SMS Phishing, or Smishing as it is sometimes known, is an attempt to acquire personal information such as passwords by sending a text message to an individual’s mobile as bait to encourage them to share their personal details, install malware or even tracking and monitoring software.

The advent and adoption of the smartphone has led to widespread access to the internet and therefore fraudsters have also started focusing on SMS containing deceptive and malicious links as a method of deception.

These SMS have the potential to reap as much devastation as the more widely known phishing email, especially as the open and read rates of SMS are so high and upon an initial glance the message can appear to be from a genuine company or institution.

How Does SMS Phishing Work?

Smishing consists of the unsuspecting individual responding to a fake SMS or visiting a URL that has been created with the sole intention of starting the process of encouraging the user to input sensitive data or information. The most common reasons for this are related to users’ financial accounts and the sender of the SMS then being able to access and withdraw funds.

However, criminals can also commit identity theft related crime, including applying for loans or additional credit cards in your name, causing severe financial implications which can last for an extended period of time.

SMS Phishing Examples & How To Spot Them

If you are looking for an example of an SMS Phishing, take a look at our example below!

Despite senders getting more proficient at sending phishing SMS, fortunately there are ways in which recipients can recognise and understand that the SMS is not genuine. Below you will find some advice and recommendations for spotting these rogue SMS and ensuring that you do not fall victim.

Unknown Sender

Most of the SMS that you receive will be from your own personal contacts and you will show the name of the sender. However, if you do not recognise the number and the SMS contains a link to a URL or to an unknown number, it is probably better to delete the SMS from your records. This is especially the case if the number from which the message was sent does not look like a normal number.

Requests for Personal Information

Organisations or institutions do not ask recipients to share personal information over email or SMS. If they require this information it tends to only be done over secure applications or platforms, which often have two-factor authentification, using via A2P SMS or FIDO.  An increasing number of companies clearly state this on their websites and in personal and marketing communications that they send out. However, there still tends to be a lack of awareness, especially amongst those who are not as techy-savvy.

Hacked or Suspended Accounts

A common method that SMS phishers adopt is to pretend to be from a large, well-known company and pretend that your account has been hacked or suspended and asking you to follow a link to reactivate your account.

These attempts at Phishing can appear very convincing and look like a genuine message but as highlighted above, this is not a practise that is used by reputable organisation, so exercise caution – if you have any doubts, you are advised to call the official phone number of the relevant organisation.

Poorly Written Content

A clear indication that a message is not genuine is when the quality of the written content is poor, such as the spelling or grammar. Phishing attempts often consist of poorly constructed and badly phrased content. However, it is important to note that this is not always the case and that sometimes the phishing attempts can appear highly convincing.

How to Protect Yourself from SMS Phishing

  • Make sure that you read SMS from unknown senders very carefully, especially if there is a link included and the SMS suggests that you need to enter personal information to protect your account or prevent it from being deactivated.
  • Don’t reply to the SMS with “STOP” to prevent future texts from being sent, while it may seem to prudent to do so, fraudsters include this to determine whether your number is active. If you respond, then you are likely to receive more messages from this fraudster and others in the future. The best course of action would be to simply delete the SMS and forget about it.
  • Under no circumstances should you input personal information, this includes your name, address, bank account numbers, passwords etc. No financial institution or other types of sender would ask for your personal details in this way and companies advise this on their websites. If you have any doubts, visit the relevant company’s website and then contact them directly.
  • Avoid downloading applications via text message if possible, as Smishing messages often deploy this tactics as a way in which to get unsuspecting users to download a malicious application that will be used to steal your sensitive information.
  • This follows onto another point, avoid storing your financial details on your phone as doing so eliminates any risk of something occurring should you fall victim to anything malicious.


Articoli correlati