A rising onslaught of phishing messages delivered via SMS (aka “smishing”) has been hitting mobile users around the world in the last few months.
The fake messages impersonate payment, package delivery and streaming services, government and healthcare organizations, popular IT and email providers, online retailers, hospitality organizations, and so on.
SMS phishing is popular because it’s effective
The attackers’ goal is to get users to share sensitive information either by replying via SMS or by entering it into a spoofed website. The information the phishers are after includes personal and financial details, online banking and other account credentials, tax-related information, electronic IDs and their associated passwords, etc. Occasionally, the goal extends to getting users to install mobile malware or sign up for pricey subscription services.
The messages take the form of alerts about recipients being eligible to apply for the COVID-19 vaccine, fake notifications about missed deliveries and/or requirements to pay for specific deliveries, messages offering financial help from the government, prizes won…
The variety of lures/pretexts is seemingly endless, but they are designed to take advantage of:
- Our emotions and cognitive failings
- Our trust in authority
- Our unfamiliarity with technology and various modern processes
- The fact that some red flags are hard to spot on mobile phones, and
- The fact that being contacted via SMS by various services and government institutions is becoming less unusual with each day that passes
How to spot smishing?
While it’s possible that the phone of one of your contacts has been compromised and is being used to send out smishing messages, such an occurrence is extremely rare and limited to targeted attacks.
Most smishing attempts come from unknown and unlisted phone numbers, so it’s difficult to verify the identity of the sender, and the sender name shown on the phone can itself be spoofed. It’s also difficult to see where a shortened URL included in the message actually points, as you can’t hover a mouse pointer over the link to check before tapping it.
Your capability to recognize smishing depends on:
- Your awareness of the existence of the practice
- Whether you are tired, in a hurry or simply not paying enough attention
- Whether you are susceptible to curiosity, panic, the fear of missing out, and other emotions that make us temporarily suspend logical reasoning
The most important thing to do when you receive an unsolicited SMS that makes an offer too good to be true, pressures you to act quickly, threatens you with a fine or with losing control of an account, or tells you your order will not be delivered, is to stop and think.
If you’re not 100 percent sure that the SMS is coming from a legitimate, not fraudulent sender, you should do some digging.
If the message purports to be from your bank, go check your account by entering the bank’s website address directly into a browser or contact the bank by phone – but don’t use any of the links or phone numbers included in the SMS to do it.
The same advice goes for suspicious messages purporting to come from Amazon, PayPal, DHL, a tax authority, a police department or law enforcement agency, a healthcare organization, Apple, Google, a mobile carrier, Facebook, Netflix, and so on: if you have an account with the service, you can access it independently and check if there’s really a message for you. If not, pick up the phone and contact the service/institution directly. In short, use known legitimate channels to check whether the message is legitimate.
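The red flags described above (shortened or lookalike links, pressure language, requests for credentials or payment, an unfamiliar sender) can be turned into a simple scoring heuristic. The following is an added example and not part of the original article: it scores constructed sample messages against those signals. The shortener list, keyword lists, the brand-to-domain mapping, the sender IDs and the sample texts are all assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Added example, not from the article. Every list, mapping and sample below is
# constructed for illustration; tune them to your own environment.

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rebrand.ly"}

# Pressure language: hurry, threat of loss, or an offer too good to be true.
URGENCY_TERMS = ["urgent", "immediately", "within 24 hours", "act now", "suspended",
                 "final notice", "fine", "will not be delivered", "you have won"]

# Direct asks for credentials or money.
ASK_TERMS = ["verify your account", "confirm your password", "enter your pin",
             "update your payment", "redelivery fee", "pay a fee"]

# Assumption: brand name -> its real registered domain. A hostname containing
# the brand name that is not that domain is treated as a lookalike.
BRAND_DOMAINS = {"paypal": "paypal.com", "dhl": "dhl.com",
                 "amazon": "amazon.com", "netflix": "netflix.com"}

URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"]+', re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _term_patterns(terms):
    # Whole-word matching so "fine" does not fire on "define".
    return [re.compile(r"\b" + re.escape(t) + r"\b", re.IGNORECASE) for t in terms]


URGENCY_RES = _term_patterns(URGENCY_TERMS)
ASK_RES = _term_patterns(ASK_TERMS)


def registered_domain(host):
    """Naive eTLD+1 (last two labels). Use a public-suffix list in real tooling."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_signals(text):
    """Red flags derived from the links in a message."""
    signals = []
    for raw in URL_RE.findall(text):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = urlparse(url).hostname or ""
        if host in SHORTENERS:
            signals.append(f"shortened link ({host})")
        elif IPV4_RE.fullmatch(host):
            signals.append(f"raw IP address link ({host})")
        reg = registered_domain(host)
        for brand, legit in BRAND_DOMAINS.items():
            if brand in host and reg != legit:
                signals.append(f"lookalike domain for {brand} ({host})")
    return signals


def score_sms(sender, text, known_senders=frozenset()):
    """Return (score, signals). Each red flag scores one point."""
    signals = link_signals(text)
    for term, pat in zip(URGENCY_TERMS, URGENCY_RES):
        if pat.search(text):
            signals.append(f"pressure language: '{term}'")
    for term, pat in zip(ASK_TERMS, ASK_RES):
        if pat.search(text):
            signals.append(f"asks for credentials/payment: '{term}'")
    # Sender IDs are trivially spoofable, so a familiar sender earns no trust;
    # an unfamiliar one is only a weak extra flag.
    if sender not in known_senders:
        signals.append(f"unfamiliar sender ({sender})")
    return len(signals), signals


def verdict(score):
    if score >= 3:
        return "likely smishing"
    if score >= 1:
        return "suspicious: verify through a known channel"
    return "no obvious red flags"


# Constructed sample messages (not real SMS traffic).
SAMPLES = [
    ("+447700900123",
     "DHL: your parcel is held and will not be delivered. Pay the redelivery fee "
     "within 24 hours: https://dhl-parcel-tracking.com/pay"),
    ("+15550001111",
     "Your PayPal account has been suspended. Verify your account at http://bit.ly/3xYz"),
    ("BANKUK",
     "Your one-time passcode is 482913. It expires in 10 minutes. Never share it."),
]
KNOWN_SENDERS = frozenset({"BANKUK"})

if __name__ == "__main__":
    for sender, text in SAMPLES:
        score, signals = score_sms(sender, text, KNOWN_SENDERS)
        print(f"[{verdict(score)}] score={score} from {sender}")
        for s in signals:
            print("   -", s)
```

Note that a low score is not a clean bill of health: a message with no link and no keyword hit can still be a lure, and the verdict for anything that scores at all is the same as the article’s advice, to verify through a channel you already know rather than through the message itself.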
Unfortunately, until telecoms come up with more effective ways to prevent phishing SMS messages from being delivered – and apply them consistently, adapting those defenses to the new tricks attackers regularly come up with – we have to be careful and not implicitly trust every SMS we receive.