Top 10 Facts about Smishing and How to Defend Against it

With awareness being so limited, it’s no surprise that people don’t know how to differentiate between legitimate messages and smishing attempts. Although knowledge is growing year on year, it’s still a surprise that only 23% of baby boomers knew about it in 2020. Don’t blame age, though–only one-third of millennials knew about it. 

To recognize smishing attempts, individuals need to know about the red flags. These include:

• Urgent requests - a sense of urgency makes people act without thinking things over. 
• Generic greetings - they’ll address you as ‘dear customer’ rather than by your name. 
• Poor use of language - if you see misspellings or grammatical errors, be wary.
• Requests for personal information - legitimate organizations don’t ask for this via text message.
• Unfamiliar links - links within text messages might not be genuine. 

Smishing has the potential to cause large financial losses should people fall victim. With the clever techniques used, victims are encouraged to divulge information like their social security numbers or their account credentials. They then use this data to gain unauthorized access to IT networks and systems, steal identities, and commit data breaches. 

Financial losses can also occur without individuals giving away information. These malicious messages can deliver malware to phones and, therefore, any network that connects to it. This can cause substantial losses for big companies as well as individuals. Besides financial losses, smishing can lead to stolen identities and data breaches. According to research, 90% of data breaches use social engineering components like those seen in smishing attacks. In the next two years, the global cyber insurance market is projected to reach 22 billion USD. This shows how important IT security risk management is.

Though it was relatively unknown in its early years, statistics show that smishing is more prevalent than ever. The term itself was introduced in 2006 off the back of phishing, but it hasn’t yet become a part of the general lexicon outside IT circles. 

Statistics on smishing are alarming. In the 3rd quarter of 2020, Proofpoint reported a staggering 328% increase from Q2. This figure highlights the need for greater awareness–and preventative action alongside it. Sadly, when new technologies, like contact center technologies, are adopted, cybercriminals also take advantage of them. 

The COVID-19 pandemic had consequences beyond the obvious threats to public health. As governments grappled with uncertainty, new rules, and lockdowns, they began to relay key information via SMS. Contact tracing, vaccinations, and lockdown information began arriving via text messages. Never before had government leaders communicated with the population in this way. This shift in communication created a wave of smishing.

During the pandemic, people were more vulnerable to smishing due to increased anxiety, urgency, and new practices. For instance, the Wireless Emergency Alerts (WEA) system was set up to send important emergency alerts to cell phones. State and local governments and public health agencies also got in on the action and sent text messages with updates and guidance. Though these communications were part of broader efforts, they paved the way for fraudsters to reach vulnerable people. This led to numerous data breaches. 

Fraudsters are taking advantage of two-factor authentication messages as more people secure their online accounts in this way. This widely adopted security measure means users need to provide extra verification alongside their passwords. 

Though 2FA has been around as a concept for some time, it only began to be adopted widely in the 2010s. Methods like time-based One-Time Passwords (OTP), and facial and fingerprint recognition are now common. Cybercriminals use smishing to trick people into giving away sensitive data by sending fake 2FA messages. Essentially, these exploit our natural tendency to trust security-related requests, and so we respond promptly without question. 

A cunning tactic among hackers is to use fake local numbers. When a number seems to be from your local area, it creates a sense of authenticity. People are more likely to respond to things that are familiar to them. This psychological ploy makes people less suspicious as they are more likely to trust a local source. 

Once again, hackers use legitimate tools like VoIP telephone systems for fraudulent gain. The ease of setting up virtual numbers with VoIP technology has made it simpler for smishers to deceive recipients. Unfortunately, we can’t prevent great technology from being exploited in this way.

Smishing is the most common way for mobile users to be ‘phished.’ In 2022, more than 30% of users were exposed to attacks every quarter, according to the Global State of Mobile Phishing Report. It was the highest rate ever recorded. After email, this is now one of the most common phishing techniques.

The current threat landscape is indicative of our increasing reliance on mobile technology. Cybercriminals are simply exploiting this trend. As technology continues to advance, users must be vigilant. Understanding the risks and the latest security developments is crucial. Businesses should try to introduce robust cybersecurity programs where they can.

Many phone users prefer messaging apps like WhatsApp, Facebook Messenger, and Signal to stay in touch. But just because these apps utilize forward-thinking features like AI in UX design doesn’t mean they are invulnerable. Anyone can use them, including hackers. 

Any software could be a victim of malware. More and more businesses are working remotely and using technology like remote desktop iPad use, for example. This allows users to access their networks wherever they are. However, this convenience brings about headaches too. Hackers can use remote desktop apps and mobile devices to access screens and control them. This creates a pathway for smishing attacks to infiltrate a supposedly secure environment.

An important fact to finish with is that anyone can report smishing attempts. All mobile U.S. mobile carriers have come together in the fight against fraud. Anyone who receives a suspicious message can forward it to SPAM or 7726 to report it. When you do this, you get a message back asking you to provide the number that carried out the smishing attempt.

It’s also possible to report messages to Google and Apple from your phone As the sender won’t be in your contacts, the ‘report junk’ option will be visible underneath the message. You can tap this to report it.

Two of the most widespread types of smishing attacks include messages about taxes and delivery notifications. It’s easy to understand why. A text message alerting you to some tax-related issue is likely to get your attention and prompt quick action from you. 

Similarly, if you are used to shopping online often and are currently expecting a parcel to reach your address, receiving a delivery notification wouldn’t seem that suspicious at first glance. However, you can easily spot signs of smishing by checking your messages a bit more closely. More often than not, you’ll be able to identify parts of the text that are either incorrect or that sound downright “scammy”.