Smishing is a criminal attack that relies on mobile text messages to trick people into downloading malware, sharing sensitive information, or sending money to cyber criminals. The term “smishing” was coined by combining the words SMS and phishing.
In cybersecurity, phishing is a scam in which attackers deceive people into revealing sensitive information or installing malware such as ransomware.
According to Proofpoint’s 2021 report, 76 percent of organizations experienced smishing attacks in 2022. Today, almost everyone has a cell phone in their hands, which makes SMS a popular way for cybercriminals to reach victims. Indeed, an SMS app comes preinstalled on all phones.
How Smishing Attacks Work
Nowadays, people are also used to banks and brands contacting them over SMS with messages that contain shortened URLs. Often these are promotional messages with lucrative offers, which results in high click-through rates.
Smishing attacks often entail criminals posing as trusted organizations. Usually, they send messages purporting to come from government institutions or big companies, e.g. loan institutions. In Kenya, for example, most cybercriminals pose as Safaricom representatives. This has even led the telco to partner officially with the Directorate of Criminal Investigations (DCI) to try and curb the vice. Others pretend to be from one of the popular mobile loan apps.
Because most people trust government bodies and big corporations, they are likely to click on a link sent as part of a text message. The link often leads to a fake page that resembles the official site. In some instances, unsuspecting individuals go ahead and fill in the requested private information.
The private data people share often compromises their mobile phones, bank accounts, digital payment platforms or credit/debit cards. For instance, scammers may use your card details to buy items online. They may also use the information to transfer funds from, say, your PayPal account to other accounts.
Additionally, smishing is common among hackers who sell personal data, usually to the highest bidder. This exposes your data to even more bad actors who may use it maliciously.
How to Spot SMS Scammers?
In a country like Kenya, social engineering attackers still prefer phone calls to dupe individuals. These have been dubbed “Kamiti Calls”: Kamiti is the largest maximum-security prison in Kenya and is known as a hotspot for such scams.
However, in recent years, efforts by Safaricom to deregister known scammers’ numbers via the USSD code *333# are bearing fruit. Additionally, apps such as Truecaller authenticate phone calls, so that calls from suspicious numbers arrive labelled “scam likely” or “spam likely”. Furthermore, the recent SIM card registration and verification exercise has helped curb the vice.
First, anytime you receive an SMS from an unknown number, never click the link. Secondly, government bodies, NGOs and reputable organizations send text messages that bear their official brand name as the sender. If an unbranded number claims to be from an organization, avoid it like the plague.
Third, be wary of any SMS requesting personal information. Even if it comes from an officially branded sender, get in touch with the organization first to confirm that the request is genuine.
Remember, even in governments and reputable organizations, there are bad actors.
Also, take advantage of your phone’s security settings to protect yourself from smishing. Most phone models offer a feature that lets you block or filter unknown senders so that you are shielded from the start. Look up your phone model’s security features and enable them. Use apps such as the Google Messages app that automatically move suspicious messages to the spam folder.
Finally, once you suspect a text, do not make any contact, whether by text or call. A cybercriminal may simply be trying to see whether the phone number is active. If they confirm this, they may contact you in the future and could find you in a vulnerable state.
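The filtering that the tips above describe can be written down as simple rules over an SMS sender and body. As an added example (not code from the article or from any messaging app), here is a Python scorer that flags the warning signs the article lists: a link from an unknown number, a shortened URL, a request for personal data, and an unbranded number claiming to be an organization. The shortener hosts, keyword lists and sample messages are constructed for illustration.

```python
import re

# Constructed lists for this example; none of these values come from the article.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
PERSONAL_INFO_RE = re.compile(
    r"\b(pin|password|otp|id number|card number|cvv|verify your account)\b", re.I
)
# Organizations the article says are impersonated (Safaricom, mobile loan apps).
IMPERSONATED_RE = re.compile(r"\b(safaricom|m-pesa|loan)\b", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)


def is_branded_sender(sender: str) -> bool:
    """A registered alphanumeric sender ID (e.g. 'SAFARICOM') counts as branded;
    a bare phone number does not."""
    return re.fullmatch(r"\+?\d{6,15}", sender.strip()) is None


def smishing_signals(sender: str, body: str) -> list:
    """Return the article's warning signs that this message triggers."""
    hosts = [h.lower() for h in URL_HOST_RE.findall(body)]
    branded = is_branded_sender(sender)
    signals = []
    if hosts and not branded:
        signals.append("link from an unknown number")
    if any(h in SHORTENER_HOSTS for h in hosts):
        signals.append("shortened URL")
    if PERSONAL_INFO_RE.search(body):
        signals.append("requests personal information")
    if not branded and IMPERSONATED_RE.search(body):
        signals.append("unbranded number claims to be an organization")
    return signals


def classify(sender: str, body: str) -> str:
    """'spam' on two or more signals, 'suspect' on one, otherwise 'inbox'."""
    n = len(smishing_signals(sender, body))
    return "spam" if n >= 2 else "suspect" if n == 1 else "inbox"


# Constructed sample messages (not real SMS traffic).
SAMPLES = [
    ("+254700000001", "Safaricom: your M-PESA is suspended. Verify your account "
                      "and PIN at https://bit.ly/xyz123"),
    ("SAFARICOM", "Your data bundle is 80% used. Dial *544# to top up."),
    ("+254722222222", "Meet at https://example.test/map"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(f"{classify(sender, body):8} {sender}: {smishing_signals(sender, body)}")
```

Real filtering apps add sender reputation and machine-learned models on top of rules like these, but the four signals above are the ones a user can check by eye.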