A combination of SMS–short messaging service, or texting–and phishing, smishing refers to text messages sent by attackers to gain personal and sensitive information. Like spear phishing, smishing attacks rely on tricking users into clicking a link to provide sensitive information, like login credentials which can be used to access target systems, or even deposit malware.
Learn about our 10 requirements for endpoint protection.
This method of attacking has recently become more popular due to the ease of gathering phone numbers, the prevalence of smartphones, and the inferred trust of a text message over a traditional email. While emails can contain any number of letters or special characters, phone numbers around the globe follow specific patterns, such as the three-four-three 10-digit pattern in the U.S., and attackers can try different combinations or send out blasts to a specific range. Additionally, phone numbers are often associated with social media, making them easier to find while also providing attackers a repository of information to make smishing attempts more personalized.
Scammers are also succeeding due to the relationship between a user and their phone. Whether they’re on the go or distracted with something else, users are more likely to trust their smartphones or skim a message rather than reading it carefully. To best protect against smishing – and phishing scams in general – it’s important for users to scrutinize phone numbers, read messages carefully, and never click on an unfamiliar link.
Unfortunately, there is no shortage of phishing attacks on any device. Whether cybercriminals are hunting for credit cards, login credentials, or any other bits of sensitive information, SMS phishing attempts are threats that mobile users need to be prepared for.
A common smishing attack involves banking services. Posing as a legitimate financial institution, these text messages can appear to be time sensitive to encourage victims to log in without thinking critically.
Figure 1: Sample text message alerting victim of account compromise, encouraging them to sign in with link provided
The best way to react to these types of messages is to bypass the link and go directly to the bank itself. Go to the bank’s website, log in to their app or even call a local branch to verify if there are any issues with a bank account.
Another example of smishing attacks takes advantage of multifactor authentication (MFA). Attackers will send credential text messages to users, encouraging them to sign in. Hackers build these pages to look like the authentic credential sites that users are familiar with.
Figure 2: Sample text message encouraging a victim to sign in at the provided link so they can verify their identity.
With attacks like these, users have to think carefully. Have they signed in to something recently? Is this the normal way for them to verify their identity? As with banking institutions, it’s best to go directly to the source and verify. It’s important to note that while some attackers are taking advantage of MFA, the added security of MFA is still an incredibly important defense against cybercrime.
Figure 3 is a realistic example based on a smishing message that one of our employees received.
Figure 3: Screenshot of a smishing attempt with the strange number and incorrect link highlighted
As mentioned earlier, one of the best techniques to avoid being smished is being critical with the text messages you receive. Never click on a link you’re unfamiliar with and don’t feel obligated to respond to a strange text from a number you don’t recognize. If you receive a smishing text in the U.S., you can report it to reportfraud.ftc.gov.
For security professionals, it is important to implement user education. Training and testing your company on how to identify phishing and smishing will greatly reduce the likelihood of a successful phish attempt.
Taking it a step further, another important piece of this puzzle is the organization-wide adoption of a Zero Trust stance. It’s important to monitor your environment with the understanding that nothing should be implicitly trusted – anything in your network can be used against you. Products like endpoint detection and response (EDR) provide broad visibility and machine learning (ML)-based detection for real-time threat analysis. An EDR product can be paired with a security orchestration, automation, and response (SOAR) platform for automation-based threat response.
Learn more about how endpoint and network security work together.
Sign up for a Cortex demo to see how XDR and XSOAR can improve your security posture.