To the unsuspecting person, it can seem like an innocent request. But these texts are asking to click on some random link to “verify” their details - including bank account numbers and other sensitive data –delivering this information to online hackers and cyber criminals.
Learn how to identify smishing scams to protect yourself and others.
Evade smishing scams like a boss
In the age of smartphones, smishing (SMS phishing) scams are becoming more common. They take the form of a text message from your bank or internet provider and pretend to be offering help and advice. Unsuspecting people may click on the link in the message, only to find that they have just given the hacker unrestricted access to their device and other sensitive information.
Is smishing related to phishing?
"Smishing" is an abbreviation for "SMS phishing." It is a type of phishing where the victim receives a text message from a criminal pretending to be a bank or other institution. This type of fraud message usually asks for personal information or requests that the victim visits a website where they are asked to input their personal details.
How smishing takes advantage of victims
Figures from the ACCC's Scamwatch shows that smishing scams have increased by more than 27% (2021 vs partial 2023). Attackers often target mobile devices because it is much easier for them to get a user to click a link on their phone than it is from a desktop computer.
Attackers use smishing because they have found that this tactic works well for them. Gartner reports that users read 98% of text messages and respond to 45%. This makes text very logical for hackers to use as an attack vector, especially when, as reported by Gartner, only 6% of emails receive responses.
Top smishing attacks to be aware of
Anecdotally, there has been a huge spike in the success rate of these types of attacks. They can occur when scammers send text messages to unsuspecting mobile phone owners with links to fake websites which can infect their devices.
Here are some smishing attacks that you should be aware of.
Smishing through customer support
As companies continue to grow, they often rely on more third-party application providers. Since some of these applications are cloud-based, companies need to have a good customer relations team.
One of the most common problems we see in practice is businesses receiving complaints from customers about their financial information being stolen and used by criminals to make purchases or transactions. The trend recently is that scammers will compromise an existing customer relationship, and then call up your company's customer service department asking them to reset access credentials for various accounts.
Financial service smishing
Financial service smishing is a form of phishing that uses text messages to trick users into revealing personal information, such as credit card numbers and bank account details. If they click on the link in the text message or make the call, however, they are connected to fraudulent automated voice response systems where they are asked for personal identification numbers (PIN), passwords, their Tax File Number and/or date of birth to "unlock" their account.
Smishing is becoming more prevalent during the COVID pandemic because attackers know that people will be on edge about pending charges related to their bank accounts, and this could potentially cause them to unknowingly follow a link or give out personal information to avoid losing assets.
The attackers exploit the user's emotional well-being and keep on sending SMS messages that can easily trick an unsuspecting user.
Prize or gift card smishing
Prize or gift card smishing is an attempt to trick users into sharing personal information through the use of phishing text messages that appear to be legitimate prize or gift card giveaways. Many times, these incidents go unreported because no financial loss occurs directly as a result of the scam. However, users need to know how to identify and handle such scams so they are not tricked in the future.
Stop smishing in its tracks
Follow these tips to avoid smishing attacks:
Think before clicking on links: Never click on links sent by text messages or emails, especially if they ask for your personal information. Scammers can send you any message they want and make it look like it has come from a trusted source. Always remember that the only way to prevent smishing is to think before you click.
Don't download suspicious apps on your phone: Never download an application that seems suspicious or doesn't immediately tell you what it's for. If there are any words in the title that are misspelled, unclear or have unclear meaning, don't download them. Those are red flags for malicious apps.
Opting not to use SMS password recovery options: SMS password recovery is a commonly used tool that allows users to reset or recover their passwords by receiving an SMS text message on their phone. Oftentimes this option is available when one has forgotten the password they used to sign up for an account with a service, often providing instant access back into the user's account. However, if scammers can gain access to your phone number, they can also use SMS password recovery tools as a means of hijacking your accounts.
Using multi-factor authentication (MFA): Multi-factor authentication, in which users must provide more than one piece of information to confirm their identity, is used by many companies today. This can prevent smishing attacks that rely on tricking people into entering login credentials into illegitimate sites masquerading as trusted services. One example of multi-factor authentication is when a user enters their password and receives an automatic push notification asking them to approve the login attempt before the login succeeds.
What if you’ve been smished?
The best way to protect yourself from smishing is by being aware of the techniques that a scammer might use and making sure you don't fall prey to them. The more steps you take to keep your personal information secure, the less likely you'll be tricked into giving up access to your financial accounts or sensitive data.
Here are a few ways every user can avoid falling victim to smishing.
Report it to authorities
Report the scam. If you’ve fallen victim to a smishing attack or received a smish, report it to ACCC’s Scamwatch so that they are aware of the trend and can keep an eye out for future scams.
Change your passwords
Change your passwords as soon as possible if account information was compromised. This way an attacker can't continue to access your accounts.
Don'tlet smishing affect your job
Employee education is key to preventing smishing. The more employees know, the better they can protect themselves and their company from smishing attacks. Training enables employees to avoid falling victim to these attacks in the first place.
The dangers of smishing and the lack of awareness that most people have about it, is a serious issue. With proper education and awareness, we can avoid becoming victims of these scams.
Protect yourself and your employees and request a demo of Phriendly Phishing’s smishing and cyber security training today.