Smishing is a form of phishing in which an attacker uses a compelling text message to trick targeted recipients into clicking a link and sending the attacker private information or downloading malicious programs to a smartphone. Show
Most of the 3.5 billion smartphones in the world can receive text messages from any number in the world. Many users are already aware of the dangers of clicking a link in email messages. Fewer people are aware of the dangers of clicking links in text messages. Users are much more trusting of text messages, so smishing is often lucrative to attackers phishing for credentials, banking information and private data. How Smishing WorksMost smishing attacks work like email phishing. The attacker sends a message enticing the user to click a link or asks for a reply that contains the targeted user’s private data. The information an attacker wants can be anything, including:
Smishers use a variety of ways to trick users into sending private information. They may use basic information about the target (such as name and address) from public online tools to fool the target into thinking the message is coming from a trusted source. The smisher may use your name and location to address you directly. These details make the message more compelling. The message then displays a link pointing to an attacker-controlled server. The link may lead to a credential phishing site or malware designed to compromise the phone itself. The malware can then be used to snoop the user’s smartphone data or send sensitive data silently to an attacker-controlled server. Social engineering is used in combination with smishing. The attacker might call the user asking for private information before sending a text message. The private information can then be used in the smisher’s text message attack. Several telecoms have tried to fight social engineering calls by displaying “Spam Risk” on a smartphone when a known scam number calls the user. Malware is often stopped by basic Android and iOS security features. But even with robust security controls on mobile operating systems, no security controls can combat users who willingly send their data to an unknown number. An Example of a Smishing AttackMany attackers use automation to send several users their text messages using an email address to avoid detection. The phone number listed in caller ID is usually a number that points to an online VoIP service such as Google Voice, where you can’t look up the number’s location. The following image displays a sample smishing attack. Here, the attacker poses as the IRS and threatens the recipient with arrest and financial ruin unless they call the number in the text. If the recipient calls, they get scammed into sending money.
A more common smishing attack uses brand names with links purported to be to the brand’s site. Usually, an attacker will tell the user that they’ve won money or provide a malicious link purported to be for tracking packages, as in the following example.
The language in the above message should be a warning sign for users familiar with the way smishing works. But many users trust SMS messages and aren’t thrown off by informal language. Another warning sign is the URL: it does not point to an official FedEx URL. But not all users are familiar with official brand URLs and may ignore it. Attackers use this type of message because someone is always waiting on a FedEx package. If the message is sent to thousands of recipients, it can trick many of them. The link typically points to a site hosting malware or prompts the user to log in to their account. The authentication page is not on the official FedEx site, but it’s more difficult to see the full URL on a smartphone browser, and many users won’t bother checking. Smishing attackers use a messages that a user might be expecting. Other lure victims with promises of prize money if they enter private information. The following image is another smishing attack using Amazon’s brand name:
Again, the language in the above attack should make recipients suspicious, but users trust informal conversations in text. The link in this message points to a .info site unrelated to Amazon web properties. The domain has already been removed and no longer accessible. But chances are the link pointed to a page that attempts to collect private data, including credentials. The URL in these attacks usually redirects users to an attacker-controlled server where the phishing content displays. How to Protect from Smishing AttacksLike email phishing, protection from smishing depends on the targeted user’s ability to identify a smishing attack and ignore or report the message. If a phone number is often used in scams, the telecom might warn users who receive messages from a known scam number or drop the message altogether. Smishing messages are dangerous only if the targeted user acts on it by clicking the link or sending the attacker private data. Here are a few ways to detect smishing and to avoid becoming a victim:
Threat Report: Proofpoint State of Phish ReportDo you have a good sense of cybersecurity best practices and how to fight phishing attacks? Our 2020 State of the Phish report brings you critical insights. Read More Reduce phishing susceptibility with Proofpoint Phishing Awareness TrainingFind out how our Anti-Phishing Training Program can help you identify and reduce employee susceptibility to phishing and spear phishing in four steps. Read More Fighting Credential Phishing by Isolating and Protecting Your At-Risk UsersAs new pandemic themed phishing tactics arise, credential phishing remains one of the most common tactics used by threat actors. Learn how to defend against these attacks. Read More The Ponemon 2021 Cost of Phishing StudyThe financial effects of phishing attacks have soared as organizations shift to remote and hybrid work. Read the 2021 Ponemon Cost of Phishing Study to learn more. Read More Texting Scams: Five Ways to Avoid Smishing in 2021Mobile and email messaging volumes continues to increase globally, and in 2021 the amount of mobile messaging traffic in particular doesn’t show any signs of slowing down. Read More Mobile Phishing Increases More Than 300% as 2020 Chaos ContinuesCybercriminals are actively taking advantage of our new digital realities with an onslaught of mobile/text-message phishing (Smishing) attacks that claim to be from reputable companies. Read More What Is Vishing?Vishing uses fraudulent phone numbers and social engineering to trick users into sharing sensitive info. Learn about vishing attacks and how to defend against them. Read More What Is Phishing?Learn what phishing is, the history, how it works, and more. Find out how Proofpoint can help protect your people and organization from phishing attacks. Which of the following should be included in an effective signature block in a business email?Your email signature is one of the main things people use to identify your emails, so knowing what to include in an email signature is important. Your email signature should include your full name, contact information, job information, any important links, legal requirements, a call to action, and your pronouns.
Which of the following is the best way to make a business phone call more personal?Which of the following is the best way to make a business phone call more personal? You should use your caller's name.
What tone and language conventions should you use and not use when texting in the workplace?Be aware of your tone.
Try to write in complete sentences to prevent sounding abrupt, and always read your message out loud to make sure it doesn't sound too harsh. "Avoid negative words such as 'failure,' 'wrong,' or 'neglected,' " Pachter writes.
Which statements are true of the demands placed upon the recipient of a business email?Which statements are true of the demands placed upon the recipient of a business email? Emails add to the amount of work a recipient must do. Emails often disrupt other work tasks.
|
