Recently, everyone has been talking about “smishing”: in the USA, Italy, and Brazil, the mass media have been publishing alarming news about new fraudulent campaigns. The German police even issued an official warning about one of them. If you look at the popularity of the “smishing” search query, it becomes clear that this phenomenon has gained considerable momentum in the last year. So what is smishing, and what are its distinctive features?
Smishing is a form of phishing in which an attacker uses a convincing text message to trick intended recipients into clicking on a link and sending the attacker personal information or downloading malware onto a smartphone. The attacker sends a message encouraging the user to click on a link or requests a response containing the target user’s personal information. Hence the term itself: smishing = SMS + phishing. According to some classifications, phishing in messengers also belongs to smishing, but we still consider it a separate phenomenon, so we will not cover it here.
The goal of the criminals, as with any other phishing, is to lure important personal information out of the victim, most often an online banking password or bank card data. To do this, fraudsters send an SMS, usually about some fictitious problem: a stuck parcel, an unpaid bill or a blocked account. By and large, it all depends on what these particular fraudsters are more comfortable working with – malicious software or websites. The result for the victim in both cases is the same – loss of money, often quite tangible: people are robbed of thousands of dollars, euros or pounds.
So why has SMS phishing become so popular recently, and how is it more dangerous than regular phishing?
First, everyone is more or less used to email phishing and more or less knows how to recognize it and how to protect against it. SMS, by comparison, is a much more unexpected channel for fraud, so people are less likely to expect tricks from short messages.
Second (and this is an important addition to “first”): although SMS is more trusted, it is on average less secure than email. Any reasonably decent email service today is bound to have a built-in spam filter, often even a very smart one. It is possible to bypass it, but to do so fraudsters have to keep inventing new tricks. Unfortunately, the spam filters of mobile operators cannot boast such flexibility and accuracy today.
Third, SMS messages are more often read on the go and in the middle of other business, which, in combination with the first point, makes people less critical and increases the probability of a successful attack. In the case of a text message, the recipient often does not think about who it is from and what is written in it – they simply click on the link.
And finally, fourth, there are simply fewer signs by which you can recognize fraud in an SMS. In email, you can always look at the address of the sender, evaluate the design and layout of the message, check the spelling and style of what is written – in general, look for the standard red flags.
SMS has none of this: even legitimate messages look very similar to each other, the text is as short as possible, and if the fraudsters have the technical skills, they can very convincingly spoof the sender, i.e. replace the sender’s real number.
There is no need to be paranoid about becoming a victim of vishing (voice phishing). At the same time, you should be careful. To help you stay vigilant, here are some specific steps you can take to prevent vishing:
Keep in mind – knowing how these thieves work can help you avoid getting scammed. Always remember that legitimate businesses do not make unsolicited requests for personal, confidential or financial information. Anyone who does this over the phone is probably trying to scam you.
Don’t give in to pressure – if someone tries to get you to give them confidential information, hang up on them.
Do not answer phone calls from unknown numbers – it is tempting to answer calls from unknown numbers. You might even think, “What if it’s an emergency and someone needs me?” Be aware that anyone who calls you with a true emergency will leave a message.
Keep calm and don’t panic – as these criminals often play on your emotions, keep your cool and hang up. If you’re still scared, wait 10 minutes and then call your bank, credit card company, or whoever the caller said they were. Then check if there is a real problem.
Be skeptical at all times – even if your caller ID shows the name of a bank, charity or any other company or organisation, it could be a scam.