages.
- Mysterious links or shortened links. The only purpose of these links is to collect your credentials, financial or personal information.
- The use of well-known brand names to build trust and credibility.
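For teams that triage reported messages, four of the warning signs above (urgency, “too good to be true” offers, shortened links, and brand names paired with a link) can be checked mechanically. The Python sketch below is an added example, not part of the original article; the word lists, the shortener list, the brand-to-domain map and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed, illustrative lists; tune them against messages reported in your environment.
URGENCY = ("urgent", "immediately", "locked", "suspended", "final notice", "act now")
LURES = ("free", "winner", "won", "prize", "gift card")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Brand name -> domains the brand is assumed to link to (constructed map).
BRANDS = {"amazon": {"amazon.com"}, "fedex": {"fedex.com"},
          "dhl": {"dhl.com"}, "best buy": {"bestbuy.com"}}
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def link_hosts(text):
    """Return the lowercase hostname of every link-like token in the message."""
    hosts = []
    for token in URL_RE.findall(text):
        url = token if "://" in token else "http://" + token
        host = (urlparse(url).hostname or "").lower()
        hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts

def on_domain(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def warning_signs(text):
    """Return the sorted warning signs found in one SMS body."""
    low, hosts, signs = text.lower(), link_hosts(text), set()
    if any(phrase in low for phrase in URGENCY):
        signs.add("urgency")
    if any(re.search(rf"\b{re.escape(word)}\b", low) for word in LURES):
        signs.add("too_good_to_be_true")
    if any(host in SHORTENERS for host in hosts):
        signs.add("shortened_link")
    for brand, domains in BRANDS.items():
        # A brand is named, but a link points somewhere the brand does not own.
        if brand in low and any(
                not any(on_domain(h, d) for d in domains) for h in hosts):
            signs.add("brand_link_mismatch")
    return sorted(signs)

# Constructed sample messages; .example hosts are placeholders, not real senders.
SAMPLES = [
    "FedEx: your package is on hold. Confirm delivery immediately at http://fedex-track.example/confirm",
    "You are a winner! Claim your free iPad: bit.ly/xyz123",
    "Your Amazon order has shipped. Track it at https://www.amazon.com/orders",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(warning_signs(sms), "<-", sms)
```

An empty result only means none of these four checks fired; misspellings and brands missing from the map are not covered.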
Protecting from smishing
Below are tips that you can use to protect yourself from smishing attacks:
- DO NOT trust messages asking for personal information.
- DO NOT respond to suspicious text messages.
- DO NOT click on any unknown links.
- DO NOT provide any information from a text or a website.
- DELETE all suspicious TEXT messages.
- BE AWARE of similar practices happening on other platforms, such as WhatsApp, Facebook Messenger, Telegram, Instagram or TikTok.
- HANDLE SMS messages with the same level of security that you would use to handle your emails.
- REMEMBER: Think before you click!
Lastly, keep the operating system of all your mobile devices updated and also install anti-virus software that can help you stay protected from zero-day malware, phishing, smishing and account takeovers.