What is Smishing and how to defend against it
What is smishing?
Many internet users have heard of phishing, but what about smishing? Smishing is a variant of a phishing cybersecurity attack where victims are deceived into giving sensitive information to a disguised attacker. Smishing (also known as SMS phishing) is the same type of attack, except it’s carried out over mobile text messages instead of email. SMS phishing may be assisted by malware or fraudulent websites that are designed to look authentic. It occurs on many mobile text messaging platforms, including non-SMS channels, such as data-based mobile messaging apps (WhatsApp, iMessage, Facebook Messenger, etc.).
How does smishing work?
Deception and fraud through social engineering are the core components of any SMS phishing attack. Because the attacker assumes an identity that you might trust, you are more likely to succumb to their requests. Social engineering principles allow smishing attackers to manipulate a victim’s decision-making. The driving factors of this deception are three-fold:
- Trust: By posing as legitimate individuals and organizations, cybercriminals lower their target’s skepticism. SMS texts, as a more personal communication channel, also naturally lower a person’s defenses against threats.
- Context: Using a situation that could be relevant to targets allows an attacker to build an effective disguise. The message feels personalized, which helps it override any suspicion that it might be spam.
- Emotion: By heightening a target’s emotions, attackers can override their target’s critical thinking and spur them into rapid action.
Types of smishing attacks
Each smishing attack uses similar methods, while the presentation may vary significantly. Attackers can use a wide variety of identities and premises to keep these SMS attacks unpredictable and difficult to spot.
Unfortunately, a comprehensive list of smishing types is nearly impossible because these attacks are endlessly reinvented. Using a few established scam premises, we can identify characteristics that help you spot a smishing attack before you become a victim. Here are some common premises of smishing attacks:
COVID-19 smishing
COVID-19 smishing scams are based on legitimate aid programs designed by government, healthcare, and financial organizations for recovery from the COVID-19 pandemic.
Attackers have used these schemes to exploit victims’ health and finance fears in order to commit fraud. Warning signs can include:
- Contact tracing that asks for sensitive info (social insurance number, credit card number, etc.)
- Tax-based financial relief
- Public health safety updates
Financial services smishing
Financial services smishing attacks are masked as notifications from financial institutions. Nearly everyone uses banking and credit card services, making them susceptible to both generic and institution-specific messages. Loans and investing are also common premises in this category.
An attacker poses as a bank or other financial institution for an ideal disguise to commit financial fraud. Features of a financial services smishing scam may include an urgent request to unlock your account, being asked to verify suspicious account activity, and more.
Gift smishing
Gift smishing suggests the promise of free services or products, often from a reputable retailer or other company. These can be giveaway contests, shopping rewards, or any number of other free offers. When an attacker elevates your excitement by proposing the idea of “free,” this serves as a logic override to get you to take action faster. Signs of this attack can include limited time offers or exclusive selection for a free gift card.
How to protect yourself from smishing attacks
The good news is that once you’re aware of how smishing works, many of these attacks can be easy to protect against. You can keep yourself safe by doing nothing at all. In essence, the attacks can only do damage if you take the bait.
That said, be mindful that text messaging is a legitimate means for many retailers and institutions to reach you. Not all messages should be ignored, but you should act safely regardless.
There are a few things to keep in mind that will help you protect yourself against these attacks.
- Do not respond. Even prompts to reply like texting “STOP” to unsubscribe can be a trick to identify active phone numbers. Attackers depend on your curiosity or anxiety over the situation at hand, but you can refuse to engage.
- Slow down if a message is urgent. You should approach urgent account updates and limited time offers as caution signs of possible smishing. Remain skeptical and proceed carefully.
- Call your bank or merchant directly if doubtful. Legitimate institutions don’t request account updates or login info via text. Furthermore, any urgent notices can be verified directly on your online accounts or via an official phone helpline.
- Avoid using any links or contact info in the message that make you uncomfortable. Go directly to official contact channels when you can.
- Check the phone number. Odd-looking phone numbers, such as 4-digit ones, can be evidence of email-to-text services. This is one of many tactics a scammer can use to mask their true phone number.
- Opt to never keep credit card numbers on your phone. The best way to keep financial information from being stolen from a digital wallet is to never put it there.
- Use multi-factor authentication (MFA). An exposed password may still be useless to a smishing attacker if the account being breached requires a second “key” for verification. MFA’s most common variant is two-factor authentication, which often uses a text message verification code. Stronger variants, such as a dedicated verification app (like Google Authenticator), are also available.
- Never provide a password or account recovery code via text. Both passwords and text message two-factor authentication recovery codes can compromise your account in the wrong hands. Never give this information to anyone, and only use it on official sites.
- Report all SMS phishing attempts to designated authorities.
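The warning signs listed above can be turned into a simple triage check that scores an incoming message. This is an added example, not Qtrade’s code or tooling; the keyword patterns, the two-signal threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Heuristics mirror the article's warning signs: pressure to act fast,
# requests for a password, code or login details, links to follow,
# "free" offers, and short sender numbers (e.g. 4-digit ones) that can
# indicate an email-to-text gateway masking the real number.
URGENCY = re.compile(r"\b(?:urgent(?:ly)?|immediately|within \d+ hours?|limited[- ]time|"
                     r"expires?|suspended|locked|act now)\b", re.I)
ASKS_SECRET = re.compile(r"\b(?:reply|send|text|provide|confirm|enter|verify)\b[^.!?]{0,40}"
                         r"\b(?:password|verification code|recovery code|login(?: info)?|"
                         r"account (?:details|number)|card number|sin)\b", re.I)
LINK = re.compile(r"https?://\S+|\b[\w-]+\.(?:com|net|ca|info|xyz|top)\b(?:/\S*)?", re.I)
FREE_OFFER = re.compile(r"\b(?:free|gift card|you(?:'ve| have)? won|winner|reward)\b", re.I)

@dataclass
class Verdict:
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two or more independent signals is the flag threshold (assumed here).
        return len(self.reasons) >= 2

def score_sms(sender: str, body: str) -> Verdict:
    """Return the warning signs present in one text message."""
    v = Verdict()
    digits = re.sub(r"\D", "", sender)
    if 0 < len(digits) <= 6:
        v.reasons.append("short sender number")
    if URGENCY.search(body):
        v.reasons.append("urgency or limited-time pressure")
    if ASKS_SECRET.search(body):
        v.reasons.append("asks for a password, code or account details")
    if LINK.search(body):
        v.reasons.append("contains a link")
    if FREE_OFFER.search(body):
        v.reasons.append("promises a free gift or reward")
    return v

# Constructed sample messages, not real captures. The second one is the
# shape of a legitimate 2FA delivery: it gives a code, it does not ask for one.
SAMPLES = [
    ("48229", "URGENT: your account is locked. Verify your login at example-bank.top/unlock within 24 hours."),
    ("+15550100123", "Your verification code is 482913. Do not share it with anyone."),
    ("62911", "Congrats, you won a free $500 gift card! Claim: http://gift.example.xyz/claim"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        v = score_sms(sender, body)
        print("SUSPICIOUS" if v.suspicious else "ok        ", sender, v.reasons)
```

A legitimate two-factor code message scores zero here because it delivers a code rather than asking you to send one, which is the distinction the list above draws.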
Remember, like email phishing, smishing is a crime of trickery — it depends on fooling the victim into cooperating by clicking a link or providing information. The simplest protection against these attacks is to do nothing at all. If you don’t respond, a malicious text cannot do anything.
A friendly reminder from Qtrade Direct Investing
At this time, Qtrade will only send you a text message for two-factor authentication when logging into your account. We don’t currently offer SMS for any other account notifications. In the future, when we enable SMS for other Qtrade services, you will personally enable these services and will be able to recognize that any SMS message you receive was at your own request. We will never send you an SMS asking for your account details or password.
Read more about Qtrade’s security guarantee and find out how we safeguard your personal and financial information.
Online brokerage services are offered through Qtrade Direct Investing, a division of Credential Qtrade Securities Inc. Qtrade, Qtrade Direct Investing, and Write your own future are trade names and/or trademarks of Aviso Wealth.