Smishing: the newest and most effective form of cyberattack

Smartphone virus malware trojan notification or alert. Hacker attack, Mobile security vector concept.

Smishing is the newest and most effective form of cyberattack being reported by Managed IT Services companies. Attacks from hackers via SMS has been dubbed ‘Smishing’, which combines the phrases ‘SMS’ and ‘phishing’. Traditionally, phishing scams have been conducted via email. This may include emails purporting to be a trusted business or establishment. It could also be phoney password reset emails or even extortive phishing emails that employ blackmail to scare the victim. However, most people have become savvy with their emails and can now identify the characteristics of a phishing email. With this in mind, hackers have now moved to SMS phishing attacks which have proven to be incredibly successful.

Let’s look into what smishing is, how to spot a smishing text and what to do when you receive one.

What is smishing?

As previously stated, smishing is the combination of SMS and phishing. Phishing relies on human engineering rather than technical exploits like other types of hacks. This includes methods such as brute force, software exploits etc. Phishing worked successfully over email for a number of years using a range of different methods and guises (read more here). However, in the face of cyber attacks lurking on every corner, users have become savvy to email phishing’s conventional traits.

Realising that email was becoming an increasingly untrustworthy source for users, hackers moved to attacking via SMS. Users are more likely to trust a phone number they pay for than an email service that is free. Under this guise, hackers have begun phishing people via text.

Types of smishing texts may include:

Texts from your bank alerting you that your account has been hacked/accessed.
Messages purporting to be a shipping service such as AusPost claiming that your parcel has been held by at a depot.
Texts purporting to be a reputable organisation, such as Amazon.
Texts purporting to be from the Government – just recently, a smishing attack has been impersonating Medicare. The text alerts you that you have been in contact with someone with Omicron and to order a free PCR test through a malicious, fraudulent link.

How to spot a smishing text

These types of attacks can be orchestrated by anyone, no matter how tech savvy. Because of this, phishing and smishing can’t be stopped. Instead, it is up to us being aware of the traits of these attacks in order to not fall victim. Traits of a cyber attack are constantly changing but there are some general, unchanging giveaways. The characteristics of a smishing text will be similar to that of a phishing email:

The text uses unusually strange and threatening language – you can be quite sure that the tax office, the government or an institution like PayPal would not be threatening you in a message. This is generally a major red flag.
The text contains a link – if the dodgy message is threatening and or has any of these other traits as well as a link, it is best practice to not click it. You can directly ring the establishment the message purports to be from to be absolutely sure it came from them.
The text contains poor spelling and grammar – this is always a tell-tale sign of a fraudulent text. The message is riddled with poor spelling and grammar meaning it is highly unlikely to have come from a reputable sender.
The text comes from a brand/institution you’re familiar with – hackers will always purport to be a brand or an institution that you are familiar with. This is a form of social engineering, a tactic employed by hackers to lull you into a false sense of security. This is because you are seemingly dealing with a brand or company that you are familiar with and therefore, more likely to trust.
Asking for personal and/or sensitive information – a brand/institution will NEVER ask you to disclose sensitive information via messages.

A recent example of a fraudulent smishing text circulating.

So, what do you do when you’ve identified the message might be a smishing text?

Now you can identify a smishing text, what should you do if you think you’ve received one?

Do not open any links in the message – be sure to never click a link in a text from an unknown number or suspicious sender. If the text is purporting to be Medicare for example, it is always best to call them directly and check if that was them sending the link.
Do not reply back to the number or engage with the sender in any way
Delete the message
If you’re unsure whether or not the text is real, it is best to forward it to your MSP or call the brand, or institution, directly and check.

Cyber attacks are consistently sophisticating in nature. Not all smishing texts have the easy-to-spot traits that traditional phishing emails do. Smishing texts can be grammatically perfect and come from a seemingly normal number. This has made smishing incredibly successful for hackers.

To find out more or get help protecting your business call Milnsbridge, Sydney’s leading IT Services Provider on 1300 300 293.