You may have been the victim of an SMS-based phishing, or smishing, attack if you’ve ever received a text message that claimed there was a problem with one of your accounts and asked you to click on a link to resolve the issue. Smishing is one of the easiest ways for hackers to steal your data because you’re literally giving it to them.
Phishing is a type of cyber attack in which the attacker sends an email message designed to trick the victim into disclosing sensitive information or deploying malware on the victim’s computer. They often use fraudulent, or spoofed, websites to make it appear as if the email came from someone the victim has reason to trust, typically a bank or online retailer. Phishing attacks have become increasingly sophisticated, often allowing the attacker to observe the victims’ actions on the spoofed website and further compromise their security. Phishing is by far the most common type of cyber attack as of 2020, with more than twice as many attacks as any other type of computer crime, according to the FBI’s Internet Crime Complaint Center (IC3).
Other cyber attacks are conceptually similar to phishing, although they may differ in their implementation. For example, smishing uses SMS rather than email to deliver a fraudulent message that invites the victim to perform some action such as clicking a link, sending an email reply or calling a phone number. The message also asks the victim to disclose personal information such as the security credentials for a website or online service that the victim currently uses. It can be particularly difficult to identify spoofed logon pages on a mobile phone since its small display size can prevent you from seeing the entire URL.
The term “smishing” was coined in 2006, but it remained a fairly obscure form of attack compared to phishing until 2020. Proofpoint reports that smishing attacks increased by 328 percent in mid-2020, largely as a result of the COVID-19 pandemic. Government agencies began sending SMS messages on a large scale to provide COVID-related information such as contact tracing, lockdowns and vaccination options. This response to the pandemic created an ideal environment for smishing, since many people now had a strong incentive to read SMS messages and follow their instructions. NextCaller reports that 44 percent of Americans experienced an increase in scam text messages during the first two weeks of the nationwide quarantine.
The IC3 reports that over 240,000 people were victims of phishing and related attacks in 2020. The reported losses from these attacks were over $54 million, as compared to only $7 million in losses from malware such as viruses. The European Payments Council reports that the total losses from phishing-type attacks in the European Union (EU) were $26 billion between June 2016 and July 2019.
Government agencies and private businesses are currently scrambling to keep up with the millions of smishing messages that hackers send on a daily basis. However, mobile users have many options for protecting themselves from these attacks.
The effectiveness of smishing attacks is largely due to the fact that mobile users are accustomed to receiving legitimate text messages, many of which inform the recipient of suspicious account activity. It’s therefore critical to verify the sender of these messages before taking any action through SMS. For example, if you receive a message purporting to be from your bank, you should always contact your bank directly to ensure they sent you the message before following any of its instructions.
To protect your company against a social engineering attack, your employees need to know what to watch out for. Xantrion offers a proven social engineering awareness and training program designed for small and midsized businesses. Contact us today to get started.