SMSishing or SMS Phishing, is it real? How to stay protected?

Originally posted on Medium

In today’s world, almost everyone is seen using a mobile phone, be it a smartphone or an ordinary phone for just calling and texting. Though the awareness of phishing attacks have increased during the past years, thanks to our banks and other organizations always sending us “those warning messages!” Folks are still not aware of a type of Phishing Attack called SMSishing Attack.

Yes, it’s real!! And I am not joking. SMSishing or SMS Phishing is a type of phishing attack where the fraudulent party uses a text message with links or any social engineering techniques to ask you for your personal information to take advantage of.

“SMSishing is the act of using mobile phone text messages (SMS) to lure victims into immediate action such as downloading mobile malware, visiting a malicious website, texting back with info or calling a fraudulent phone number.”

SMSishing attacks are increasing day by day and seem to have become a real concern. The reason might be as simple as people trusting on what they read more or being too lazy or careless to check it properly. As per one of the articles on “social-engineer.org”, the reasons for the rise in this threat vector can be attributed to several factors, such as:

1) First and the most obvious is the widespread use of smartphones.

2) Second, there has been a dramatic increase in the reliance on mobile applications to pay bills and conduct business transactions.

3) Lastly, the adaptation of online two-factor authentication has created an authentic layer of trust for messages delivered to smartphones, making it difficult for the average user to decipher a real “enter this verification code before it expires” from an “act now” message.

Enough of this gibberish talk lets dive into some of the examples of SMSiphing, an attacker might use :

EXAMPLES

Sending messages designed to trick the recipients into clicking on a deceptive link was once reserved for fake but real-looking scam emails trying to fool users into visiting malicious sites on their PC, but scammers have realized there are (on average) far fewer protections on smartphones and no small number of potential victims.

• Due to the fact that more and more people are using their smartphones for online banking or bill payments, the attacker might use something that might seem very authentic and realistic like the one shown in the images below.

Followed by the fake bank URL asking for information

A message asking you to login or reactivate your account.

Check for payment related issues.

IRS Notice: Tax Return File Overdue!

Others

Example images source: https://numbercop.tumblr.com/post/120439546107/weekly-summary-518-531

How to protect ourselves from SMSishing attacks?

Keep the following in mind to be safe and protected. Like the saying goes “Prevention is better than the Cure!”, there are certain giveaways to look out for, which could help us recognize and check the authenticity of the message.

• Always check for the source of the message, is it the number you know? Or the email address is correct or not? Check for the Organizations spelling mistakes, etc.
• Beware of those social engineering attacks, asking you to pay immediately, or the account has expired, or any sudden scare tactics the attacker might use on you to click on the link in the message and follow the using phishing attack with the fake site and information gathering.
• Never panic and always check for the contact numbers, does the message start with vague information, a generic company name like “card services,” an urgent request, and/or an offer that seems impossibly good? Then it’s definitely suspicious, delete it!
• If you receive a text message claiming to be an alert from your bank or credit card company, call the organization directly, using its listed number you obtain from another source (bank site), to find out if the message is legitimate.
• Be cautious about sharing your phone number, and only share it when necessary with well-known organizations. Do not post your cell number on social media.
• Delete any possible smsishing messages without clicking on any links or without replying to the message. Replying to ask the sender to no longer text you will likely lead to more scam messages.

CONCLUSION

Remember Phone calls and texts are as easy to spoof as email. If it sounds too good to be true, or if it’s really scary, it’s probably a scam. Also, Phishing is a social engineering scam and it’s not just for email! You can get phished by phone or text message too. Being aware of it is the best way to stay protected!