Smishing is a form of Phishing in which an attacker uses SMS/MMS (text messaging) to trick recipients into clicking a link that might redirect the recipient to an information-harvesting website, or some other nefarious destination.
Unless it's EXTREMELY obvious, such as receiving a text message that says "click here for a free 1 billion dollars!" and it's an odd link you've never noticed, then most people are generally more trusting of text messages. This creates a semblance of trust between a possible attacker & yourself. Especially if they have prior knowledge of you, such as your social group & or workplace, which they could use to social engineer information out of you by pretending to be someone you know.
How Smishing Works:
Most smishing attacks work just like email phishing. The attacker sends a message that entices the recipient to click a link or asks for a reply that might contain targeted data.
The information an attacker might want can include, but is not limited to:
- Online credentials
- Private information that could be used to gain access to accounts
- Such as your Favorite color, food, sport, the name of your first dog, your birthplace, ETC.
- Financial data & or payment.
Smishers use a variety of ways to trick you, into thinking you're REQUIRED to send over the requested information, or something bad might happen - or even downloading malware to harvest your data without you even knowing.
Example of a Smishing attack:
Most (not all) attackers use automation to send several users a text message, using an email address to avoid being tracked. The phone number attached to the text message usually points to a VOIP service such as Google Voice, where you can't look up the number's location.
The above example is a great one. This is telling you that the IRS is filing a lawsuit against you unless you call this number & get it resolved. There are ALWAYS giveaways. First thing, the IRS will never send you a text message advising you of a lawsuit. Secondly, you will commonly see grammatical errors as pictured above.
A more common smishing attack will attach a brand name to a commonly used service, such as the USPS, Fedex, or Amazon telling you that your package's tracking number has been created - with a fake link to the tracking page - such as this one.
A few warning signs in this one:
1. The URL does not lead to a "fedex.com" website.
2. Most carriers utilize "MMS" codes, which would not be a full 10-digit number, but rather a 6-digit code where you would normally find the number (at the top of the message).
3. If you're unsure, check your application where you purchased the item to receive the most accurate (and secure) info on your packages or contact the manufacturer/carrier directly.
How to protect from Smishing:
Our personal favorite here at Smart Sourced IT is to have a zero-trust policy. Do not trust messages from unsaved numbers, do not click links you are not 100% sure of & do not call numbers coming from unsolicited text messages.
Do not send credit card info, personal info, or even your favorite color & first pet's name to random people. This might seem harmless, but this information can be used to recover access to other accounts.
File a complaint with the FCC here and reach out to your cell service provider to report the spam/smishing attempt.