Smishing, short for SMS phishing, is any form of phishing carried out via text (SMS) message.
Phishing is the fraudulent attempt to obtain sensitive information by posing as a trustworthy entity in electronic communication. The most well-known form of phishing is carried out via email.
Smishing is a security attack in which the user is tricked into downloading a Trojan horse, virus or other malware onto a smartphone or another mobile device. People can also be tricked into giving private information through the same method.
Why is smishing becoming more common?
The increase in alternative forms of electronic communication, such as texting and messaging apps, has provided a new platform for smishing.
There is now a huge number of mobile devices to target, and data breaches that include mobile phone numbers provide an easy inroad for attackers. For example, Uber was breached in 2016: the names, email addresses and mobile phone numbers of 57 million users around the world were downloaded by a third party.
While email filters are becoming more sophisticated at spotting phishing attacks, it is more difficult to distinguish between a genuine and fake text message.
Text messages tend to elicit a greater response and sense of urgency than emails. People are also more trusting of a text message than an email, even though attackers can easily disguise fake messages.
There has also been an increase in the number of workers using their own personal devices to access work email and other sensitive documents, which means attackers can gain access to corporate resources much more easily.
Users are advised to be as aware of security for mobile devices as they are for desktop computers.
How does smishing work?
Smishing is often carried out by sending a text message containing a short lure and a link to a website. Users who follow the link are prompted either to download a program that lets attackers take control of the phone, or to submit personal information.
Smishing uses elements of social engineering to get people to share personal information. The messages often exploit a person's trust or fear in order to obtain it. For example, the message may say that if you don't click a link and enter your details, you will be charged per day for use of a service.
Perpetrators may be looking for anything from online passwords to social security numbers or credit card information. Even if you don’t enter any information, attackers can still collect personal data from your device by installing cookies on your phone that track your behaviour.
Argos smishing scam
A recent smishing scam involving Argos has taken place this year. People have been receiving fake Argos text messages saying they have a package waiting, including a link or a fake refund message for £160 on an Argos card.
The message looks like it has been sent by Argos, so tricks you into clicking on the URL to find out what’s waiting or to enter bank details for a refund.
This scam has been particularly dangerous because, if you have ever ordered anything from Argos, the fake message will appear in the same message thread as the genuine ones. Scammers are able to make messages appear in real threads via a process called number spoofing, in which the sender ID is forged so that the phone files the message under the brand's existing conversation.
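The indicators described in the two sections above (a link that does not belong to the brand named in the message, an urgency or refund lure, a sum of money, and a sender ID that number spoofing can forge) can be checked mechanically, which is how a mail gateway or a mobile security tool would triage incoming SMS. The following is an added example, not code from the original article or from any company named in it; the brand allow-list, the threshold and the sample messages are constructed for illustration, and the domains ending in .example are placeholders.

```python
import re

# Constructed allow-list for this example: brand -> domains that brand is known to link to.
# The entries are assumptions for illustration, not the retailer's published infrastructure.
BRAND_DOMAINS = {"argos": {"argos.co.uk", "www.argos.co.uk"}}

URL_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:/\S*)?", re.I)
LURE_RE = re.compile(r"package waiting|refund|charged|per day|suspended|verify|urgent|claim", re.I)
MONEY_RE = re.compile(r"[£$€]\s?\d+(?:\.\d{2})?")
FLAG_THRESHOLD = 3   # assumed cut-off: scores at or above this are flagged for review

def link_hosts(text):
    """Hostnames of every URL or bare domain in the message, lower-cased."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]

def score_message(sender, text):
    """Return (score, reasons) for one SMS; higher means more smishing indicators present."""
    score, reasons = 0, []
    haystack = text.lower() + " " + sender.lower()
    brand = next((b for b in BRAND_DOMAINS if b in haystack), None)
    hosts = link_hosts(text)
    # Strongest signal: a brand is named (in the text or the sender ID) but the link
    # points somewhere the brand does not own, including look-alikes such as argos.co.uk.evil.example
    foreign = [h for h in hosts if brand and h not in BRAND_DOMAINS[brand]]
    if foreign:
        score += 3; reasons.append(f"{brand} named but link goes to {foreign[0]}")
    elif hosts and not brand:
        score += 1; reasons.append(f"contains link to {hosts[0]}")
    lures = {m.group(0).lower() for m in LURE_RE.finditer(text)}
    if lures:
        score += 1; reasons.append("urgency/fear lure: " + ", ".join(sorted(lures)))
    if MONEY_RE.search(text):
        score += 1; reasons.append("mentions a sum of money")
    if sender.isalpha():   # alphanumeric sender IDs carry no authentication and can be spoofed
        score += 1; reasons.append(f"sender ID '{sender}' is not a verified identity")
    return score, reasons

def is_flagged(sender, text):
    return score_message(sender, text)[0] >= FLAG_THRESHOLD

# Constructed sample messages (sender, text); none are real captures.
SAMPLES = [
    ("Argos", "Argos: you have a package waiting. Confirm delivery at https://argos-parcel.example/track"),
    ("Argos", "A refund of £160 has been issued to your Argos card. Claim it at http://argos.co.uk.refund-centre.example"),
    ("Argos", "Your Argos order is ready to collect. Track at https://www.argos.co.uk/account"),
    ("+447700900123", "Running late, see you at the station in 10 mins"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        score, reasons = score_message(sender, text)
        print(f"{'FLAG' if score >= FLAG_THRESHOLD else 'ok  '} {score} {sender}: {'; '.join(reasons)}")
```

The genuine-looking third message scores low because its link resolves to an allow-listed domain; the sender ID alone never pushes a message over the threshold, which matches the point that the thread a message lands in is not evidence of who sent it.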
In response to the Argos text scam, CEO and founder of Cyber Risk Aware Stephen Burke said: “There has been a huge rise in smishing as a route to phishing and this proves it. This new technique means that people are not used to being targeted in this way and think because it is a phone rather than a computer that they are somehow more protected. This is untrue; phones are computers and cybercriminals want to gain access to the device if they can, as well as their data, bank accounts and money.
“The issue here reinforces that people will blindly click on links if they believe it has come from a trusted resource. People are trusting, and criminals take advantage of this by preying on their emotions and having massive success, mainly due to people not querying messages. It’s important that they stop and think before clicking.
“To overcome this, companies must help employees raise awareness of this ever-increasing threat so they can measure how susceptible their staff are to falling victim to these attacks. This then enables them to pinpoint who needs security awareness training and as a result, employees can become a highly effective network of human sensors who will protect themselves both in and out of the workplace.”