By: Bruce Whiting, Security Officer
Phishing is a term we have all become familiar with. Smishing, which has not been around as long, is the use of short messaging services (SMS) technology to phish for individuals’ sensitive personal information. The following article comes from the SOS Daily News – Cyber Security News & Information.
Smishing Is The New Phishing
Published August 24, 2017
From time to time, scammers come up with a new tactic using new technology, new events, or whatever they can to continue tricking us into giving up our personal or confidential information. One tactic that has come into favor in the past few years has been dubbed “smishing.” Yes, it’s an odd word, but it’s descriptive and it most certainly works on some people. As long as you know what to watch for, you can take preventative action and not be their next victim.
Smishing is phishing via short message service (SMS). As you can probably guess, the word is a combination of two terms. The first part derives from SMS, which is a generic word for text messaging in any form. Often, these messages arrive via the data service on a smartphone. However, they can also arrive via iMessage, which is the text messaging service that Apple uses, or Android Messages for Android devices. There are many others and all of them can be used for smishing.
The second part of the word is from “phishing.” By now, most of us know what that means. A reminder, however, is never harmful. Phishing is a method cybercriminals use to dupe people into giving up sensitive information. Often, this is via email and includes a link or attachment that, when clicked, leads someone to fill confidential information into a form or installs malware that steals data off the device. Phishing can also occur via voice service (i.e., over the phone). This is called “vishing.” One common scam that uses vishing is the tech support scam, where a caller tries to convince the potential victim that they are in need of technical support and can be assisted by giving the caller a payment card number. Another is the IRS scam. The cybercriminals call the target, pretend to be an IRS agent, and threaten jail or fines for unpaid taxes. All the targeted victim needs to do is give the caller a payment card number and all will be well.
A couple of common smishing scams include the following:
- A text message arrives that appears to be from the target’s financial institution, requesting that a link be clicked that will go to a website to address and resolve an issue with the account or payment card. If it’s clicked, malware is installed and the email address, contact list information, and other data are stolen.
- A text message claims the user signed up for some sort of service and will be charged unless a link is clicked. The result is again malware getting installed and data stolen from the device.
- The user is sent a text claiming he or she has won a prize of some sort. Often it’s a gift card. A link must be clicked to claim the prize. The link directs to a website where personal information is requested, but the victim never gets the prize, of course. Instead, the information is used for spamming or efforts to steal additional information such as financial account credentials.

The rules to prevent successful smishing are the same as for phishing, for the most part. If a message arrives unexpectedly, tries to scare you into taking quick action, or promises free or highly discounted prizes, it’s very likely a scam. While these too can appear to come from known senders, it is still best to confirm with them in another way rather than click on something in a text message. Call them, use an email message to an address you have on file, or ask in person.
One method of detection that usually cannot be replicated for smishing is hovering over or holding down on a link to see where it is going before clicking it. Often the links are truncated in text messages. However, intuition goes a long way, and if any suspicion arises, take it seriously.