Understanding smishing | Examples | Defending against smishing attacks

smishing attacks with examples

Understanding smishing | Examples | Defending against smishing attacks

  Cyvatar | 06/06/2022

In this article, we are going to learn beyond smishing’s meaning and its definition.

What is a phishing text message aka Smishing?

Smishing is a form of cyberattack where hackers use SMS text messages to steal sensitive information from users. Sensitive information can be your usernames and passwords, bank accounts, and credit card numbers.

An example of how smishing works is when a cybercriminal or hacker embeds a short URL into a text message that leads to a malicious site. An unsuspecting user would be invited to click on the link and be trapped.

Smishing is a part of a trio of cyber attacks, the other two methods being vishing and phishing.

Phishing scams are pretty infamous and utilize social engineering to trap users. Phishing pertains to attacks via emails to authorities, employees, and users surrounding a corporate environment.

Vishing, on the other hand, is done via VoIP technology. Here the cybercriminal will pretend to be an authority figure from, let’s say, your bank to convince you to provide your account information and then extract money from your account.

Smishing uses the SMS and text messaging technology available on mobile phones. While all three methods may be different, the end goal is to allow cybercriminals to illegally profit or benefit from your sensitive information or data about your organization or employer.

How does a smishing attack occur?

Smishers have a variety of tricks up their sleeve in order to gain access to your sensitive information. These cybercriminals can use many public online tools to gain basic information about the user and then create a compelling SMS that looks like a trusted source.

The smisher may address you directly using your name and location. These specific details reinforce the message’s perceived credibility. The message then displays a link to a server controlled by the attacker.

The link could take you to a credential phishing site or malware designed to compromise your phone. The malware can then be used to intercept the user’s smartphone data or to send sensitive data to an attacker-controlled server silently.

Just like phishing scams, smishing also takes advantage of social engineering. The smisher/cybercriminal can sometimes call and pretend to be an authority figure, asking the user to disclose information or persuade them to open a link in an upcoming message.

A user falling for the claims made by the smisher will open the link and be exposed to malware and a cyber attack.

While most mobile devices have inbuilt security systems and antivirus/antimalware software, they do not offer any protection for attacks that have been accepted willingly by the user, which in this case is opening a malicious URL in a text message or SMS.

Smishing attacks also tend to use known brands or brands/apps that the user utilizes or is associated with; here are some examples of how a smishing attack uses brands to trick users:

examples of smishing attacks using brand names to trick users

The different kinds of smishing attacks

As mentioned above, smishing involves a bit of social engineering utilized by the cybercriminal. These attackers will utilize creative methods to convince you that their message is legitimate and goad you to click on the link… and repent!

So here are the most obvious messaging types they impersonate in order to get access to your finances and data.

1. Problem/Issue with the user’s Credit Card/Bank account

Messages on behalf of a user’s financial institution stating that a suspicious transaction has been discovered or that their account or credit card has been blocked are a common type of smishing.

The person is instructed to click on a link to confirm their identity in order for the problem to be resolved or the account or credit card to be unlocked.

2. Suspicious Activity Alert

Many companies now send a notification if an account is accessed from a different device or a different location. This helps users keep safe.

Smishing attacks mimic the technique by sending alerts with suspicious links to the victim, allowing them to determine where the access came from. SMS is also frequently disguised as two-factor authentication, requiring the victim to click on a link before access is granted.

3. Participation in a user survey

Not many people actively enjoy filling out surveys. As a result, in order to persuade the victim to click on the link, smishers design messages that frequently offer a prize. These invitations may include phony surveys to rate a large retailer’s service or product, duping the user.

4. Winning a lottery/prize

This should be a no-brainer. SMS that state that the user has won a lottery they didn’t even participate in, a brand new car, or winning a random lucky draw are always suspected to be a smishing attempt.

While most people don’t fall for these messages, some will still be intrigued and click the link, leaving themselves vulnerable to an attack.

5. Covid-19 messaging

This is the latest method of spreading a virus through text message/ malware attempts. Messaging that claims to provide information about the pandemic but needs to be accessed via downloading an APK (for Android) or opening a link should not be entertained.

Cybercriminals use the tactic of fear to make unsuspecting users click on smishing links. Keep in mind that no organization requires you to download an app via text or sends text messages with links to provide vital information.

How to defend yourself against a smishing attempt

According to a report by Proofpoint, in the year 2020 alone, there was a reported 328% increase in smishing attacks. Their report also mentioned that 84% of organizations were subject to smishing attacks. Coincidentally, the FBI reported that the combination of phishing, smishing, and vishing attacks led to $3.5 billion loss in 2020 alone.

Because of the social engineering aspect of these attacks, they can be difficult to defend against.

