Smishing (‘SMS’ + ‘phishing’) is a cyberattack that uses misleading text messages to trick victims into sharing valuable information, installing malware or giving away money.
Smishing is a variation of the email-based phishing scams that have been around since the 1990s. One statistic explains why attackers are putting so much effort into developing these scams.
Specifically, 98% of text messages are read, and 45% are responded to, while the equivalent numbers for email are 20% and 6%, respectively. As users have become overwhelmed by constant emails and suspicious of spam, text messages have become a more attractive attack vector, exploiting the more intimate relationships we have with our phones. In addition, people are often less watchful for suspicious messages on their phones than on their computers, and their personal devices generally lack the type of security available on corporate PCs.
This new take on an old trick is becoming increasingly widespread, and smishing attacks can be broken down into the following three broad categories:
1. Attempts to trick you into revealing credentials.
Smishers may try to convince you to give up your username and password combo or other confidential information, which they can then use to log into one of your online accounts. Your bank is one of the most lucrative and common contexts for this category of attack.
2. Attempts to trick you into downloading malware.
This sort of attack parallels one of the primary end games of email phishing, though the techniques are adapted for mobile users and mobile technologies.
3. Attempts to trick you into sending someone money.
This version of smishing is more the domain of the con artist than the tech wizard, but it is still a real concern. While some of these scams play on the victim’s desperation or greed, others take the opposite approach: exploiting their generosity.