What is smishing and how do you protect yourself?



In the growing list of ways threat actors are trying to access and steal data and information, we want to take a minute to talk about attacks that happen on a device most of us carry around all day. Cell phones are increasingly targeted for phishing attacks via SMS (text messaging), also known as "smishing." Why?


First of all, we’ve come to trust our smartphones as the device that solves a lot of our problems, like googling an actor we can’t remember the name of, or makes everything so convenient, like replying to an email while on the go. By targeting a device we trust (whether subconsciously or not), the attacks are often more successful because we let our guard down. Secondly, because they’ve become almost as unique and valuable as social security numbers, cell phone numbers are highly sought after info in a data breach.


The attacks happen for different reasons and use different techniques. The following is a list of just a few examples methods and contexts they come in:

 

  • Unsolicited text messages from banks, service providers, and superiors.
  • Most play upon some sense of fear, such as account cancellation, someone stealing money from your bank, being accused of a crime or wrongdoing, or harm to your family.
  • Often, they will impose a sense of urgency to illicit a response.
  • They will request that you text back or go to a link to fix or activate something.
  • Anyone with an email address can send you a text message. All mobile providers have an email-to-text conversion address.
  • There are many web/app-based free text messaging services that require no verification of identity to use.
  • SMS is a major form of 2-factor authentication for applications; therefore, it’s a target.

 

So, how do they obtain your mobile number? There are quite a few ways that you might not even think of because they’re so engrained in our everyday lives.


1. Many rewards programs utilize your cell phone number as your identity. Retailers with brick-and-mortar stores will ask for your phone number when you check out, and anyone nearby can hear it.

2. Most businesspeople list their cell phone number on their business cards, email signatures, and presentations they give.

3. We use our cell phone number at many publicly accessible locations, such as pizza shops, restaurants, doctors’ offices, hairdressers, and grocery stores.

 

What can you do to protect yourself? Generally, you should avoid interacting with the message’s content or sender, but here are some specific actions.


  • Do not rush to action; take your time evaluating a text.
  • Do not reply to any texts that are unsolicited.
  • Do not click on links from unsolicited texts.
  • Report the suspicious number to your cell phone provider.
  • Delete the message to avoid inadvertent responses.


It's important to make sure your colleagues are educated about these risks and the protective measures they can take. We suggest sending this post to them or setting up a seminar in your office with ACC's cybersecurity experts.