SMS scams, also known as smishing, involve fraudulent attempts to deceive individuals through text messages. Scammers use various tactics, such as posing as legitimate entities, to trick recipients into disclosing personal information, clicking on malicious links, or making unauthorized payments. These text messages often impersonate legitimate sources, such as banks, government agencies, or reputable companies, to gain the recipient's trust.  Many of the characteristics of phishing attacks will appear in smishing attacks. Smishing attacks can take various forms and may involve multiple tactics, including:
young black woman looking at her phone

  • Spoofing: Attackers forge the sender's phone number to make it appear that the message comes from a trusted source.  Scammers may choose country and area codes that appear familiar or less likely to raise suspicion among the recipients. This could include numbers associated with well-known businesses or services.
  • Deceptive Content: Smishing messages typically contain urgent or enticing content to provoke an immediate response. This may include fake invoices, security alerts, or offers.
  • Malicious Links: Smishers include links that lead to fake websites that mimic legitimate ones. These sites capture login credentials or install malware on the victim's device.
  • Attachments: Some smishing messages contain malicious attachments, such as infected documents or executable files, which can compromise the recipient's system.
  • Unsolicited Messages: Unexpected text messages from unknown numbers or entities may be a sign of a smishing attempt.
  • Urgent Language: Messages that create a sense of urgency, pressure you to act quickly, or threaten consequences for not complying are common.
  • Unusual Requests: Requests for sensitive information, such as passwords or financial details, via text messages should raise suspicion.
  • Check the Sender's phone number: Examine the sender's phone number carefully. 
  • Inspect the Message Content: Be cautious of urgent or threatening language. Verify the message's legitimacy by contacting the supposed sender through official and separate channels. Look for misspelled domain names or suspicious variations.
  • Check for Generic Greetings: Smishing messages often use generic greetings like "Dear User" instead of your name.
  • Beware of Attachments: Don't open attachments from unknown or unverified sources. Confirm the legitimacy of the sender before opening any files.
  • Verify the Sender: Double-check the sender's information and be cautious of unsolicited messages, especially if they ask for personal or financial details.
  • Do Not Click on Links: Avoid clicking on links or downloading attachments from unknown or suspicious messages.
  • Use Security Software: Install reputable security software on your mobile device to detect and prevent smishing attempts.
  • Enable Two-Factor Authentication: Enable two-factor authentication for your accounts to add an extra layer of security.
  • Education and Training: Provide cybersecurity awareness training to recognize smishing attempts.
  • Verify Requests: Independently verify any unusual requests for sensitive information or funds transfers, especially if received via SMS.
  • Use Strong, Unique Passwords: Encourage unique passwords for all online accounts and consider using a password manager. See  Cyber Crime Prevention for more information.
  • Enable Multi-Factor Authentication (MFA): Implement MFA wherever possible to add an extra layer of security.
  • Keep Software Updated: Regularly update operating systems, browsers, and antivirus software to patch known vulnerabilities.
  • Scrub Phone Numbers on the Web: Remove your phone numbers from websites because attackers will harvest them and use the website context to craft tempting smishing lures.
  • Do Not Respond: If you receive a suspicious message, do not respond or provide personal information.
  • Delete the Message: Delete the smishing message to prevent accidental interaction with malicious content.
  • Change Credentials: Immediately change passwords for compromised accounts and enable MFA if available.
  • Report the Attack: Forward suspicious texts to 7726 (SPAM) to alert your carrier. Report the smishing incident to your mobile carrier, your organization's IT or security team (if the device is theirs), and  the proper authorities

References:

  1. Better Business Bureau (BBB). (2023). Smishing Alerts. https://www.bbb.org/us/news?search=smishing
  2. Consumer Reports. (2023). Smishing: A Silly Word for a Serious Fraud Risk. Retrieved from https://www.consumerreports.org/money/scams-fraud/smishing-a-silly-word-for-a-serious-fraud-risk-a8541743941/.
  3. Cybersecurity & Infrastructure Security Agency (CISA). (2021). Avoiding Social Engineering and Phishing Attacks. Retrieved from https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks.
  4. Cybersecurity & Infrastructure Security Agency (CISA). (2011). Cyber Threats to Mobile Phones Retrieved from https://www.cisa.gov/sites/default/files/publications/cyber_threats_to_mobile_phones.pdf.
  5. Federal Trade Commission (FTC). (2022). How to Recognize and Report Spam Text Messages. Retrieved from https://www.consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages.
  6. Ogino, K. (2024, March 7). New Python-Based Snake Info Stealer Spreading Through Facebook Messages. The Hacker News. Retrieved from https://thehackernews.com/2024/03/new-python-based-snake-info-stealer.html