Smishing

Smishing, a combination of the words “SMS” and “Phishing”, is a type of cyber-attack that targets individuals through SMS or other forms of text messages. 

Smishing attacks are similar to email-based phishing attacks where scammers lure victims into sharing personal information by clicking malicious links, downloading harmful files and software, or via chat messages. They typically disguise themselves as trusted sources and use social engineering tactics to manipulate the victim into taking undesired actions.

Victims can be randomly or specifically selected based on data obtained via paid sources. This can include a victim’s address, full name, relative’s information, and even recent purchases. By analyzing the data, they can create a personalized message that invokes emotion (fear, curiosity, urgency, etc.) that urges readers to take action. This could result in victim's clicking the link, replying with personal information, or downloading suspicious files.

Although most people are aware of the risks of clicking suspicious links on e-mail, fewer of them realize the same applies for text messages. 

Links like these usually mimic official websites from banks, businesses, other familiar institutions and  prompts the victim to share information like passwords and other personal information that can be used to commit identity theft, unauthorized transactions, or data selling tactics.

Basic IOS and Android features, as well as several telecommunication companies, try to prevent spam messages from reaching your phone, or at least label them as “potential spams.” But it’s important to notice that those systems are not perfect. You should always vet your text messages just as you would a suspicious email.

Some common types of smishing attacks include:

• Account Verification Scams: The victim receives a text message claiming to be from a reputable company or service provider, such as a bank or a shipping carrier. The message typically warns users about a supposed unauthorized activity and asks them to verify their account details with a link. By clicking the link, users land on a fake page, in which the credentials they type are stolen by the criminals.
• Prize or Lottery Scams: The attacker informs the victim they’ve won a prize, lottery, or sweepstakes, but to claim their prize, they must provide personal information, pay a fee, or click a malicious link.
• Tech support scams: Users receive a warning asking them to contact a tech support number about a problem with their devices. Calling this number can result in charges, or the “technician” might request remote access to your device, which can lead to data theft.
• Bank fraud alerts: These messages appear to come from the victim’s bank, warning about unauthorized transactions or suspicious activities. The user is prompted to click a link or call a fake support number to verify the transactions.
• Tax Scams: Around tax season, people might receive text messages claiming to be from tax agencies. They often promise tax refunds or threaten penalties for supposed unpaid amounts, urging the recipient to send financial details.
• Service cancellation: The attacker warns the victim of a subscription service (like streaming platforms or software subscriptions) that is about to expire due to payment issues. They’re urged to click a link to resolve the issue, which usually leads to a fake website.
• Malicious app downloads: Users receive a message promoting a useful or entertaining app. Clicking on the download link can lead to installing malicious and unwanted software on your device.

Red flags to look out for in smishing text messages include:

• Threats of prosecution if the user does not call a number or click a link
• Informal language being employed in serious matters
• Links that look different from the official bank/company/service address (If you’re unsure what the correct link is, a simple Google search can reveal that!)
• Promises of money or benefits that are too good to be true
• Messages from unexpected senders (example: a tracking message for a FedEx package you didn’t order)
• Vague wording that doesn’t fully explain the reason for contacting you
• Banks asking for card numbers, ATM pins, or banking information (Financial Institutions will NEVER ask you this information!)

Tips to prevent smishing attacks:

• Never click any links, call any number, or download any applications unless you’re absolutely sure they’re safe
• The same goes for sharing personal, banking, or account information
• Many smartphones and carriers provide SMS filtering options that automatically block or flag suspicious messages
• Activating Multifactor Authentication (MFA) on your accounts can protect your information even if you fall a victim of a smishing scams
• Avoid storing banking information on your mobile device, as it can be compromised after an attack
• If you’re unsure the sender is legitimate, try contacting the company/bank/service provider independently
• Keep your device and apps up to date with the newest security patches

We highly encourage you to remain vigilant and to maintain a healthy dose of skepticism. If you come across any suspicious messages, email them to abuse@umsystem.edu or contact your local IT security office.