What is smishing and how to protect against it

Smishing is a blend of two words: "SMS" (short message service, better known as texting) and "phishing." When cybercriminals "phish," they send fraudulent emails in an attempt to trick the recipient into opening an attachment that contains malware or clicking on a malicious link. Smishing simply uses text messages instead of email.


How common are smishing attacks?

Reports of smishing in the UK rose nearly 700% in the first half of 2021, according to a study by Proofpoint. The most common type of smishing involves parcel and package delivery scams, which made up to 67.4% of all smishing attempts last year. Other frequently encountered smishing attempts include:
  1. Urgent notifications regarding credit card payment
  2. Act-now coupons with special discounts
  3. Request for survey/feedback from customer support
  4. Unusual account activity alerts
  5. Unknown service charges
  6. Flash sales and giveaways
  7. Instant student loans

Why are smishing attacks effective?

When people are on their phones, they are less wary. We often use our smartphones when we're on the go and it's precisely then that we're more likely to act on a request, seemingly from our bank, or redeem a discount voucher. In addition, many assume that their smartphones are more secure than their computers. But smartphone security has limitations, and cannot directly protect against smishing.

How to avoid falling for a smishing scam?

The average SMS open rate is 98% compared to just 20% for emails, according to Gartner, making smishing scams extremely potent and persuasive. Here are a few tips to prevent smishing:

1. Do not click on links sent via text message. Never click a reply link or phone number in a message you're not sure about. Navigate to the website manually instead of clicking on the link to avoid being scammed.
Also, remember that no financial institution will ask you to update your information via text. If you get a message that seems to be from your bank and it asks you to click on something in the message, it's a fraud.

2. Look for misspelled words. Check for tell-tale signs of smishing such as poorly crafted sentences, improper grammar, and misspelled words.

3. Verify the number before initiating contact. Smishing messages typically come from random or strangely formatted numbers. To determine whether a message that appears to be from an organization is legitimate, call the contact number displayed on that organization's website.

4. Consider your digital footprint. Publicly available information can help criminals improve the credibility of their phishing messages. Review your privacy settings on social media to ensure hackers cannot retrieve your mobile number.
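
The tips above can be turned into a simple triage check for a help desk or an SMS gateway. The following is an added example, not code from the original article: it scores a text against the lure types listed earlier, the "bank plus link" rule, and the sender format. The keyword lists, the sender pattern and the sample messages are assumptions constructed for illustration, and legitimate alphanumeric sender IDs will also be flagged for verification.

```python
import re

# Lure categories taken from the article's list; the keyword sets are assumptions.
LURES = {
    "parcel delivery": ("parcel", "package", "delivery", "redelivery"),
    "payment or charge": ("credit card", "payment", "charge", "loan"),
    "account alert": ("unusual activity", "account", "suspended", "verify"),
    "offer or giveaway": ("coupon", "discount", "flash sale", "giveaway", "survey"),
}
URGENCY = ("urgent", "act now", "immediately", "within 24 hours", "final notice")
BANK_WORDS = ("bank", "card", "account")
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S*", re.I)
# Assumed "normal" sender shapes: E.164-style numbers or 5-6 digit short codes.
SENDER_OK_RE = re.compile(r"^(?:\+?\d{10,15}|\d{5,6})$")


def triage_sms(sender: str, body: str) -> list[str]:
    """Return the reasons a text deserves manual verification (empty = none found)."""
    text = body.lower()
    reasons = []
    has_link = bool(URL_RE.search(body))
    if has_link:
        reasons.append("contains a link: navigate to the site manually instead")
    for category, words in LURES.items():
        if any(w in text for w in words):
            reasons.append(f"matches common lure: {category}")
    if any(w in text for w in URGENCY):
        reasons.append("pressures the reader to act quickly")
    if has_link and any(w in text for w in BANK_WORDS):
        reasons.append("financial message asking for a click: treat as fraud")
    if not SENDER_OK_RE.match(sender.replace(" ", "")):
        reasons.append("sender is not a plain phone number or short code")
    return reasons


# Constructed sample messages (not real traffic); example.test is a reserved name.
SAMPLES = [
    ("+447700900123", "Your parcel is held. Pay the redelivery fee at http://example.test/pay"),
    ("INFO-4491x", "URGENT: unusual activity on your bank account, verify at www.example.test/login"),
    ("+447700900456", "Running ten minutes late, see you at the station"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage_sms(sender, body))
```

An empty result only means none of these heuristics fired; spelling and grammar checks from tip 2 are not covered here.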