SMS Phishing: How to Avoid SMiShing Attacks

When people think of phishing attacks, a few stock images come to mind: the malicious email, a screen-sized lock icon, and, of course, the long headache that follows. But like all exploits, phishing attacks continue to evolve in complexity and subtlety. Recent trends show a marked increase in "smishing" – SMS phishing – attacks, where hackers leverage text and SMS messages to gain sensitive user information.

Here's What Your Business Needs to Know About Preventing SMS Phishing Attacks:

Targeted Mobile Malware

Smishing has gained traction for a number of reasons. Unlike your inbox, incoming text messages on mobile devices are not subjected to traditional spam filters and authentication systems. Without this initial line of defense, malicious text messages can easily slip into your mobile phone. This effect is compounded by the fact that text messages often reflect a mix of business and personal correspondence. The familiar, often varied, threads in one's inbox can obscure otherwise suspicious information. 

In 2020, smishing attacks increased 328%. Legitimate authorities used SMS messages to communicate about Covid-19 related contact tracing, vaccine options, lockdowns, etc. This prompted a wave of cybercriminals to replicate pandemic-related content and extort victims. A recent report found that 44% of Americans had seen "an increase in scam calls and text messages" since the start of 2020. Smishing is now the most common mobile-based phishing, followed by social media, email, and gaming-based attacks.

How to Prevent SMiShing Attacks

Given the volume of texts that mobile users receive per day, hackers exploit their target's dropped defenses to steal information. These attacks can take many forms, often disguised as urgent alerts that require an immediate response. Examples include personal information such as passwords, security updates, locked credit and debit cards, and compromised bank account information. All of these have appeared in past SMS phishing attacks, their success hinging upon knee-jerk reactions. And in many cases, when users click a link on malicious SMS attachments, they are redirected to images, rather than websites. Unlike websites, which have a certain degree of built-in defense, images are more difficult for monitoring systems to parse, leaving users vulnerable. Before clicking any SMS-based link, do the following:

1. Check Sender

   • Always check your message's sender – do you recognize the contact? 

2. No Personal Info Over Text

   • Remember that legitimate companies will not ask for personal information over a text message.

3. Don't Click Links

   • Never click on hyperlinks that may appear in the message or offer up sensitive information. 

4. Make Sure Web Filters Are On

   • If you are directed to a website, ensure that web filters are alerting you to potentially malicious content.

5. Remember Other Messaging Apps

   • Understand that smishing is not limited to texting – WhatsApp, Facebook, and Skype messengers are all potentially vulnerable. 

If you're looking to upgrade your email, mobile, or network security, our experts can help. Reach out for a free consultation today. 

Editor's Note: This blog was originally published in 2017. It has been updated for accuracy.