SMS

The Rise of Smishing

SMS-based Phishing Scams are Gaining Traction 

Over the past few years, SMS (or text messaging) phishing scams, known as ‘smishing’ have also proved to be an effective strategy for hackers. Using texts as an attack vector may seem rudimentary but, according to the FCC, it’s proving to be disconcertingly effective among the general population. 

What’s happened? 

Since early 2020, fueled by the pressure and confusion from the pandemic, two major changes have happened in the digital landscape. One, more people are working from home than ever before—according to Statista, upwards of 30% of workers are fully remote—and two, ransomware attacks are on the rise. 

The connection between these two points is clear: companies had to move online rapidly, without being prepared for a secure transition. Cybercriminals saw this disruption as a huge opportunity, and they’ve taken advantage of the confusion. 

Cyberattackers use both phishing and smishing to target individuals every day. Both vectors of scam usually rely on social engineering to get users to click on fraudulent links, or to respond to the sender with information. The goal is often financial, but cybercriminals also seek to obtain personal data too.  

Victims are Being Manipulated 

In attacks driven by social engineering, attackers aim to exploit users’ decision-making capabilities, especially by proposing something urgent, dangerous, or personal. Here are three examples of how attackers position themselves in a smishing attack: 

  1. Trust: By posing as a legitimate organization or person, attackers can lower their target’s skepticism. Text messages are often perceived as a more trustworthy method of communication because giving someone your phone number can feel intimate. However, the assumption that someone has your phone number for a specific reason doesn’t hold up
  2. Emotion: Attackers exploit users by driving panic. If you receive a text message informing you that you have 24 hours to make a car payment, or ten minutes to submit your social security number to the IRS, the first responses are emotional. People are immediately worried about breaking the law or being held culpable for unpaid bills. These emotional responses often override our critical thinking, meaning users are more likely to take actions they normally wouldn’t.
  3. Context: Unfortunately, plenty of personal information is likely available on the web and the dark web, from your email and phone number to where you work, and where you went to school (consider just how much information there is on LinkedIn). Cyberattacks can easily gather a few pieces of information and use it as content in an SMS message to you, effectively building a disguise. When a message feels personalized it overrides suspicion—it’s easy for users to assume that their boss or coworker has their number and needs some help. 

Smartphones are ubiquitous and most users are emotionally attached to their devices. These tactics mean that there are many vulnerable smishing targets. 

Fortunately, there are a few things we can collectively take action on, immediately. 

  1. Promote Awareness. There are millions of people falling victim to smishing attacks who, if they’d been aware that texts are a common vector for attacks, might have been less vulnerable. Be suspicious and spread the word. 
  2. Pause. If you receive an SMS that is from someone you don’t know, asking you to take immediate action or provide financial or personal information, just pause. Emotional responses last for about 90 seconds, after which you’ll be able to approach the message more critically, and you’ll be less vulnerable to smishing. 
  3. Enable Multi-factor Authentication (MFA). While it’s not a silver bullet, ensuring that you have MFA on (when possible), can help strengthen your cyber defenses. We need strong layers to keep criminals from accessing accounts. 
  4. Stop Reusing Passwords. Tangentially related to smishing attacks, ensuring that you have different passwords for your accounts can be a hugely beneficial change for your online presence.