Text Me When You Get Pwned: What is SMShing and How Do I Protect Myself?

Estimated difficulty: 💜🤍🤍🤍🤍

What is SMShing?

SMShing (AKA Smishing) is a type of social engineering attack conducted over text messages, also known as SMS phishing. Social engineering attacks exploit human behaviour and reactions rather than a technical vulnerability. Criminals who “SMSh” or “phish” are usually financially motivated, using stolen information to steal money or selling it in forums or on sites on the dark web.

Attackers send fraudulent messages that try to deceive the victim into disclosing sensitive information, typically through an embedded website link for the end-user to visit or a phone number for them to call.

Typically, once a victim has clicked the link, they are taken to a web page that asks them to submit personal information (such as bank details or login credentials). Many of these web pages are designed to look legitimate, fooling the user into believing they are on the genuine website. Alternatively, the victim may be directed to a phone line run by the attacker, who uses further social engineering techniques to extract the information over the phone.

Attackers may also attach malicious links to texts in an attempt to install malware onto a victim’s phone. The malware may disguise itself as a legitimate application and try to steal information or data from the mobile device itself.

Often attackers will impersonate organisations such as your bank, a phone company, a retailer, or law enforcement (to name a few). Because end-users are likely to trust a known organisation, victims may unfortunately be more willing to disclose information or comply with requests.

Attackers may also “spoof” their identity by changing their Sender ID so the message appears to come from someone you know.

(Image source: The AntiSocial Engineer)

Attackers may also use several techniques to persuade a victim of a text’s legitimacy: a tone of urgency (“you must take action now to avoid your account being deleted”), relevant context (such as a “Track Your Parcel” link when you have been expecting a parcel!) and an emphasis on emotion. A combination of these techniques takes advantage of human psychology and tricks the mind without you even knowing it.

“IRL” Examples…

(Image source: Surrey Live)
(Image source: Proofpoint)
(Image source: University of Arkansas)

How do I protect myself?

The number one tip for any SMShing scam is to ignore it and not respond to its requests. The likelihood is that the attacker has run a campaign distributing hundreds, if not thousands, of text messages in the hope of capturing at least one victim’s attention.

If you are concerned, contact the organisation directly using legitimate means of contact, such as its official website or contact forms.

It is also important to be mindful of any links in a text message, and to avoid clicking them until you have verified their legitimacy with the organisation.

As a general rule of thumb, be wary of requests that ask for personal information, and again verify them with the organisation to ensure they are genuine. Never provide your password if prompted, and enable multi-factor authentication if you are able.

(You can find out more about multi-factor authentication in my blog post “You Shall Not Pass: Authentication 101” here)
