2023, July 27

Security

10 min read

Matt S.

Smishing Explained: Understanding SMS Phishing

Smishing is a fraudulent activity made from SMS and refers to an attack where individuals are tricked into providing sensitive information via text messages.

It’s slightly funny to think about the fact that there are probably tens or even hundreds of ways that hackers, scammers, and cybercriminals try to fool us. Some are more sophisticated than others and target top-tier businesses. Some target regular Joes and Janes to get financial benefits or steal personal information. One of the hacking methods that fit into the latter category is called Smishing or SMS Phishing.

In this guide, we’ll explain what it is, how it works, why you might be at risk, where do these scams originate from and so much more. Hopefully, after reading our guide you’ll be able to identify such an attack and better protect yourself and your possessions. So, let’s begin!

Smishing (SMS Phishing) – 101 Overview

First, let’s look at the basics. These involve the definition, the anatomy or how it works, and other, must-know things about it.

What is Smishing?

To answer ‘What is Smishing?’ we should first explain what is phishing. The word phishing describes a cyber scam tactic. It sounds similar to fishing because the hacker puts out the bait and waits for the fish (e.g. victim) to bite.

Here‘s a basic illustration showing how it works.

Usually, quality phishing requires good social engineering skills and decent know-how in programming or access to great malware. Phishers try to impersonate legitimate organizations or serious individuals and send out harmful programs, scam links and want unsuspecting users to take an action which would then:

Infect your device with malware
Steal your personal info or money
Do all of the above

As you can see, not a lot of people know about it. Also, you can’t say that smishing isn’t a serious thing, too. Each year it causes millions of dollars of damages for corporations and people as well.

So, Smishing, or its meaning

is just phishing that’s being done via SMS.

How does it work? Anatomy of SMS Phishing Attacks

The anatomy or the whole process of a Smishing attack has two points of view. One is the hacker’s and the other is the victim’s. For the attack to be effective and reach its goals, it has to be compelling, well-placed, and well-executed.

Look at the example below.

One popular method of SMS Phishing was being executed all over the U.S. and especially the EU. People were sent login links to pay fines for breaching coronavirus restrictions. In reality, there were no breaches or fines, but people still fell for it.

But let’s look at what makes this attack stand out and what separates a well-executed SMS phishing action from a fruitless attempt. A successful smishing attack typically involves several key components:

Sender Spoofing

. Cybercriminals use devices, apps, and clever mobile network engineering to manipulate the sender information displayed on the recipient's phone. An attacker would like to impersonate someone reputable, e.g. banks, phone operators, healthcare institutions, tax inspectors, etc.

Compelling Message Content

. The content of smishing messages is carefully crafted to grab the recipient's attention and create a sense of urgency or curiosity. This needs to be believable. Information about a prize or lottery out of the blue doesn’t cut it anymore. Hackers need to think about something clever, so they mention vague issues to spark curiosity: problems with your bank account, suspensions of accounts and services, etc. Look at the image below.

Malicious Links

. Smishing messages need to contain shortened URLs or direct links that lead to fraudulent websites designed to collect sensitive information, install malware, or carry out other malicious activities. Otherwise, the attack won’t work. All cybersecurity experts advise against opening links from malicious messages and being very vigilant when it comes to urgent texts. There’s a great read on Lookout.com if you want to further understand the risks of opening such a link.

Social Engineering Techniques

. Cybercriminals leverage psychological tactics to persuade recipients to act without questioning the authenticity of the message. This could include using fear of financial loss, claims of rewards or prizes, or even emotional appeals. This part is linked to the compelling message content that we mentioned earlier.

Data Harvesting

. Once victims fall for the smishing attack and enter their personal information on a fake website, or once the malware is installed, that data is collected by the attacker and potentially used for fraudulent purposes.

Who is Most at Risk of getting targeted by Smishing Attacks?

The UK’s Office for National Statistics concluded a wholesome research about the threat of phishing attacks. They concluded that in the United Kingdom, people aged 25 to 44 are the most at risk. One particular scam that’s on the rise, is related to delivery companies.

This chart from Kaspersky shows the distribution of what phishers are trying to impersonate. Delivery companies, online stores, payment systems, and banks are at the top of the list.

Another study by Infosec Institute surveyed 300 corporate respondents to get their experiences from within. They found that C-level executives are targeted most often. Around 27 % of CEOs were targeted by at least one

smishing

or phishing attack with CFOs being the second most-targeted position with a frequency of 17 %.

Furthermore, if you work in particular industries, you can expect to be a more sought-after target for phishing attacks trying to gain access to your system from within or install ransomware. Thus, if you work in one of these niches, you have to be aware of potential risks. For people who work in financial institutions, SaaS companies, and social media service providers, the risk seems to be the highest.

The chart by Statista shows which online industries did phishing attacks most-target in the Q3 of 2022.

Where do most smishing attacks come from?

