What is Smishing? A Guide to SMS Phishing Attacks

Learn to understand, detect and prevent Smishing Attacks.

Get Protected Now

Credential stuffing attacks can put personal and business data at a serious risk. Here, we’ll take a closer look at credential stuffing attacks, how to detect them, how to protect against them and why they’re such a threat to both businesses and individuals.

SMS phishing attacks or “smishing” are becoming more and more common, partly encouraged by the COVID-19 pandemic and the rise of COVID-related scams. In this simple guide, we’ll show you what smishing is, how to detect it and how to avoid being the victim of a smishing attack.

The more you understand about smishing attacks, what they’re capable of and what the potential risks are, the easier it will be to identify and prevent damage from one.

What is Smishing?

Smishing (aka SMS Phishing) is when an attacker sends a fake message to your SMS number, often containing an offer for a free product or an urgent alert regarding banking or other sensitive information.

Smishing is particularly dangerous for those that don’t have an understanding of basic cybersecurity, because the SMS messages are worded in a way that they’re believable. Some smishing messages even include vaguely personal information to sell the narrative.

Get Protected Now

What is Smishing?
How Do Smishing Attacks Work?

How Do Smishing Attacks Work?

Smishing attacks are considered “social engineering” attacks, because they prey on regular people via psychological manipulation. In most cases, the smishing message is designed to create a sense of urgency. Messages can include trigger phrases or words like “act now” and “your account is at risk if you don’t click here” or “there will be legal action taken against you if you don’t follow up.” These messages can inspire fear and eventually action.

Cybercriminals get phone numbers via data breaches on the web. When you sign up for a web account on a retail site, for instance, you’re often giving out your email, phone number and other personal information. When cybercriminals break into retail web records, those records are often distributed or sold on the dark web for profit. Thus, your personal information is distributed abroad.

You also may have entered your phone number via a phishing email or on some other illegitimate site and the company behind the site was actually a cybercriminal.

Cybercriminals often extort victims of smishing attacks for more personal information or even money, in some cases. IRS scams are common and victims often wire thousands of dollars to cybercriminals under the belief that the IRS will prosecute them if they don’t.

Smishing vs. Vishing

Smishing and vishing are both similar in that they require the use of a telephone to function, but vishing uses voice services instead of SMS messages. Vishing can sometimes be more effective because you’re actually talking to a person on the other end of the phone. The tone of a conversation can potentially drastically affect the outcome. If you think you’re going to be persecuted if you don’t respond, you’re more likely to give up the information your attacker is looking for.

Smishing vs. Vishing

How to Detect Smishing Attacks

Smishing attacks are common and there are some signs to look out for.

  • “Congrats! You’ve won!” This is a common smishing message that makes the victim believe they’ve won a monetary prize. The link or phone number attached will usually ask for personal information first. If you didn’t participate in a contest, you likely didn’t win anything.
  • Text sent at an unusual time. Most businesses operate somewhere between 8 am and 6 pm, so if you’re receiving messages from a “legitimate” organization late at night or very early in the morning, take notice.
  • Urgent banking message. Chances are, your bank will personally call you with any urgent requests or errors. In this case, the bank will normally verify your information over the phone as well. If you receive an urgent banking message via SMS, call your bank to verify it first.
  • Spelling and grammatical errors. Legitimate organizations hire editors and experienced writers. Check your SMS for spelling or grammatical errors to identify a scam.
  • Use a VPN. VPNs are legitimate services that allow you to mask your IP address and keep unfriendly eyes from seeing your true location and web activity, even on your phone. This can help you identify smishing messages, particularly if you receive one that references an incorrect location which is being spoofed by your VPN. However, some cybercriminals have even taken advantage of the demand for VPNs and send “free” or “discount” offers for VPN services via SMS.

How to Prevent Being a Victim of Smishing

  • Use a password manager like Keeper to store and manage passwords for all of your accounts safely. Always enable 2FA or MFA protection to prevent unauthorized access.
  • Never call the phone number associated with a potentially spoofed message. If it’s from your “bank” call your saved bank number to verify.
  • Call the company directly from their official website if you have questions. Be wary of scam signs on the website.
  • Don’t click unsolicited text links. If you’re not expecting a message, never click a strange link.
  • Report smishing attempts via efraudprevention.net, the IRS or your bank.
Examples of Smishing in the News

Examples of Smishing in the News

Coronavirus Scams

The Coronavirus pandemic not only brought the physical world to halt, but it also created the perfect catalyst for an increase in cybercrime. With so many remote desktops at work and most companies troubleshooting as they went, the doors were opened for cybercriminals to take advantage of companies that were new to remote work.

But the cyberthreats of COVID-19 went beyond simple hacking. Phishing/smishing attacks increased as well, in the form of Coronavirus scams. These scams included emails or texts offering free masks with a link to claim them. The messages were crafted to look like legitimate communication from well-known charities like the Red Cross.

Other scams portrayed the sender as a government body or other authoritative figure and included a bait link. These social engineering attacks were far more effective than you might think, preying on the fear and misinformation that ran rampant during the crisis.

Keeper Protects You and Your Family Against the Most Pervasive Cyberthreats.

Get Protected Now

close
English (US) Call Us
Try it Free