Smishing: The elephant in the room

Luis Corrons 10 Feb 2023

It's important to be vigilant and cautious when receiving text messages from unknown or unexpected sources.

Phishing is undoubtedly one of the most popular ways for cybercriminals to start a malicious attack, whether they're looking to steal someone’s identity or distribute malware. Since the emergence of phishing, this attack vector has only been growing and it doesn’t look like it's going away any time soon. 

The Anti-Phishing Working Group (of which Avast is a member) is a non-profit organization that has been helping in the fight against phishing since 2003. In its latest quarterly report, the group affirmed that it has been “the worst quarter for phishing that APWG has ever observed”. 

Today, I’d like to talk about a kind of phishing that isn’t as frequently mentioned, despite the fact that it has gained a lot of popularity among cybercriminals in the last few years: Smishing. 

Smishing, or phishing via SMS, is a popular tactic among cybercriminals because it takes advantage of the widespread use of text messaging as well as the sense of trust that people have in text messages coming from trusted sources, such as banks or government agencies. Furthermore, SMS messages have a higher open rate than emails, making it more likely that victims will see and respond to the smishing message. 

How does smishing work?

The tactics used in these messages are similar to email scams. Text messages often create a sense of urgency and strive to be perceived as time sensitive, which can increase the likelihood of a victim taking immediate action without thinking twice. Paired with the high open rates of SMS (some marketing studies put them as high as 98%), this explains why the attack vector is attractive to bad actors.

Another advantage for cybercriminals is that most spam filters have been created to detect and block phishing emails, not text messages. An additional benefit for cybercriminals is that SMS messages are opened on mobile devices. Although users often consider these devices safer, far fewer of them are protected by antivirus software than personal computers (on which people are more aware of the risks that come with not being protected).

The most common topics used in smishing attacks

Reading through real-life examples of cyberattacks is ultimately the best way to begin recognizing smishing messages. Here are a few of the most common smishing attacks; however, never underestimate the lengths to which cybercriminals will go. 

  • Financial alerts: Smishers will often send text messages pretending to be a bank or financial institution, claiming that there has been suspicious activity on the victim's account and urging them to click on a link to resolve the issue. 

  • Package delivery notifications: Attackers may also send fake delivery notifications claiming that a package could not be delivered and asking the recipient to click on a link to track the package.

  • Tax alerts: There are also smishing messages claiming to be from a government tax agency, such as the IRS or other tax agencies, asking the recipient to click on a link to resolve some situation.

  • Charity scams: Smishers claim to be from a charity or non-profit organization, asking victims for a donation and providing a link to make a contribution.

  • Lottery scams: These messages announce that the recipient has won a competition or lottery and ask them to click on a link to claim their prize.

It's important for individuals to be vigilant and cautious when receiving text messages from unknown or unexpected sources, especially if they contain links or request sensitive information. Never click on links or provide personal information in response to a text message that you receive without verifying the identity of the sender first. It's also critical to have protection installed on your phone, so even if you click on a malicious link, you can remain protected.
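The lure topics listed above, together with the urgency, link and information-request cues this article describes, can be turned into a simple triage check for reported text messages. This is an added example, not code from the article or from any product; the keyword lists, the scoring and the sample messages are constructed assumptions.

```python
import re

# Keyword lists are illustrative assumptions keyed to the article's five lure topics.
LURES = {
    "financial alert": ["bank", "account", "suspicious activity", "card"],
    "package delivery": ["package", "parcel", "delivery", "delivered"],
    "tax alert": ["tax", "irs", "refund"],
    "charity": ["charity", "donation", "donate"],
    "lottery": ["lottery", "prize", "won", "winner"],
}
URGENCY = ["urgent", "immediately", "now", "today", "expires", "final notice"]
REQUESTS = ["password", "pin", "verify your", "confirm your", "card number"]
# Matches http(s)/www links and bare "domain.tld/path" links common in SMS.
URL_RE = re.compile(
    r"(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}/\S*", re.I)

def _hits(text, phrases):
    # Whole-word match so "won" does not fire on "wonder".
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]

def triage(message):
    """Score one SMS body; returns the cues found and a verdict."""
    text = message.lower()
    lures = [name for name, words in LURES.items() if _hits(text, words)]
    urgency = _hits(text, URGENCY)
    requests = _hits(text, REQUESTS)
    links = URL_RE.findall(message)
    # A link weighs double: every lure in the article asks the victim to click.
    score = 2 * bool(links) + bool(lures) + bool(urgency) + bool(requests)
    if links and score >= 3:
        verdict = "suspicious"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "low"
    return {"verdict": verdict, "score": score, "lures": lures,
            "urgency": urgency, "requests": requests, "links": links}

# Constructed sample messages (example.test is a reserved test domain).
SAMPLES = [
    "ALERT: suspicious activity on your bank account. "
    "Verify your details immediately at http://example.test/secure",
    "Your package could not be delivered. Track it here: example.test/track",
    "Congratulations! You won our lottery. Reply with your PIN to claim the prize today.",
    "Hi, running 10 minutes late, see you at the cafe.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        result = triage(sms)
        print(result["verdict"], result["score"], result["lures"], "|", sms[:40])
```

A keyword score like this only ranks messages for a person to check; the sender still has to be verified through a channel other than the message itself.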