But all hope isn’t lost, for these attacks and their ramifications can be negated by simply not falling for the bait.

Here are a few pointers you can follow to protect yourself from smishing attempts:

  • Any urgent alerts that state your response needs to be immediate should be suspected as a smishing attempt.

    Also, any extremely limited time offers that claim to be now or never should also be considered as a smishing attempt.
  • Remember that no bank or financial institution will ever ask you for your account number or details. Neither do they ask to update your information via a link on an SMS.

    Another example would be a request to change your ATM PIN. If you ever come across a message claiming to be from your banking institution and expecting you to click or open a link, it’s a fraud.

    Contact your bank directly if you have any doubts before clicking any link you find in an SMS.
  • Never click, reply, or open a link to a message from a contact you do not recognize.

Such random messages could lead to texting attacks and hence, must be avoided

  • You can easily spot smishing text by looking at their contact number. If it has something fishy like a number ending with ‘5000’, it’s most likely an imposter trying to make a smishing attack.

    This is because numbers like these are usually linked to email or text services, a method scam artists regularly use without using an actual phone number.
  • One preventive measure would be to not store any of your credit card information on your smartphone. No one can steal your credit card information if it isn’t there in the first place, right?
  • Report any and every smishing attempt you see to the FCC. The fewer there are, the better it is for everyone!
  • Never download any applications on your phone from unknown sources, websites, or links from messages. Always use the app store provided by your mobile device to get verified and install safe apps.

Recovering from a Smishing attack

If you have recently been compromised by a smishing attack, there are a few steps you must take to mitigate the damage:

  • In the case of a compromise on your corporate phone that has been provided by your organization, immediately approach and notify your IT and cyber security team.
With Cyvatar’s Cybersecurity Prevention plan, you have a proactive cybersecurity team and a preventive security solution.

Cybersecurity teams will have a backup of the data internally and will do a complete data wipe on your phone to ensure that a recurring attack cannot occur.

The cybersecurity team will also guide you through the next course of action and provide you with better recovery options in the future.

  • The next important step would be to block the number where the smishing attempt came from to ensure that the cybercriminal cannot resurface.

    You must also report unsolicited messages on your phone to the FTC. The Federal Trade Commission has an online complaint page to register for the same.
FTC online complaint assistant
Register your complaint online
  • Lastly, if you are a victim of a credit card or bank account fraud, immediately contact your financial institution to have your account blocked before any more damages and money siphoning can occur.

What is the latest variant of Smishing in cybersecurity?

Almost every industry has been impacted by the COVID-19 pandemic, but that hasn’t stopped cybercriminals from thinking of new ways to develop text message link viruses and malware.

One such rampant case of smishing malware was Flubot, which affected millions of users in Australian households.

FluBot: The Text Message Malware

The pandemic affected the way of life of most individuals all over the world, but it actually benefited the e-commerce and online delivery industries.

So it should have been evident that cybercriminals would attempt to use that to their advantage.

FluBot, also known as Cabassous, is a trojan malware app capable of intercepting SMS and messages, banking information, private credentials, and even presenting fake display overlays to trick users into providing their information.

Per an alert issued by NCSI-FI, there were some 70,000 SMS messages sent by attackers in 24 hours targeting Android users with FluBot malware.

smishing messages example
SMS messages with links to FluBot malware

What makes FluBot even scarier, though, is the fact that cybercriminals took advantage of the recent Facebook user data leak (where the details of over 500 million accounts were leaked) and engineered messages laced with FluBot based on the kind of phone, demographic, and location data that was compromised.

For example, instead of receiving the usual malicious text message, Android users received a prompt to download an APK to track the delivery of one of their couriers.

iOS users would receive links to banking institutions related to the user and would inject the text message malware that way.

If you ever see any message or pop up with the messaging FOLLOW THE JOURNEY : DOWNLOAD FEDEX APP (or your preferred courier app) it is most likely to be a FluBot smishing attempt.

What made FluBot very dangerous was its use of Domain Generated Algorithm. This algorithm has the ability to create different variations of the domain, which is known as a technique called “domain fluxing”.

Domain fluxing allows this malware to stealthily control its server IP address over endless lists of dummy domains.

There are many ways to get rid of FluBot, but the first step to take is to factory reset your phone and change your credentials for your accounts on a desktop computer or another device.

Protect your organization from smishing attacks with affordable and flexible cybersecurity solutions

Cyvatar’s affordable cybersecurity helps organizations of all sizes stay secure from unprecedented cyber threats.

Check out the pricing plan and get started with our forever Free Freemium plan.

Need help? Say hello to cybersecurity experts.

Circa Las Vegas

Thurs. Aug 5th

Cybersecurity Reunion Pool Party at BlackHat 2021