Smishing is a form of phishing attack that targets mobile devices. Instead of sending phishing content over email, smishers use SMS or MMS text messages to deliver their messages. As the use of mobile devices for business becomes more common due to remote work and bring your own device (BYOD) policies, smishing has become a growing threat to enterprise cybersecurity.

How Smishing Attack Works?

The popular conception of phishing focuses on email because email was one of the original and most common media for delivering phishing content. However, it is not the only way that phishers can achieve their goals.

Mobile device usage has grown rapidly, and these devices come with an “always on” mentality that is invaluable to phishers. While mobile devices have access to multiple communications channels (email, social media, etc.), text messages have several benefits to phishers.

A text message can carry malicious links or attachments (in the case of MMS) just like an email, enabling them to use the same techniques as phishing emails. However, text messages have some advantages over email such as their limited lengths and increased usage by brands.

For example, in an SMS message, the use of link shortening services is routine, and these services make it difficult to see the target of a link in advance. Additionally, mobile phones don’t allow users to hover over a link to view its destination. Both of these factors make phishing over SMS easier and more effective for attackers

Examples of Smishing Attacks

Like traditional email-based phishing attacks, smishing attacks use different pretexts to trick recipients into clicking on a link embedded in the message. Some common pretexts include:

  • Account Issues: Brands are increasingly using SMS messages for customer service, and users may be accustomed to receiving texts regarding issues or notifications about their accounts. Smishers may send texts claiming that an issue exists and pointing the recipient to a fake link that steals account credentials.
  • COVID-19: Current events are common pretexts for phishing attacks, and the COVID-19 pandemic provided cybercriminals with numerous opportunities. COVID-based smishing scams may ask for personal information for “contact tracing” or provide inaccurate information about stimulus checks and public safety updates that lead to phishing sites.
  • Financial Services: A smisher may pose as a financial services organization asking the recipient to verify some activity on their account. If the target responds, the smisher may attempt to steal login credentials or other personal information as part of the verification process.
  • MFA Codes: Since SMS is one of the most common methods used for multi-factor authentication (MFA), some smishing attacks are designed to steal these codes. The phisher may tell the recipient that they need to verify their identity by telling the attacker the MFA code texted to them. The attacker triggers this code by attempting to log in as the user and then gains access once the recipient provides them with the correct code.
  • Order Confirmation: Smishing messages may contain a confirmation of a fake order as well as a link to modify or cancel that order. When the recipient clicks on the link, it directs them to a fake site that steals login credentials.

These are some of the most common pretexts that smishers use in their attacks. As mobile device usage grows due to the rise of remote work and BYOD policies, these attacks are becoming more common and sophisticated.

How to Protect from Smishing Attacks

Since smishing attacks are just phishing attacks performed over a different medium, many of the same best practices apply, including:

  • Avoid Clicking Links: Links in text messages are difficult to verify due to link shortening and the inability to hover over links to see targets. Instead of clicking on links in text messages, browse directly to the target site.
  • Don’t Provide Data: Smishing attacks are commonly designed to steal sensitive data from their targets under the guise of verifying identities or other pretexts. Never provide personal data to someone that you haven’t called or texted via a number listed on their website.
  • Install Apps from App stores: Smishing attacks may be designed to trick recipients into installing malicious apps on their mobile devices. Always install apps from reputable app stores, ideally after verifying their authenticity on the creator’s website.

Never Share MFA Codes: Text messages are commonly used to transmit MFA codes for online accounts, and scammers may pretend that they sent an MFA code to verify a user’s identity. Never provide an MFA code to anyone.

Smishing Attacks Protection with Check Point

With the rise of remote and hybrid work models and BYOD device policies, mobile devices are becoming a core part of the business and mobile security is more important than ever. This makes smishing attacks a serious threat to companies as well as individuals.

Check Point and Avanan have developed an anti-phishing solution that provides protection across all attack vectors, including for smishing attacks. To learn more about protecting your company’s mobile devices against phishing with Harmony, you’re welcome to request a free demo.