Nov 2, 2021
0 0

What is Smishing? The 101 guide

Written by

We research. You level up.
Protect your devices, your data, and your privacy—at home or on the go.
“Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected.”
Featured Event: RSA 2021
Activate Malwarebytes Privacy on Windows device.
Cybersecurity Month: Save 25% on EP and EDR for your business – BUY NOW

Posted: by
Smishing is a valuable tool in the scammer’s armoury. You’ve likely run into it, even if you didn’t know that is its name. It doesn’t arrive by email or social media direct message, instead choosing a route directly aimed at what may be your most personal device: the mobile phone. So, what is Smishing? We’re glad you asked.
Smishing is a combination of the words “phishing” and “SMS”, to indicate phishing sent across your mobile network in the form of a text. It’s often thought of as the latest scam on the block, but it’s been popular for a few years now. The Pandemic combined with a rise in home deliveries has only increased its popularity still further.
It’s a fake message sent to mobile devices, using social engineering to encourage the recipient to click a link. The difference between Smishing and Vishing, is that Vishing is fraudulent voice messages as opposed to text and links.
Common Smish attempts focus on everyday needs or requirements. Late payments, missed deliveries, bank notifications, fines, and urgent notices are prime vehicles for a smishing attack.
COVID-19 has ensured that bogus vaccination messaging is also a common Smishing technique.
Most smishing text messages attempt to direct victims to fake login screens, with the possibility of asking for payment details further on. They may use URL shortening services in an attempt to conceal overtly fake login links. Potential victims may have never seen a Smish before, and so assume anything sent via SMS is legitimate. It may also be more difficult to view the full URL on a mobile browser, which is to the phisher’s advantage.
Offering fake discounts on bills is a popular method of smishing attack. The drawback here is that these messages aren’t typically targeted. As a result, large numbers of people without the relevant accounts will simply disregard the message. This isn’t necessarily a problem for the smisher, however. These messages are sent in bulk, and the scammer expects a small number of responses from casting a wide net. The combined ill-gotten gains from the people who do fall for it, likely more than makes up for initial outlay.
Late / delayed parcels are a huge prospect for Smishers. If you wanted to define Smishing, this would be the current-day quintessential Smish attack. With so many people at home, and so many daily purchases made online, we’re awash with cardboard. It’s very difficult to keep track of everything coming into the house. Combining well-known delivery services with fake “delivery fee” notifications is a recipe for Smishing success.
In both examples, you can see the potential for success. Pinning these two attacks around what people can gain (or indeed, lose) gives them added credibility by playing on the hopes and fears of victims.
The reality of this situation is, nobody can stop Smishing 100%. However, we can certainly take some steps to significantly reduce it:
It’s not just phone owners doing their bit to tackle Smishing. Organisations have been taking steps to lock this threat down for some time now. Last year, the SMS SenderID Protection Registry gave companies the ability to register and protect message headers. We have Attorney Generals warning of the dangers, and the sheer saturation by fake Royal Mail delivery fee messages has made the issue go mainstream in the UK. We can only hope Smishing’s sudden rise to fame during the pandemic leads to an equally speedy demise.
For the time being, keep a watchful eye on those text messages and treat them with the same suspicion you’d give to a random missive in your email inbox.
October 27, 2021 – We look at a small batch of Steam scam messages, focused on offering potential victims “free” knife and bayonet skins.
October 8, 2021 – We look at some Discord scams doing the rounds, and also provide some tips to help you avoid losing your account.
Malwarebytes news | Scams
August 11, 2021 – We look at a small flourishing of QR code scams, and cast an eye over some of the most interesting QR-related attacks of 2021.
July 28, 2021 – We look at a history of malware, hacks, phishes, bogus mobile apps, and more targeting the Olympic Games going back to 1996
Social engineering
July 19, 2021 – We take a look at a spam mail promising untold riches from a cryptocurrency transfer which will only lead to financial disaster.

Silouette of person

Threat Center

Book with bookmark

Suspicious person

Write for Labs

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.
Imagine a world without malware. We do.
© All Rights Reserved
Select your language
Cybersecurity basics
Your intro to everything relating to cyberthreats, and how to stop them.


Article Categories:

Leave a Reply