Posted on 23 July 2021

Phishing in a new dimension: The rise of SMSishing


SMSishing (SMS phishing) is an emerging and growing threat in the world of online security.

A form of social engineering, it’s a type of fraudulent activity whereby scammers lure victims into sharing personal information or downloading mobile malware via text, by claiming to be from a trusted person or organisation.

A new, more dangerous form of phishing

Email phishing, although still a very real threat, has become less common in recent years, as email service providers have enhanced their technologies to better detect and block phishing emails, and new security features such as Microsoft Password Monitor continue to be rolled out to safeguard users and enhance online security.

As a result, however, scammers have turned their attention to alternative streams, primarily text messaging, where there is currently less awareness when it comes to spotting and stopping phishing attacks.

Whilst there are some preventative technologies in the marketplace, such as Microsoft’s Advanced Threat Protection (ATP) for Android, which protects against phishing attacks and blocks attempted access to unsafe websites, SMSishing as a concept is still relatively new.

How do fraudsters do it?

Thanks to increasingly sophisticated tactics and often easy routes to profit, SMSishing is now considered the most common type of cybercrime, with incidents on the rise.

SMSishing fraudsters will often use Caller ID spoofing to display the name or number of legitimate people and organisations.

Usually, they’ll then use scare tactics or create a sense of urgency to mislead and manipulate their victims, for example: “Your AppleID is due to expire today. Please click here to update your details and prevent loss of services or data” or “We have identified some unusual activity on your online banking. Please log in via [link] to secure your account”. Messages like these entice the victim to engage by clicking a link and/or submitting personal information.

Then hey presto! The fraudsters can have everything they need in a matter of minutes.

There’s also been a big rise in text scams, particularly from those claiming to be couriers such as Hermes, Royal Mail and DPD, stating the victim has missed a delivery and needs to rebook. The scammers then usually ask for personal information and card details to schedule a *fake* redelivery.

Protect yourself against SMSishing fraudsters

As with other types of phishing, there are a few things to always bear in mind, which will help reduce the likelihood of a SMSishing attack:

  1. Don’t reply to text messages from people or numbers you don’t know
  2. Ignore messages that come from numbers that don’t look like phone numbers
  3. Don’t click on links from unknown sources
  4. Be wary of unsolicited SMS messages that claim to be from reputable organisations, such as a bank
  5. Exercise caution when clicking links from people you know – verify with them first that they meant to send the link
  6. Never submit personal information such as your username or bank account via SMS
  7. Report suspected SMSishing attempts using one of the following methods:
    1. Emails can be forwarded to the Suspicious Email Reporting Service (SERS) [email protected]
    2. SMSishing text messages can be reported to your network service provider by forwarding the scam SMS to 7726
    3. Visit the ActionFraud website police.uk/report-phishing
    4. If you have provided your bank details, contact your bank immediately and advise them you were a potential victim of fraud

Managing your digital security can be time-consuming and bewildering. At Infuse, we understand the impact this can have on both businesses and individuals, and we’re here to provide you with a complete solution. To speak with one of our experts, please get in touch today.