Smishing on the Rise
Smishing is a relatively new form of cyberattack that’s threatening millions of consumers and small businesses worldwide. Criminals like smishing because people tend to trust text messages more than email. One reason for this is that there’s now a high level of awareness around fraudulent and phishing emails. Research shows that the average SMS open rate is 98%, compared to just 20% for emails.
Mobile phones are also not typically what people think of as likely threat vectors; they’re such personal devices that the idea that a cybercriminal could drain your bank account from one is unthinkable. Those who fall prey to smishing attacks can have their identities stolen, bank accounts emptied, or end up with malware installed on their phone.
The word “smishing” comes from combining “SMS” with “phishing,” the practice of stealing personal or financial information through deceptive communications, primarily emails. Like phishing emails, smishing texts are social-engineering scams that rely on exploiting human trust rather than technical exploits to manipulate people into giving out sensitive data such as Social Security numbers, credit card numbers, and account passwords or providing access to a business’s computer system. They rely on persuading you that the sender is a familiar or trusted source and that urgent action is needed to secure a benefit, resolve a problem or avert a threat.
Smishing texts usually appear to come from a bank, a utility company, a government agency (such as the IRS), a delivery service, or some other seemingly credible source. For example, you may receive a text message that seems to be from your bank: “Dear customer, Bank of America needs you to verify your PIN immediately to confirm you’re the proper account holder. Some accounts have been breached. We urgently ask you to protect yourself by confirming your info here.”
How Does Smishing Work?
In a typical smishing scam, victims are instructed to perform a variety of self-damaging actions in the misguided belief they are getting something useful, such as activating a credit card, getting a prize or exclusive offer, or protecting themselves from some immediate threat (such as a warning they have been infected with malware).
These actions can include:
- Replying to the SMS with specific personal information
- Clicking a link that directs them to a credible-looking website to disclose personal details
- Wiring money into the criminal’s bank accounts
In other cases, even just clicking on a fraudulent link in one of these texts can install malware on the person’s phone designed to enable fraudsters to gain control over the device and compromise sensitive information.
Sometimes, attackers may use a multipronged approach – SMS coupled with a call or a text telling you to look out for an email. When the contact arrives through different channels simultaneously, people often believe that only a legitimate organization would have all their details.
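
The traits described above (a trusted-looking sender, urgency, a request for sensitive data or money, a link, a reply prompt) can be combined into a simple triage filter for incoming texts. The following Python is an added example, not code from the original article; the keyword lists, the `triage` function, the phone numbers and the example.test URLs are illustrative assumptions.

```python
import re

# Indicator patterns for the traits the article lists. The keyword lists are
# illustrative assumptions, not a vetted ruleset.
INDICATORS = {
    "urgency": r"\b(urgent(ly)?|immediately|right away|act now)\b",
    "threat_or_reward": r"\b(breach(ed)?|suspended|infected|prize|exclusive offer)\b",
    "sensitive_data": r"\b(pin|password|social security|ssn|card number|"
                      r"verify your|confirm(ing)? your)\b",
    "trusted_brand": r"\b(bank|irs|utility|delivery|package|unemployment)\b",
    "payment": r"\b(wire|gift card)\b",
    "reply_bait": r"\b(reply|text)\s+(stop|yes)\b",
    "link": r"(https?://|www\.)\S+",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in INDICATORS.items()}


def triage(sender, body, known_senders=frozenset()):
    """Return (risk, hits) for one SMS; risk is 'high', 'medium' or 'low'."""
    hits = sorted(name for name, rx in COMPILED.items() if rx.search(body))
    if sender not in known_senders:
        hits.append("unrecognized_sender")
    asks = {"sensitive_data", "payment"} & set(hits)
    pressure = {"urgency", "threat_or_reward", "link"} & set(hits)
    if asks and pressure:        # wants secrets or money, and pushes you to act
        return "high", hits
    if len(hits) >= 2:           # several weaker signals together
        return "medium", hits
    return "low", hits


# Constructed samples: the first body is the article's example with a
# placeholder link appended; numbers and URLs are fictional.
KNOWN = frozenset({"+15555550123"})
SAMPLES = [
    ("+15555550101", "Dear customer, Bank of America needs you to verify your "
     "PIN immediately to confirm you're the proper account holder. Some "
     "accounts have been breached. We urgently ask you to protect yourself "
     "by confirming your info here: https://example.test/verify"),
    ("+15555550111", "Your unemployment benefits claim must be refiled at "
     "http://example.test/ui or reply STOP to opt out."),
    ("+15555550123", "Running late, see you at 6."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        risk, hits = triage(sender, body, KNOWN)
        print(f"{risk:6} {sender} {hits}")
```

A keyword filter like this only flags messages for a closer look; a "low" result does not mean a text is safe.
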
Smishing is on the Rise
According to the FBI Internet Crime Report, this new form of attack cost Americans more than $50m in 2020, and those costs are expected to rise significantly. Smishing texts now outnumber scam phone calls, according to call-blocking service Robokiller. The company’s 2021 mid-year report projects that Americans will have received 86 million scam texts — a 55% increase from 2020 — compared to 71 million crooked calls by the end of the year. Robokiller estimates that those smishing messages will cost consumers $101 million in 2021.
The coronavirus pandemic unleashed a raft of new phishing schemes, especially targeting unemployment insurance benefits and personal information. The Federal Trade Commission recently issued a warning about a smishing scheme targeting millions of smartphones nationwide to dupe users into clicking malicious links portrayed as forms for refiling or verifying unemployment benefits.
Criminals took advantage of Covid unemployment programs, costing American taxpayers tens of billions of dollars. Here in California, it’s estimated that more than $30 billion in fraudulent unemployment claims were paid out. Nationwide, the number is staggering at more than $200 billion. If you fell for a smishing unemployment scam and gave someone your sensitive information, you can visit https://identitytheft.gov/unemploymentinsurance to report that someone has misused your personal information to claim UI benefits.
How to Protect Yourself from Smishing Attacks
Detecting and preventing social engineering techniques such as smishing requires a unique approach. It’s far easier to block email phishing on corporate-owned PCs, but today’s remote workers now use their personal devices to access corporate apps and data. Since there’s just no easy way to verify the authenticity of URLs on smartphones, users often just click and hope for the best.
The best way to counter these attacks is to be more aware. While corporations such as banks and delivery services may send text messages occasionally, they rarely require customers to respond with personal information. Here are a few things you can do:
- Never click links, reply to text messages or call back when receiving messages from unrecognized numbers;
- Do not respond to suspicious inquiries shared via text, even if the message requests you to “text STOP” to end communication;
- Validate suspicious texts purportedly from companies or government agencies by searching official websites and communicating separately.
To learn more about our IT services, contact Alvarez Technology Group today.