SMS phishing, or smishing as it’s become known, has been hitting the headlines over the last few years, and we are seeing a variety of techniques being used in an effort to obtain people’s valuable information. But what is smishing, how has it been done in the past and how do you ensure you don’t get caught out? Let’s take a look.
Firstly, what is smishing?
As with phishing, attackers impersonate trusted people or organisations in an attempt to gather personal information or get victims to click on a malicious link. However, instead of using email, these attacks are conducted via text message.
Email filters are becoming more sophisticated at spotting this kind of attack and scammers are seemingly moving to smishing as an alternative. The benefit of smishing, from an attacker’s point of view, is that there is no way to tell that a spoofed text is not genuine, and text messages often create a sense of fear and urgency that emails don’t.
Hackers can send these messages from publicly available services and can make texts appear as though they come from any number. Your parents, your friends, your boss: it can be anyone. If the number is already in your contact book, the message will even appear as part of your existing text conversation, making it even more convincing that it has come from that person.
But it doesn’t have to be a person. Scammers can spoof text messages from organisations, saying that there has been suspicious activity on your account in an effort to get you to call a number and give away your personal details.
Examples of smishing
Texts from banks appear to be the current trend for this type of scammer and in 2017 three Santander customers lost a total of £36,300 after responding to a smishing attack. The problem was that they had freely given their details away and the bank refused to refund the money.
Whether the attack was targeted at specific bank customers or purely guesswork we’ll never know. All we do know is that your bank account details are a prized target and people need to be on the lookout for such messages.
But it’s not just banks. Attackers have also impersonated stores such as Argos, Asda, Tesco and M&S, offering people money-off vouchers via WhatsApp and sending customers messages about potential refunds they may be entitled to. Free holidays, Apple IDs expiring, you name it: scammers will try any means possible to get your all-important information.
Don’t become a victim
As we mentioned, there is no way to tell if a text message is spoofed or not. So, how can you stop yourself from becoming a victim?
- Question everything
The majority of texts you receive will be from people you know and will be legitimate. However, it’s good to question everything. Is the text unusual in terms of the language used? Is the spelling and grammar of a poor standard? Are you being contacted out of the blue? Is the text trying to get you to click on a link?
You need to err on the side of caution.
- Don’t click or call, contact the real person or company to check
If a text seems suspicious, you can always check with the person or organisation to verify that the message was legitimate. To do this, you can ring friends or family using their known number, message them via a different method to double-check they meant to send you something, or call the company involved using the official number on its website.
Attackers often play on fear and many messages will seem legitimate. If you are worried by a message, then this is the way to ensure you’re not caught out.
If a message asks you to update a password and you’re concerned, don’t do it via the link or the number provided. Go to the legitimate website on a separate device and change your information there.
- Inform the authorities
If you have received a phishing message you should always report it to Action Fraud, the National Fraud and Cyber Crime Reporting Centre. If you have acted on a message and have had money taken, you need to report this as a crime immediately. Again, Action Fraud is your first port of call.
Improving your security with Secarma
At Secarma our aim is to improve your security mindset, whether that be through our blogs or through the testing we conduct for our clients. Everybody needs to be responsible for security, both on a personal level and an organisational level, ensuring that the necessary steps are taken to safeguard your all-important information.