It's important to be vigilant and cautious when receiving text messages from unknown or unexpected sources.
Phishing is undoubtedly one of the most popular ways for cybercriminals to start a malicious attack, whether they're looking to steal someone’s identity or distribute malware. Since the emergence of phishing, this attack vector has only been growing — and it doesn’t look like it's going away any time soon.
The Anti-Phishing Working Group (of which Avast is a member) is a non-profit organization that has been helping in the fight against phishing since 2003. In its latest quarterly report, the group observed 877,536 phishing attacks.
Today, I’d like to talk about a kind of phishing that isn’t as frequently mentioned, even though it has gained a lot of popularity among cybercriminals in the last few years: smishing.
Smishing, or phishing via SMS, is a popular tactic among cybercriminals because it takes advantage of the widespread use of text messaging. It also takes advantage of the sense of trust that people have in text messages coming from trusted sources, such as banks or government agencies. Furthermore, SMS have a higher open rate compared to emails, making it more likely that the victims will see and respond to the smishing message.
How does smishing work?
The tactics used in these messages are similar to email scams. Text messages often create a sense of urgency and strive to be perceived as time sensitive, which can increase the likelihood of a victim taking immediate action without thinking twice. When paired with their high open rates (some marketing studies put SMS open rates as high as 98%), it clearly explains why this attack vector is attractive for bad actors.
Another advantage for cybercriminals is that most spam filters have been created to detect and block phishing emails, not text messages. An additional benefit for cybercriminals is that SMS are opened on mobile devices, which—although they’re often considered safer by users—the number of mobile devices protected by antivirus software is much lower than that of personal computers (on which people are more aware of the risks that come along with not being protected).
The most common topics used in smishing attacks
Reading through real-life examples of cyberattacks is ultimately the best way to begin recognizing smishing messages. Here are a few of the most common smishing attacks; however, never underestimate the lengths to which cybercriminals will go.
- Financial alerts: Smishers will typically send text messages pretending to be a bank or financial institution, claiming that there has been suspicious activity on the victim's account and urging them to click on a link to resolve the issue.
- Package delivery notifications: Attackers may also send fake delivery notifications claiming that a package could not be delivered and asking the recipient to click on a link to track the package.
- Tax alerts: There are also smishing messages claiming to be from a government tax agency, such as the IRS or other tax agencies, asking the recipient to click on a link to resolve some situation.
- Charity scams: Smishers claim to be from a charity or non-profit organization, asking victims for a donation and providing a link to make a contribution.
- Lottery scams: These messages announce that the recipient has won a competition or lottery and ask them to click on a link to claim their prize.
How to protect yourself against smishing attacks
Here’s how to dodge those shady messages and keep your personal information safe:
1. Don’t trust, just verify
If you get a text from your bank or a well-known company, don’t take it at face value. Look up the company’s official contact number and call them directly instead of clicking any links in the message.
2. Watch for red flags in messages
Suspicious texts often come with:
- Grammar and spelling errors.
- A sense of urgency: “Your account will be locked in 24 hours!”
- Shortened URLs (like bit.ly links). Legit companies usually send full URLs or links you can trust.
3. Avoid clicking links
Even if the message looks legit, it’s best to avoid any links. Some links can lead to fake sites designed to steal your data or install malware on your device.
4. Don’t reply
Responding confirms to the scammer that your number is active. They may start sending even more phishing messages (or worse, share your number with other scammers). Just delete it.
5. Set up two-factor authentication
Enable 2FA on your bank accounts, email, and social media. That way, even if a smisher gets your password, they’d still need the additional authentication code to get into your account.
6. Use security software
Security apps can detect and block phishing attacks. A robust anti-malware app can help protect you from malicious links and apps that try to access your personal info.
7. Report smishing attempts
Reporting these messages helps others from falling for the same tricks. You can report suspicious texts to your phone carrier or forward them to the FTC at 7726 (SPAM) in the U.S.
Don't fall for the hook
It's important for individuals to be vigilant and cautious when receiving text messages from unknown or unexpected sources, especially if they contain links or request sensitive information. Never click on links or provide personal information in response to a text message that you receive without verifying the identity of the sender first. It's also critical to have protection installed on your phone, so even if you click on a malicious link, you can remain protected.
