It’s time to talk about ‘smishing,’ the less well-known brother of phishing. Though many people can spot email phishing attacks, they are much more vulnerable to the threat of smishing.

A big part of this increased threat is the lack of education among the general public. So, what is smishing? And why do people need to be aware of it?

This article delves into the meaning of smishing and how to defend against it by providing 10 facts everyone should know about this little-known cyber threat.

What is Smishing?

Smishing is a type of cyber attack where the criminal tries to get sensitive information by texting people. Scammers send messages that seem innocent, but they trick people into clicking bad links or downloading harmful content. 

According to research, 97 per cent of Americans own a cell phone. This means that the vast majority of people are at risk of being defrauded by smishing. Unlike many forms of fraudulent activity, this attack affects all demographics. 

[Image: Examples of smishing where the scammer impersonates a delivery company.]

Of course, it isn’t just the general public affected by smishing. Many businesses also need education. Smaller companies, in particular, are often victims of cyberattacks. 

As such, raising awareness is of utmost importance. In this article, we’ll tell you ten key facts about this relatively unheard-of concept and the impact it can have. First of all, though, let’s look a little into its history.

The origins of smishing and its key characteristics

‘Smishing’ is a relatively recent addition to the cybersecurity lexicon. Yet, the concept goes back to the mid-2000s. As people started using cell phones and sharing numbers, cybercriminals began ‘smishing.’

Over time, however, smishing techniques have become more advanced, with hackers today using new technologies like generative AI to make attacks more convincing.

The SMS messages received look genuine and innocent. They look like they could come from a real organization like Amazon, PayPal, delivery services, and more. Psychological manipulation is commonplace. These cybercriminals use social engineering to prey on people’s emotions. 

As useful concepts like preview dialling are introduced, cybercriminals soon latch on and use them for malicious intent. To make their smishing attempts more believable and successful, they learn about their potential victims.

How to defend against smishing

The threat of smishing is going nowhere. And phone users need to be proactive to remain one step ahead of hackers. The many ways that smishing tricks people make it hard to know what will happen next. 

One hopeful defence is the role of technology. By using the power of artificial intelligence, we can better detect and prevent smishing attacks. Organizations can use AI to make mobile apps and messaging platforms smarter and more secure. AI can also analyze and identify suspicious patterns and behaviours to keep users safe. 

Technology alone isn’t enough, however. Both organizations and individuals need to stay up to date on the latest scams. Awareness and education on smishing remain key to fighting this evolving and pervasive threat. 

10 Facts about Smishing

Without further ado, here are ten important facts you need to know about smishing if you want to defend yourself against this emerging threat. 

Smishing is relatively unknown as a concept

With awareness being so limited, it’s no surprise that people don’t know how to differentiate between legitimate messages and smishing attempts. Although knowledge is growing year on year, it’s still a surprise that only 23% of baby boomers knew about it in 2020. Don’t blame age, though–only one-third of millennials knew about it. 

To recognize smishing attempts, individuals need to know about the red flags. These include:

  • Urgent requests - a sense of urgency makes people act without thinking things over. 
  • Generic greetings - they’ll address you as ‘dear customer’ rather than by your name. 
  • Poor use of language - if you see misspellings or grammatical errors, be wary.
  • Requests for personal information - legitimate organizations don’t ask for this via text message.
  • Unfamiliar links - links within text messages might not be genuine. 
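
The red flags above can be expressed as a simple rule-based check. The following Python is an added example, not part of the original article; the phrase lists, the `trusted_domains` parameter and the sample messages are constructed for illustration.

```python
import re

# Phrase lists are constructed for illustration; a real filter would tune them.
URGENCY = re.compile(r"\b(?:urgent|immediately|final notice|suspended|act now)\b", re.I)
GENERIC = re.compile(r"\bdear (?:customer|user|client|member)\b", re.I)
PERSONAL = re.compile(
    r"\b(?:password|pin|ssn|social security|card number|account details"
    r"|verify your (?:identity|account))\b", re.I)
# Rough proxy for "poor use of language": digits swapped into a word (acc0unt).
GARBLED = re.compile(r"\b[a-z]+\d+[a-z]+\b", re.I)
URL = re.compile(r"(?:https?://|www\.)([^\s/]+)\S*", re.I)

def unfamiliar_hosts(text, trusted_domains=()):
    """Hosts linked in the message that are not a trusted domain or its subdomain."""
    hosts = []
    for host in URL.findall(text):
        host = host.lower().rstrip(".,;:!?)")
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            hosts.append(host)
    return hosts

def red_flags(text, trusted_domains=()):
    """Return the red flags from the list above that the message shows, in list order."""
    body = URL.sub(" ", text)  # judge wording separately from link text
    checks = [
        ("urgent request", URGENCY.search(body)),
        ("generic greeting", GENERIC.search(body)),
        ("poor use of language", GARBLED.search(body)),
        ("request for personal information", PERSONAL.search(body)),
        ("unfamiliar link", unfamiliar_hosts(text, trusted_domains)),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample messages (.example hosts are reserved for documentation).
SAMPLES = [
    "Dear customer, your parcel is on hold. Confirm your card number "
    "immediately at http://parcel-redelivery.example/track",
    "Your acc0unt is suspended. Verify your identity: https://bit.ly/x1",
    "Hi Sam, your order has shipped. Track it at https://www.shop.example/orders/123",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(red_flags(sms, trusted_domains=("shop.example",)), "<-", sms)
```

Keyword rules like these miss well-written messages, so an empty result does not prove a message is genuine.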

Smishing can be costly 

Smishing has the potential to cause large financial losses should people fall victim. With the clever techniques used, victims are encouraged to divulge information like their social security numbers or their account credentials. Attackers then use this data to gain unauthorized access to IT networks and systems, steal identities, and commit data breaches.

Financial losses can also occur without individuals giving away information. These malicious messages can deliver malware to phones and, therefore, to any network that connects to them. This can cause substantial losses for big companies as well as individuals. Besides financial losses, smishing can lead to stolen identities and data breaches. According to research, 90% of data breaches use social engineering components like those seen in smishing attacks. In the next two years, the global cyber insurance market is projected to reach 22 billion USD. This shows how important IT security risk management is.

Smishing is on the rise

Though it was relatively unknown in its early years, statistics show that smishing is more prevalent than ever. The term itself was introduced in 2006 off the back of phishing, but it hasn’t yet become a part of the general lexicon outside IT circles. 

Statistics on smishing are alarming. In the 3rd quarter of 2020, Proofpoint reported a staggering 328% increase from Q2. This figure highlights the need for greater awareness–and preventative action alongside it. Sadly, when new technologies, like contact center technologies, are adopted, cybercriminals also take advantage of them. 

COVID-19 worsened smishing

The COVID-19 pandemic had consequences beyond the obvious threats to public health. As governments grappled with uncertainty, new rules, and lockdowns, they began to relay key information via SMS. Contact tracing, vaccinations, and lockdown information began arriving via text messages. Never before had government leaders communicated with the population in this way. This shift in communication created a wave of smishing.

During the pandemic, people were more vulnerable to smishing due to increased anxiety, urgency, and new practices. For instance, the Wireless Emergency Alerts (WEA) system was set up to send important emergency alerts to cell phones. State and local governments and public health agencies also got in on the action and sent text messages with updates and guidance. Though these communications were part of broader efforts, they paved the way for fraudsters to reach vulnerable people. This led to numerous data breaches. 

Fake 2FA messages are common

Fraudsters are taking advantage of two-factor authentication messages as more people secure their online accounts in this way. This widely adopted security measure means users need to provide extra verification alongside their passwords. 

Though 2FA has been around as a concept for some time, it only began to be adopted widely in the 2010s. Methods like time-based One-Time Passwords (OTP), and facial and fingerprint recognition are now common. Cybercriminals use smishing to trick people into giving away sensitive data by sending fake 2FA messages. Essentially, these exploit our natural tendency to trust security-related requests, and so we respond promptly without question. 

Hackers will use fake, local numbers

A cunning tactic among hackers is to use fake local numbers. When a number seems to be from your local area, it creates a sense of authenticity. People are more likely to respond to things that are familiar to them. This psychological ploy makes people less suspicious as they are more likely to trust a local source. 

Once again, hackers use legitimate tools like VoIP telephone systems for fraudulent gain. The ease of setting up virtual numbers with VoIP technology has made it simpler for smishers to deceive recipients. Unfortunately, we can’t prevent great technology from being exploited in this way.

Smishing is the most common type of phishing for mobile users

Smishing is the most common way for mobile users to be ‘phished.’ In 2022, more than 30% of users were exposed to attacks every quarter, according to the Global State of Mobile Phishing Report. It was the highest rate ever recorded. After email, this is now one of the most common phishing techniques.

The current threat landscape is indicative of our increasing reliance on mobile technology. Cybercriminals are simply exploiting this trend. As technology continues to advance, users must be vigilant. Understanding the risks and the latest security developments is crucial. Businesses should try to introduce robust cybersecurity programs where they can.

Don’t presume secure apps are protected 

Many phone users prefer messaging apps like WhatsApp, Facebook Messenger, and Signal to stay in touch. But just because these apps utilize forward-thinking features like AI in UX design doesn’t mean they are invulnerable. Anyone can use them, including hackers. 

Any software could be a victim of malware. More and more businesses are working remotely and using technology like remote desktop iPad use, for example. This allows users to access their networks wherever they are. However, this convenience brings about headaches too. Hackers can use remote desktop apps and mobile devices to access screens and control them. This creates a pathway for smishing attacks to infiltrate a supposedly secure environment.

Smishing can be reported 

An important fact to finish with is that anyone can report smishing attempts. All U.S. mobile carriers have come together in the fight against fraud. Anyone who receives a suspicious message can forward it to SPAM or 7726 to report it. When you do this, you get a message back asking you to provide the number that carried out the smishing attempt.

It’s also possible to report messages to Google and Apple from your phone. As the sender won’t be in your contacts, the ‘report junk’ option will be visible underneath the message. You can tap this to report it.

Tax and fake delivery notifications are the most common types of smishing

Two of the most widespread types of smishing attacks include messages about taxes and delivery notifications. It’s easy to understand why. A text message alerting you to some tax-related issue is likely to get your attention and prompt quick action from you. 

Similarly, if you are used to shopping online often and are currently expecting a parcel to reach your address, receiving a delivery notification wouldn’t seem that suspicious at first glance. However, you can easily spot signs of smishing by checking your messages a bit more closely. More often than not, you’ll be able to identify parts of the text that are either incorrect or that sound downright “scammy”.