It’s also useful to know where these attacks are usually coming from. If you are from these countries, spend time there, or have contacts in them, it’s more likely that you’re exposed to risks. With email phishing, country borders don’t affect the scope as much, but for SMS phishing, the locale is super-important because of the much more relevant social engineering aspect. Thus, the hacker could benefit from knowing and/or understanding certain events and trending topics in your country.

Look at the map below to see where most phishing senders are from.

The map from Barracuda shows that the two countries with the most phishing senders (per capita) originate from Nigeria, Uzbekistan, the Baltic States, Ukraine, Iran, Yemen, Colombia, and a few more. The region where it’s most widespread seems to be the modern-day CIS and the region where the former USSR used to exist. The same investigation where the map was published, showed that a significant number of these attacks originate from legitimate cloud providers. They speculate that hackers can compromise legitimate servers or email hosting and infiltrate the systems.

Which countries do SMS phishing attacks most target?

Knowing where these attacks originate from is one thing. Knowing when you’re most likely to become a target is another. We can look at the data that Kaspersky – one of the largest antivirus software developers, compiled for 2021. The map below illustrates phishing attack occurrences (smishing included) around the globe. The redder the country is on the map, the more likely it becomes that a user is going to be targeted by phishing scams.

This map indicates the likeliness of a user pressing a link that the phisher sent. The ranking is as follows:

The likeliness of a user following a phishing link via SMS, email, etc. *This list shows the share of users encountering phishing out of the total number of Kaspersky users in that country/territory,

Brazil – 12.39 %
France – 12.21 %
Portugal – 11.40 %
Mongolia – 10.98 %
French Reunion – 10.97 %
Brunei – 10.89 %
Madagascar – 10.87 %
Andorra – 10.79 %
Australia – 10.74 %
Ecuador – 10.73 %

If you’re in one of these countries, be extra careful when pressing on any links. Cybersecurity experts recommend solving any account and/or bank-related issues directly with the company (e.g. via phone call or at their office). That is a bit more time-consuming but it eliminates unnecessary risks.

Best-known smishing attacks in history (Smishing examples)

Over the past decade, with the rapid rise in smartphone use, people are starting to know about

what is smishing

, where it can strike, and how it can affect you. However, since the scams are becoming more sophisticated and people are still only recognizing the threats as being real and widespread, you still have situations where not tens, not hundreds but thousands of people fall victim to Smishing scams. Let’s look at some examples from history.

Twilio leak

In August of 2022, Twilio, a leading cloud communications and API solution provider that supports over 150 thousand businesses worldwide, confirmed that they sustained a huge data breach.

The compromised data included PII – names, phone numbers, email addresses, and sometimes even financial details. SMS phishers utilized social engineering and used fraudulent messages to deceive Twilio employees and to gain access to their database. It was a very well-organized attack that caused massive damage and couldn’t be traced back to the malicious actors, but was shut down eventually.

Fake fraud investigator in Ohio

For one female Ohio resident, a day began normally but she received a message that caused almost instant panic. Here’s what it said.

“Chase, Did you attempt a wire transfer amount of $7500? Reply Y if recognized, Or NO to stop fraud.”

One thing led to another and a man who impersonated a Chase Bank fraud investigator ended up stealing 15,000 USD from her bank accounts. She’s not alone in this as Americans reportedly lose more than 326 million USD annually to smishing scams alone. Another source (CBS News) says that the median loss for an American is around 1000 USD. Yikes!

NHS scams

In the UK, especially during and after the pandemic, SMS scams are on the rise. It’s gotten so bad that the NHS published separate documents helping people avoid these attacks. The image below illustrates the most common attacks that Britons and Northern Ireland’s citizens have to face.

Guide to identifying a SMS Phishing attack

So, as you know

Smishing’s definition

and the

meaning

of the word, as well as some examples of real-world attacks, it’s time to give some tips on identifying this attack. While hackers are always finding new ways to exploit systems for their gain, some things can give away that it’s not legitimate and a scam. To the very least, if you’re at least .00001 % suspicious, spend a bit more time contacting the official source directly for confirmation. Better safe than sorry and 1000 USD less rich, right?

A list of 6 signs that the SMS might be a Smishing attack:

It’s from your financial service provider (always be on the alert)
It urges you to reply or take action
It contains a link (most service providers only urge you to separately log in via app or website but don’t send any direct links)
It has grammatical errors and/or strange requests
You’re already a frequent customer but the message sender’s info seems different and/or it pops up as a new conversation
It’s vague and out of the blue

How to securely send messages and avoid Smishing?

If you want to protect yourself from the risks of smishing, we recommend switching away from regular SMS to E2E encrypted messenger services like Skyda. You will only be getting messages from contacts you know, accept and trust. Files are sent P2P, and no one can intercept the contents of your communications.

By clicking on files and links from sources you trust you can much better protect your device and your personal data from smishing.

Conclusions

So, hopefully, this article helped you familiarize yourself with the concept, risks, and anatomy of SMS phishing attacks. By knowing the history, origins, real examples, and geographical data you can ignore scams and be much more aware of the risks involved. If you’re eager to know more about digital privacy, cybersecurity, and related topics, check out some of our other blogs!