SMS (Smishing) Attacks

SMS scams, also known as smishing, are fraudulent attempts to deceive individuals through text messages. Scammers pose as legitimate entities to trick recipients into disclosing personal information, clicking on malicious links, or making unauthorized payments. The messages often impersonate trusted sources, such as banks, government agencies, or reputable companies, to gain the recipient's trust. Many of the characteristics of email phishing also appear in smishing, and a single smishing campaign may combine several of the tactics below.

Common tactics:

  • Spoofing: Attackers forge the sender's phone number so that the message appears to come from a trusted source. Scammers may choose country and area codes that look familiar or are less likely to raise suspicion, including numbers associated with well-known businesses or services.
  • Deceptive content: Smishing messages typically contain urgent or enticing content to provoke an immediate response, such as fake invoices, security alerts, or offers.
  • Malicious links: Smishers include links that lead to fake websites mimicking legitimate ones. These sites capture login credentials or install malware on the victim's device.
  • Attachments: Some smishing messages carry malicious attachments, such as infected documents or executable files, which can compromise the recipient's device.
  • AI-generated content: Cybercriminals are using AI to create highly persuasive and personalized smishing content. This increases the risk, especially during the holidays when online activity peaks.

Warning signs:

  • Unexpected text messages from unknown numbers or entities may be a sign of a smishing attempt.
  • Messages that create a sense of urgency, pressure you to act quickly, or threaten consequences for not complying are common.
  • Requests for sensitive information, such as passwords or financial details, via text message should raise suspicion.
  • Smishing messages often use generic greetings, such as "Dear User," instead of your actual name.

How to protect yourself:

  • Examine the sender's phone number carefully, and be cautious of unsolicited messages, especially those that request personal or financial details.
  • Be cautious of urgent or threatening language. Verify the message's legitimacy by contacting the supposed sender through an official, separate channel.
  • Look for misspelled domain names or suspicious variations in any link.
  • Don't open attachments from unknown or unverified sources. Verify the sender's legitimacy before opening any files.
  • Avoid clicking on links or downloading attachments from unknown or suspicious messages.
  • Install reputable security software on your mobile device to detect and block smishing attempts.
  • Enable two-factor authentication for your accounts to add an extra layer of security.

For organizations:

  • Provide cybersecurity awareness training so staff can recognize smishing attempts.
  • Independently verify any unusual request for sensitive information or a funds transfer, especially if received via SMS.
  • Encourage the use of unique passwords for all online accounts and consider using a password manager. See Cyber Crime Prevention for more information.
  • Implement multifactor authentication (MFA) wherever possible to add an extra layer of security.
  • Regularly update operating systems, browsers, and antivirus software to patch known vulnerabilities.
  • Remove phone numbers from public websites; attackers harvest them and use the website's context to craft convincing smishing lures.

If you receive a smishing message:

  • Do not respond or provide personal information.
  • Delete the message to prevent accidental interaction with malicious content.
  • Immediately change passwords for any compromised accounts and enable MFA if available.
  • Forward suspicious texts to 7726 (SPAM) to alert your carrier.
  • Report the incident to your mobile carrier, to your organization's IT or security team (if the device belongs to them), and to the proper authorities.
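The warning signs listed above (generic greeting, urgency or threat language, requests for sensitive data, and links to lookalike or shortened domains) can be turned into a simple triage heuristic. The following Python script is an added example written for this page; it is not code from the page's sources. The three sample messages, the `TRUSTED_DOMAINS` set, the term lists and the scoring threshold are all constructed assumptions for illustration, and the sender-ID check reflects the general observation that legitimate bulk alerts usually arrive from short codes or alphanumeric sender IDs rather than ordinary long-form numbers.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for demonstration only; none are taken from real campaigns.
SAMPLE_MESSAGES = [
    {"sender": "+1 555 010 4477",
     "text": "Dear User, your account has been suspended. Verify immediately at "
             "http://examplebank-secure.com/login or lose access."},
    {"sender": "+44 7700 900123",
     "text": "Your package is on hold. Confirm your card details within 24 hours: https://bit.ly/3xyzABC"},
    {"sender": "EXBANK",
     "text": "Hi Alice, your statement for March is ready in the app. No action is needed."},
]

# Assumption: the organisation's own known-good domains (replace with your real allow-list).
TRUSTED_DOMAINS = {"examplebank.com"}

URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "urgent", "final notice",
                 "act now", "lose access", "on hold")
SENSITIVE_TERMS = ("password", "passcode", "card details", "card number", "social security",
                   "ssn", "pin number", "bank details", "account details",
                   "confirm your identity", "verify your identity")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear client", "valued customer")
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character domain misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_genuine(host, trusted):
    return any(host == good or host.endswith("." + good) for good in trusted)


def is_lookalike(host, trusted):
    """True if the host imitates a trusted domain (embedded name or near-misspelling) but is not it."""
    if is_genuine(host, trusted):
        return False
    for good in trusted:
        brand = good.split(".")[0]          # e.g. "examplebank"
        if brand in host:                   # examplebank-secure.com, login-examplebank.net
            return True
        for label in host.split("."):       # examp1ebank.com, exarnplebank.com
            if len(label) >= 4 and levenshtein(label, brand) <= 2:
                return True
    return False


def score_message(sender, text, trusted=TRUSTED_DOMAINS):
    """Collect the warning signs present in one SMS and return a score with reasons."""
    lowered = text.lower()
    reasons = []
    if any(g in lowered for g in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    if any(t in lowered for t in URGENCY_TERMS):
        reasons.append("urgency or threat language")
    if any(t in lowered for t in SENSITIVE_TERMS):
        reasons.append("requests sensitive information")
    urls = URL_RE.findall(text)
    for url in urls:
        host = hostname_of(url)
        if host in URL_SHORTENERS:
            reasons.append(f"shortened link hides destination ({host})")
        elif is_lookalike(host, trusted):
            reasons.append(f"lookalike domain ({host})")
        elif not is_genuine(host, trusted):
            reasons.append(f"link to unrecognised domain ({host})")
    # Heuristic assumption: a link arriving from a long-form number rather than a
    # short code or alphanumeric sender ID deserves a closer look.
    if re.match(r"\+\d", sender.strip()) and urls:
        reasons.append("link sent from an ordinary phone number")
    return {"score": len(reasons),
            "verdict": "suspicious" if len(reasons) >= 2 else "likely benign",
            "reasons": reasons}


def triage(messages=SAMPLE_MESSAGES):
    return [score_message(m["sender"], m["text"]) for m in messages]


if __name__ == "__main__":
    for m, result in zip(SAMPLE_MESSAGES, triage()):
        print(f"{m['sender']}: {result['verdict']} (score {result['score']})")
        for r in result["reasons"]:
            print("   -", r)
```

Each reason maps back to one of the warning signs above, so the output doubles as the explanation a user or help desk can act on (verify through an official channel, forward to 7726, report). The keyword lists are deliberately small; in practice they would be tuned against the organisation's own message traffic, and the allow-list of genuine domains is what keeps the lookalike check from flagging the bank's real alerts.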
