Messaging | vSMS

7 min read

SMS Phishing and Spoofing scams: how to defend your business

by | Dec 4, 2020

People of the present-era are well aware of the security risks associated with clicking on random links in emails; however, this is not the case when it comes to SMS messages.

What is SMS Phishing?

Why does SMS Phishing work?

Posing as popular organizations, or even friends, cybercriminals deploy social engineering techniques to dupe people into handing over certain sensitive information such as bank details, or login credentials. 

People who fall prey to SMS phishing attacks can have their identities stolen, bank accounts emptied, or even end up with malware installed on their mobile phones.

Classic Examples of SMS Phishing attacks

Let us see some common ways of how Smishing is carried out by the attackers so we can better understand how to prevent SMS spoofing.

SMS Phishing to extract personal details from victims

Smishers may try and convince you to provide your credentials or other confidential information that they can use to gain access to one of your accounts. Bank smishing is one of the most common types of this category of attack.

The popular UK tech website has provided a detailed explanation about a typical bank smishing attack. Attackers usually play on your fears and emotions to hack your account.

In most cases, cybercriminals will send you SMS messages claiming to be from your bank, warning you about a significant money transfer. They then provide you a number to call or a link to click to reverse this potentially unauthorized transaction. The former is a classic case of caller ID spoofing, wherein they make the number appear as though it’s a legitimate one of your bank, and the latter is classified as email spoofing.

In reality, of course, the transfer doesn’t happen; the link that is sent to you is redirected to a spoofed site that looks exactly like your bank, which asks for your login credentials and contact number and connects you to the attackers. 

These attackers will then try to extract the same sort of information out of you. After they are armed with those critical details, they can log into your bank account and plunder it.

Bank SMS Phishing: why so dangerous?

Bank smishing is mostly successful because many banks do have messaging services to notify you about any suspicious activity that happens on your account.

SMS Spoofing is another factor that can trick a victim.

What is SMS Spoofing?

Many attackers use SMS spoofing techniques that mask the contact number or the sender’s SMS number. By downloading malicious software into your system, attackers can use SMS spoofing to make their messages appear as if they are coming from your bank.

In such cases, your phone will automatically group such messages with any original message that you have already received from that bank, making them seem legitimate.

SMS Phishing to trick you into transferring money

Most often, con-artists practice this type of Smishing rather than the tech wizards. However, it is still a serious concern, particularly for people who are not tech-savvy or don’t use email and have never been exposed to such scams before.

Smishers will do their homework to figure out ways to get you to trust them; in one attack, a woman received SMS messages she thought were from her friend telling her about a government grant that she qualified for. In reality, this was a classic Nigerian scam: the victim was told to pay a few hundred dollars upfront for taxes and receive the cash.

While such scams play on the victim’s desperation, some take the opposite approach, exploiting their generosity. In another case, one set of attackers sent text messages to Louisiana victims, pretending to be a clergyman at a church, collecting funds for charity; in reality, they pocketed the money.

SMS Phishing to trick people into downloading malware

This sort of SMS Phishing attack is similar to that of email phishing, though the techniques adapted are for mobile users.

For instance, a smishing scam that went viral in the Czech Republic convinced users to download an app purporting to be from the country’s postal service; in reality, it was a trojan virus that could harvest credit card details into other applications on the phone.

These kinds of attacks are not common when conducted via SMS than via email because modern-day smartphones make it more difficult to download apps, with iPhones and Android phones only allowing signed and verified applications from app stores to operate.

However, it is still possible to sideload apps, especially on Android devices, so you should be cautious if anyone tries to force you to download an app via SMS message. You can avoid smishing attacks by simply being careful.

How To Avoid SMS Phishing Attacks

By following the aforementioned simple steps, you can avoid smishing attacks and protect your data.

Google’s Verified SMS vs Phishing

Google recently introduced Verified SMS – a new feature for android messaging apps. Through vSMS, the tech giant aims to combat the rise of spam texts. Just like how the verified badges on social media platforms indicate the trustworthiness of a business page, verified SMS brings the same verification to messaging. Google believes that with verified SMS, people can put an end to the hundreds of spam messages that they receive each day.

Even though such preventive measures are in place, none of these efforts will end spam texts. Attackers will always find new ways to reach mobile users. 

The menace of SMS Phishing

Smishing is getting more dangerous with the growing popularity of mobile banking. People use their smartphones for almost everything. If you carry out financial transactions on your mobile phone, a lot of sensitive information is at risk, if it is exposed to malware or spyware.

Prioritize SMS scam protection by being extra cautious about your activities on phone and computer. Educate your family and friends about what is SMS spoofing, caller ID spoofing, email spoofing, and SMS phishing attacks. 

Until there are improved security measures for mobile devices, it is best to stay away from suspicious-looking messages.



Content Specialist at Kaleyra