What is Smishing and how to defend against it

What is smishing?

Many internet users have heard of phishing, but what about smishing? Smishing is a variant of a phishing cybersecurity attack where victims are deceived into giving sensitive information to a disguised attacker. Smishing (also known as SMS phishing) is the same type of attack, except it’s carried out over mobile text messages instead of email. SMS phishing may be assisted by malware or fraudulent websites that are designed to look authentic. It occurs on many mobile text messaging platforms, including non-SMS channels, such as data-based mobile messaging apps (WhatsApp, iMessage, Facebook Messenger, etc.).

How does smishing work?

Deception and fraud through social engineering are the core components of any SMS phishing attack. Because the attacker assumes an identity that you might trust, you are more likely to succumb to their requests. Social engineering principles allow smishing attackers to manipulate a victim’s decision-making. The driving factors of this deception are three-fold:

Trust: By posing as legitimate individuals and organizations, cybercriminals lower their target’s skepticism. SMS texts, as a more personal communication channel, also naturally lower a person’s defenses against threats.
Context: Using a situation that could be relevant to targets allows an attacker to build an effective disguise. The message feels personalized, which helps it override any suspicion that it might be spam.
Emotion: By heightening a target’s emotions, attackers can override their target’s critical thinking and spur them into rapid action.

Types of smishing attacks

Each smishing attack uses similar methods, while the presentation may vary significantly. Attackers can use a wide variety of identities and premises to keep these SMS attacks unpredictable and difficult to spot.

Unfortunately, a comprehensive list of smishing types is nearly impossible due to the endless reinvention of these attacks. Using a few established scam premises, we can unveil characteristics to help you spot a smishing attack before you become a victim. Here are some common premises of smishing attacks:

COVID-19 smishing

COVID-19 smishing scams are based on legitimate aid programs designed by government, healthcare, and financial organizations for recovery from the COVID-19 pandemic.

Attackers have used these schemes to manipulate victims’ health and finance fears for committing fraud. Warning signs can include:

Contact tracing that asks for sensitive info (social insurance number, credit card number, etc.)
Tax-based financial relief
Public health safety updates

Financial services smishing

Financial services smishing attacks are masked as notifications from financial institutions. Nearly everyone uses banking and credit card services, making them susceptible to both generic and institution-specific messages. Loans and investing are also common premises in this category.

An attacker poses as a bank or other financial institution for an ideal disguise to commit financial fraud. Features of a financial services smishing scam may include an urgent request to unlock your account, being asked to verify suspicious account activity, and more.

Gift smishing

Gift smishing suggests the promise of free services or products, often from a reputable retailer or other company. These can be giveaway contests, shopping rewards, or any number of other free offers. When an attacker elevates your excitement by proposing the idea of “free,” this serves as a logic override to get you to take action faster. Signs of this attack can include limited time offers or exclusive selection for a free gift card.

How to protect yourself from smishing attacks

The good news is that once you’re aware of how smishing works, many of these attacks can be easy to protect against. You can keep yourself safe by doing nothing at all. In essence, the attacks can only do damage if you take the bait.

That said, be mindful that text messaging is a legitimate means for many retailers and institutions to reach you. Not all messages should be ignored, but you should act safely regardless.

There are a few things to keep in mind that will help you protect yourself against these attacks.

Do not respond. Even prompts to reply like texting “STOP” to unsubscribe can be a trick to identify active phone numbers. Attackers depend on your curiosity or anxiety over the situation at hand, but you can refuse to engage.
Slow down if a message is urgent. You should approach urgent account updates and limited time offers as caution signs of possible smishing. Remain skeptical and proceed carefully.
Call your bank or merchant directly if doubtful. Legitimate institutions don’t request account updates or login info via text. Furthermore, any urgent notices can be verified directly on your online accounts or via an official phone helpline.
Avoid using any links or contact info in the message that make you uncomfortable. Go directly to official contact channels when you can.
Check the phone number. Odd-looking phone numbers, such as 4-digit ones, can be evidence of email-to-text services. This is one of many tactics a scammer can use to mask their true phone number.
Opt to never keep credit card numbers on your phone. The best way to keep financial information from being stolen from a digital wallet is to never put it there.
Use multi-factor authentication (MFA). An exposed password may still be useless to a smishing attacker if the account being breached requires a second “key” for verification. MFA’s most common variant is two-factor authentication, which often uses a text message verification code. Stronger variants include using a dedicated app for verification (like Google Authenticator) are available.
Never provide a password or account recovery code via text. Both passwords and text message two-factor authentication recovery codes can compromise your account in the wrong hands. Never give this information to anyone, and only use it on official sites.
Report all SMS phishing attempts to designated authorities.

Remember, like email phishing, smishing is a crime of trickery — it depends on fooling the victim into cooperating by clicking a link or providing information. The simplest protection against these attacks is to do nothing at all. If you don’t respond, a malicious text cannot do anything.

A friendly reminder from Qtrade Direct Investing

At this time, Qtrade will only send you a text message for two-factor authentication when logging into your account. We don’t currently offer SMS for other any other account notifications. In the future, when we enable SMS for other Qtrade services, you will personally enable these services and will be able to recognize that any SMS message you received was at your own request. We will never send you an SMS asking for your account details or password.

Read more about Qtrade’s security guarantee and find out how we safeguard your personal and financial information.

Aviso Wealth Inc. (“Aviso Wealth”) is the parent company of Credential Qtrade Securities Inc. Aviso Wealth is a wholly-owned subsidiary of Aviso Wealth Limited Partnership, which in turn is owned 50% by Desjardins Financial Holdings Inc. and 50% by a limited partnership owned by the five Provincial Credit Union Centrals and the CUMIS Group Limited.

Online brokerage services are offered through Qtrade Investor, a division of Credential Qtrade Securities Inc., a wholly owned subsidiary of Aviso Wealth Inc. and Member of the Canadian Investor Protection Fund.

Northwest & Ethical Investments L.P (“NEI” or “NEI Investments”) is a subsidiary of Aviso Wealth; and NEI Funds are related issuers of Credential Qtrade Securities Inc.

This material is for informational purposes only. While this material has been compiled from sources believed to be reliable, Qtrade Investor does not guarantee the accuracy, completeness, timeliness or reliability of this information. Information, figures and charts are summarized for illustrative purposes only and are subject to change without notice. All investments are subject to risk, including the possible loss of principal.