What is SMS Phishing/Smishing?
SMS phishing – also called smishing – is, as the name suggests, a variation of classic phishing that relies on SMS messages instead of the classic email.
There are several reasons for the use and growing popularity of smishing attacks.
On the one hand, there is a psychological factor based on a general trust regarding SMS messages. The majority of people are now well aware of the dangers of spam and phishing emails and also look critically at unknown emails more often.
Our cell phones and smartphones, on the other hand, are private devices that we generally trust more, so unawareness of such dangers plays an enormous role here.
For these and other reasons, such as the general flood of spam emails, only about 20% of all emails are read and only 3% are replied to. With SMS messages, however, the situation is quite different: a full 98% of all messages are read and 45% are replied to.
The chances of criminals getting their scam messages noticed are therefore significantly higher than with classic phishing. In addition to the psychological factor, the technical side is also a clear success factor. Smartphones are often much less well protected than computers at work, for example, and are therefore more susceptible to dangerous malware.
Smishing dangers and targets
Just like classic phishing, smishing also has clear goals for the perpetrators. These coincide with those of classic phishing and can generally be divided into three major areas:
Smishing data theft
Smishing attacks often have the goal of capturing login data for online accounts. Particularly popular with criminal hackers are classically online banking login information. They even benefit from messages from the “real” banks, which often send warnings in the form of an SMS notification when there is unusual account activity.
This form of smishing is so popular that it has even been given its own name – “bank smishing.” The possibilities of modern technology are often underestimated here as well: for example, it is possible to disguise or forge the sender of an SMS. Messages are sent from a computer and then automatically assigned to a legitimate sender number on the victim’s smartphone. So the rule is never to share your account information. It is private and no one else’s business. There is no reason why a legitimate company would ask its customers for credentials.
Spreading malware through smishing
Getting the victim to download an infected file is the classic goal of phishing, but it is also not unknown in smishing, although it is used less frequently. An incident in the Czech Republic showed that this method can still be promising. Thousands of people were tricked by SMS into installing an app – supposedly from the Czech postal service. This was a Trojan that compromised credit card information as well as other app accesses.
Overall, the spread of malware in smishing attacks is less frequent because smartphone manufacturers have since reacted and are making it increasingly difficult to install unsigned or unverified apps. However, the danger remains, especially on Android devices, which offer “app sideloading”: apps can be installed from unknown sources if this is not deactivated in the device settings (the feature is deactivated by default).
Smishing financial fraud
Smishing is not an art that only technically skilled people can perform. It also involves tricksters who make rather clumsy attempts to get at their victims’ money. This still poses a danger, especially for less tech-savvy people, because here, too, the aforementioned concealment of the phone number is often used, something that sounds inconceivable to many ordinary citizens.
How does smishing work?
With the development and spread of so-called VoIP telephony and caller IDs, fraudsters and cybercriminals have also come across new techniques for reaching victims via a spoofed phone number. “Caller ID spoofing” involves replacing the caller’s actual phone number, the so-called “Network Provided Number”, with a false phone number. There are countless dubious providers who offer their customers the opportunity to change the Network Provided Number themselves. However, this should not be confused with “CLIP No Screening”, an actual service feature where the outgoing number, the so-called “User Provided Number”, can be freely chosen, but only on the condition that one owns the rights to that number.
Faking and masking SMS senders is thus not a major technical hurdle either. Here, too, there are free providers on the market that let you choose not only the sender number, but even a name. SMS notifications with names like “Dad” or “Mom” or even “Police” are not uncommon. Among other things, this is possible because the field that shows us the transmitted number is completely separate from the actual registered number.
How can I protect myself from smishing?
Many dangers that lurk on the Internet require active protection. For example, the danger from Trojans and viruses is reduced with the active protection of a virus scanner. In the case of smishing, on the other hand, active protection is not necessary to protect oneself. Often it is enough to do nothing. Phishing in general only becomes a danger if the victim falls for the scam. Therefore, not reacting to the attempt in the first place protects you. Nevertheless, there are some points that can be observed to increase awareness of the dangers of smishing:
- Unsolicited offers and alerts, notifications about promotions and the like are often a simple trick scammers use to arouse the curiosity of their victims.
- No reputable company such as a bank, online retailer, social media site or the like will ever ask its customers for exact personal data via SMS or email.
- Only store absolutely necessary information on your smartphone. Never store credit card information, online banking logins or PIN numbers on your phone.
- Clarify important matters privately. If you get a message from “Mom” that seems unusual, then clarify this in a phone call or, better still, in person.
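The warning signs described above (a link to an unexpected destination, a request for credentials or card data, urgency language, and a sender name that the sender chose freely rather than a real number) can be turned into a simple scoring heuristic. The following Python script is an added example written for this page, not code from the original article. Its phrase lists, the brand-to-domain mapping, the shortener list and the four sample messages are all constructed for illustration, and the threshold of 4 is an arbitrary choice.

```python
"""Heuristic smishing scorer run over constructed sample SMS messages.

Added example, not from the original article. The phrase lists, the brand
mapping and the sample messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Pressure phrases typical of bait messages (constructed list).
URGENCY_PHRASES = ("urgent", "urgently", "immediately", "locked", "suspended",
                   "final notice", "within 24 hours")
# Secrets a legitimate company never asks for by SMS (constructed list).
CREDENTIAL_PHRASES = ("pin", "password", "login", "verify your account",
                      "card number", "cvv")
# Shorteners hide the real destination of a link (constructed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Brand names and the domain each really uses (hypothetical mapping).
BRAND_DOMAINS = {"examplebank": "examplebank.com", "czech post": "postaonline.example"}

URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
IP_LITERAL_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
NUMERIC_SENDER_RE = re.compile(r"^\+?\d{5,15}$")


@dataclass
class SmsMessage:
    sender: str  # displayed sender: a number, or a freely chosen alphanumeric name
    body: str


def phrases_in(phrases, text):
    """Return the phrases that occur in text as whole words (case-insensitive)."""
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text, re.I)]


def extract_hosts(body):
    """Return the lower-cased hostnames of all links found in the body."""
    hosts = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:!?)")          # drop sentence punctuation glued to the link
        if "://" not in url:
            url = "http://" + url             # let urlsplit parse bare "www." links
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def score_message(msg):
    """Return (score, reasons) for one message; a higher score means more likely smishing."""
    score, reasons = 0, []
    body_lower = msg.body.lower()

    hosts = extract_hosts(msg.body)
    if hosts:
        score += 1
        reasons.append("contains a link")
    for host in hosts:
        if IP_LITERAL_RE.match(host):
            score += 2
            reasons.append(f"link points to a bare IP address ({host})")
        if host in SHORTENERS:
            score += 2
            reasons.append(f"link uses a URL shortener ({host})")
        for brand, real_domain in BRAND_DOMAINS.items():
            # Brand named in the text, but the link does not go to the brand's own domain.
            if brand in body_lower and not (host == real_domain or host.endswith("." + real_domain)):
                score += 3
                reasons.append(f"mentions {brand!r} but links to {host}")

    hits = phrases_in(URGENCY_PHRASES, msg.body)
    if hits:
        score += 1
        reasons.append("urgency language: " + ", ".join(hits))

    hits = phrases_in(CREDENTIAL_PHRASES, msg.body)
    if hits:
        score += 3
        reasons.append("asks for credentials or card data: " + ", ".join(hits))

    if not NUMERIC_SENDER_RE.match(msg.sender):
        score += 1
        reasons.append("alphanumeric sender name (freely chosen by the sender, cannot be replied to)")

    return score, reasons


def classify(msg, threshold=4):
    """Label a message 'suspicious' when its score reaches the threshold, else 'ok'."""
    score, _ = score_message(msg)
    return "suspicious" if score >= threshold else "ok"


# Constructed sample messages, not real traffic.
SAMPLES = [
    SmsMessage("ExampleBank", "ExampleBank: your account has been locked. Verify your PIN at "
                              "http://examplebank-secure.example/verify to restore access."),
    SmsMessage("+420777000111", "Czech Post: your parcel could not be delivered. Install the "
                                "tracking app: http://198.51.100.7/post.apk"),
    SmsMessage("ExampleBank", "Your one-time code is 482913. It expires in 10 minutes. "
                              "Never share it with anyone."),
    SmsMessage("Mom", "Hi, my phone broke and this is my new number. I urgently need you to "
                      "pay a bill for me today: https://bit.ly/3xmplbill"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        score, reasons = score_message(sample)
        print(f"{classify(sample):10} score={score:2} from {sample.sender!r}")
        for reason in reasons:
            print("    -", reason)
```

The third sample shows why the sender name alone is not enough to flag a message: a genuine one-time code from a bank also arrives under an alphanumeric sender, but it carries no link and asks for nothing, so it stays below the threshold. The brand check is the heuristic's strongest signal because it captures exactly the bank-smishing pattern from the text: a familiar name in the message, a link that leads somewhere else.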