Smishing is a form of cybercrime that uses social engineering similar to phishing, but via text messages. The name derives from "SMS phishing" and uses the same techniques to bait you into divulging your personal information. Consumer Affairs named smishing as a growing threat to mobile users.
Most smishing messages contain a sense of urgency, as is common with social engineering. Messages may ask for your 'immediate attention' for something (even a price) or ask you to confirm an order/purchase or may claim that your bank account / credit card has been suspended unless you take action. All of these messages will hook you into giving away some sort of personal information, usually financial information. In some cases, simply visiting a link will download viruses/malware onto your phone, which could disclose any information you have stored on it.
It can be hard to spot smishing attacks when directed to legitimate-looking websites or official sounding voice systems. However, just like with phishing attacks, know that financial institutions will never request this information via a text message.
How to Avoid a Smishing Attack
- Never click on links in an unsolicited text message
- Never respond to unsolicited text messages
- Don't take action on messages that require you to 'confirm' or 'do' anything
- If you receive an unusual link from someone you know, check with them to make sure they sent it
- Add your phone number to the Do Not Call Registry can help reduce some unwanted spam, but not likely protect you from scammers
- Do not display your mobile phone number in public (or on the Internet)
- Check with your mobile service provider about options to block future text messages from select senders
- File a complaint with the FTC if you receive messages from an unwanted / unsolicited source
- Don't reply with 'Stop' - the message is not from a mobile premium service. Replying will only confirm your details to scammers and put you on a ‘target list’.
- If you do click on a link by mistake, exit immediately. Do not fill out forms or attempt to contact anyone.
- Consider an antivirus / antimalware software solution for your smartphone
- If you receive a generic text message from an unknown source that sounds like it's from a friend - it may not be. This could be an initial 'hook'.
- Look up the phone number online to see if it is legitimate. It's best to also look up the bank or institution (if applicable) to verify the number on their site, since a scammer could put up a real-looking website with that number listed.
For more on avoiding social engineering attacks in any medium, read our post on avoiding contest scams. To learn more about Endpoint Visibility and Control, visit us at Absolute.com