SMISHING: WHEN SCAMMERS USE SMS MESSAGES TO STEAL YOUR DATA
Mobile is the new frontier for cybercrime. A mobile user is 18x more likely to be exposed to a phishing attempt than malware: when people are on their phones, they are less wary. Many assume that their smartphones are more secure than computers. However, less scrutinized channels like SMS, Skype, WhatsApp, games and social media are being leveraged at scale to distribute phishing links in places users do not expect.
In fact, a huge 48% of phishing attacks are on mobile according to Cloudmark and the number of mobile phishing attacks is doubling every year. Mobile phishing is so rife that a new type of attack is launched once every 20 seconds. That’s more than 4,000 new mobile phishing attacks per day and that’s not taking into account the millions of existing phishing pages. [1]
Let’s have a look at smishing, a phishing cybersecurity attack carried out over mobile text messaging, also known as SMS phishing.
What is Smishing?
As the definition of smishing suggests, the term combines “SMS” (short message service, better known as texting) and “phishing.” Smishing is a type of social engineering attack: it relies on exploiting human trust rather than technical exploits.
When cybercriminals “phish,” they send fraudulent emails that seek to trick the recipient into clicking on a malicious link. Smishing simply uses text messages instead of email. [2]
The objective, as always with phishing, is to gain access to users’ personal information and sensitive data, which can then be used to commit fraud or other cybercrimes, including compromising accounts, systems and other personal or organisational IT resources.
Typically, this means stealing money. Smishing text messages therefore often purport to be from your bank, asking you for personal or financial information such as an account number or PIN.
However, keep in mind that although each smishing attack uses similar methods, its presentation may vary significantly. For example, cyber attackers have taken advantage of the Covid-19 pandemic to target susceptible victims, by sending text messages using information and buzzwords specific to the virus (fake updates about the Coronavirus situation in their location, charity donations, etc.).
How to prevent Smishing
The good news is that prevention is possible through knowledge and awareness. How do you keep yourself safe? By doing nothing at all: simply refuse to engage. In essence, cyber attacks including smishing can only do damage if you take the bait.
Keep the following things in mind to help you protect yourself against smishing.
- Beware of text messages pressing you to answer and share your data quickly. Slow down if a message is urgent. Remain skeptical and cautious.
- Beware of text messages containing any of these words: Account, Secur*, Verif*, Com-, Update, Support, Service, Login, Auth*, Confirm. These are the top 10 keywords used for mobile phishing. [3]
- Do not respond. Even prompts to reply like texting “STOP” to unsubscribe can be a trick to identify active phone numbers.
- Call your bank or merchant directly if doubtful. Remember, any urgent notices can be verified directly on your online accounts or via an official phone helpline.
- Avoid using any links or contact info in the message, especially in messages that make you uncomfortable. Go directly to official contact channels when you can.
- Check the phone number. Odd-looking phone numbers can be evidence of email-to-text services. Scammers use many tactics to mask their true phone number.
- Opt to never keep any of your bank account or payment tools information on your phone.
- Use multi-factor authentication (MFA). An exposed password may still be useless to a smishing attacker if the account being breached requires a second “key” for verification. MFA’s most common variant is two-factor authentication (2FA), which often uses a text message verification code. MyBank also uses multi-factor authentication to protect your payments.
- Never provide a password or account recovery code via text. Both passwords and text message two-factor authentication (2FA) recovery codes can compromise your account in the wrong hands. Never give this information to anyone, and only use it on official sites.
- Use an anti-malware app and VPN services.
- Report all SMS phishing attempts to designated authorities and spread the word to help others avoid falling victim.
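The keyword list above lends itself to a simple first-pass filter. The following Python scorer is an added example, not code from this article or from any named vendor: it treats the page's ten keywords as case-insensitive word or prefix patterns, adds constructed checks for the urgency, reply-STOP and embedded-link cues the list describes, and runs them over constructed sample messages. The urgency word list, the threshold and the sample texts are assumptions.

```python
import re

# The article's top-10 mobile-phishing keywords, copied as written; a trailing
# "*" or "-" marks a prefix (Secur* covers "secure", "security", ...).
TOP_KEYWORDS = ["Account", "Secur*", "Verif*", "Com-", "Update",
                "Support", "Service", "Login", "Auth*", "Confirm"]

# Constructed cues for the other warning signs the article lists: time
# pressure, "reply STOP" bait, and links or contact details in the message.
URGENCY = re.compile(r"\b(immediately|urgent|within \d+ hours?|suspended|locked)\b", re.I)
STOP_PROMPT = re.compile(r"\b(reply|text)\s+stop\b", re.I)
LINK = re.compile(r"https?://\S+|\b[\w.-]+\.[a-z]{2,}/\S*", re.I)

def keyword_regex(words):
    """Turn the keyword list into one regex; prefixes get a wildcard tail."""
    parts = []
    for w in words:
        if w[-1] in "*-":
            parts.append(r"\b" + re.escape(w[:-1]) + r"\w*")
        else:
            parts.append(r"\b" + re.escape(w) + r"\b")
    return re.compile("|".join(parts), re.I)

KEYWORDS = keyword_regex(TOP_KEYWORDS)

def score_sms(text):
    """Return (score, reasons): one point per distinct keyword, one per cue."""
    hits = sorted({m.group(0).lower() for m in KEYWORDS.finditer(text)})
    reasons = ["keyword:" + h for h in hits]
    for name, pattern in (("urgency", URGENCY), ("reply-stop", STOP_PROMPT),
                          ("link", LINK)):
        if pattern.search(text):
            reasons.append(name)
    return len(reasons), reasons

def is_suspicious(text, threshold=2):
    return score_sms(text)[0] >= threshold

# Constructed sample messages, not real smishing texts.
SAMPLES = [
    "MyBank: your account has been suspended. Verify your login "
    "immediately at http://mybank-secure.example/verify",
    "Parcel held. Confirm delivery details: mybank-service.example/confirm",
    "Hi, are we still on for lunch at 1pm tomorrow?",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        score, reasons = score_sms(sms)
        print(f"{score:>2} {'FLAG' if is_suspicious(sms) else 'ok  '} {reasons}")
```

A lone "reply STOP" prompt scores only one point here, so anything built on this should treat such messages as worth a second look rather than safe.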
Always keep in mind: neither your bank nor MyBank will ever ask you for any bank account-related information, such as an account number, PIN or other credentials, via an SMS message.
[1] https://www.wandera.com/mobile-phishing-report/
[2] https://www.kaspersky.com/resource-center/threats/what-is-smishing-and-how-to-defend-against-it
14 Oct 2021