An Understandable Guide to The World of Phishing: Part 3 “Smishing”

“You’ve got a message,” or your phone just “dings.” We all get text messages! Threat actors use text messages to trick you into providing them with your usernames and passwords for your personal/financial accounts or downloading malicious software. Here, in part three of our multi-series blog, “An Understandable Guide to the World of Phishing,” I want to take my time to explain “smishing”: how it works and how to avoid becoming a victim of this form of phishing attack.

“Smishing”: Phishing by Text

Smishing is another phishing attack that uses social engineering by sending fake mobile text messages to trick you into giving your personal or financial information to a threat actor or downloading a malicious application used to gather information.

Threat actors often use a tactic called “spoofing” or impersonate a legitimate business or person you may know, such as a child or a friend. Unfortunately, they also pose as authorized people or organizations such as government workers, a bank, another financial institution, or even your post office.

Smishing texts often create a sense of urgency and may also contain a link that redirects you to a site that looks legitimate. However, once you enter your personal information, the attacker steals it and either uses the information or sells it to someone who seeks to abuse your personal and financial information.

How Smishing Works

You get a text message stating, “It is your credit card company, and you need to tend to your account. IMMEDIATELY! Please follow the link below to resolve your account issue.”

You get a balance message from them anytime you run your card, so seeing a text from them is not out of the ordinary, and you hit the link. The web browser opens, and it takes you to what appears to be a legitimate site for your credit card company. However, when you put your username and password in, nothing happens!?

Something did happen! A threat actor “spoofed” your credit card company’s phone number and sent you a malicious text message with a malicious link. They tricked you into providing the username and password for your credit card account. Think about the information in your account, such as your social security number, birthday, full name and address, or your entire credit card number!

Now that you know how smishing works, let’s look at what you can do to avoid becoming a victim of “smishing.”

How to Avoid Becoming a Victim of Smishing

Text messaging is an everyday occurrence. This makes us all vulnerable to this kind of attack. There are precautions you can take to avoid becoming a victim of this form of attack. Always question any text messages demanding an IMMEDIATE response! Do not click on links inside text messages! Contact the company or person directly at an official email address or phone number and ask for clarification about the message. Do you know the number? If you do not know who is texting you, do not reply. Always verify the number! Keep your banking and/or credit card information off your phone. Avoid responding to requests asking to change or update your account information via text message.
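The precautions above can also be applied as a simple triage check on messages that users report. This is an added example, not code from the original post; the function names, keyword patterns, contact list and sample messages are assumptions constructed for illustration.

```python
import re

# Each pattern mirrors one precaution from the list above (patterns are illustrative).
URGENCY = re.compile(
    r"\b(immediately|urgent(ly)?|right away|act now|within \d+ (hours?|minutes?))\b", re.I)
ACCOUNT_REQUEST = re.compile(
    r"\b(update|change|verify|confirm|resolve)\b.{0,40}\b(account|password|card|login|information)\b",
    re.I | re.S)
# http(s)/www links plus bare "host.tld/path" forms that phones render as tappable.
LINK = re.compile(
    r"\b(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}/\S*", re.I)


def normalize_number(number):
    """Keep digits only so '+1 (555) 010-0142' and '15550100142' compare equal."""
    return re.sub(r"\D", "", number)


def triage_sms(sender, body, known_numbers):
    """Return the warning signs found in one text message, in a fixed order."""
    flags = []
    if URGENCY.search(body):
        flags.append("urgency")            # demands an IMMEDIATE response
    if LINK.search(body):
        flags.append("link")               # link inside the text message
    if ACCOUNT_REQUEST.search(body):
        flags.append("account_request")    # asks to change/update account details
    known = {normalize_number(n) for n in known_numbers}
    if normalize_number(sender) not in known:
        flags.append("unknown_sender")     # number you do not recognize
    return flags


# Constructed sample data: reserved 555-01xx numbers and .example domains.
CONTACTS = ["+1 (555) 010-0142", "+1 555 010 0177"]
SAMPLES = [
    ("15550100142", "It is your credit card company, and you need to tend to your "
     "account. IMMEDIATELY! Please follow the link below to resolve your account "
     "issue. http://card-support.example/login"),
    ("+1 555 010 0177", "Running late, see you at 6"),
    ("+1 555 010 0199", "Your parcel is held. Confirm your information at "
     "post-office.example/track"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage_sms(sender, body, CONTACTS))
```

The first sample arrives from a number in the contact list and is still flagged, because a spoofed sender number looks the same as the real one; any flagged message should be verified through the company's official phone number or email address.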

In conclusion, in part one we investigated phishing attacks via email, and in part two we learned that vishing is delivered to you either by voice call or voicemail. Here in part three, we covered smishing, a phishing attack via text messages. Threat actors impersonate a legitimate business or person you may know and send you malicious texts with malicious links to steal your usernames and passwords or to get you to download malicious software that gathers information.

While all three of these look a bit different, the goal remains the same: they are designed to “trick” you into supplying your personal/financial information or to gain access to your accounts. All three are forms of social engineering that use your emotions against you to steal your personal information and/or take control of your computer, tablet, or phone.

Have you become a victim of a smishing attack? We can help!