What is Smishing?
By Eddy Berry, Security Research Analyst, TraceSecurity
No matter what device you use to connect to the Internet, assume that a bad actor may try to compromise it. A PC, a laptop, and a mobile phone can all be compromised if you are not careful. Attackers have many ways in, but the most common is social engineering, and on a mobile device that often means smishing.
Social engineering comes in many forms, but they should all be treated the same way: if something seems off about a message you receive, do not interact with it. Mobile phones can be compromised just like a PC or laptop, so never tap unfamiliar links or reply to unexpected messages.
What is Smishing?
Smishing is a form of social engineering that uses Short Message Service (SMS) text messages on your mobile device to steal information from you. A bad actor sends a text that looks legitimate, posing as an official or an employee and demanding some call to action: a package delivery problem, an IT request, or an overdue payment, for example.
The goal is to get you to hand over sensitive information such as a password or account number. The message may also carry a link to a malicious website that harvests credentials or tries to install malware on your device. As with any phishing scam, never interact with a text from a person or organization you do not know, and remember that a legitimate company will not ask you to supply a password or full account number in a text message or an unsolicited phone call.
How to Recognize Smishing
Smishing attacks can arrive as almost any kind of text message. Some are more common than others, but they all pose as an official representative of some organization in order to extract information. Common impersonations are:
- Bank or Credit Union Representative
- Government Worker
- IT Professional
- Shipping Services (USPS, FedEx, UPS)
- Payment Services (Tolls, Delinquent Payments, Invoices)
These text messages almost always contain a call to action. For example, if a “shipping service” contacts you, the text might say that you have a late package or a missed delivery, and that you must click a link or reply before the package can be released.
Unless you signed up for such notifications or requested them, you will not receive a text like this from any of these organizations. A notice of a missed package or an impending fine can be worrying, but if you were not expecting it, it is most likely a smishing attempt. Even if it names a service you actually use, never click a link from a number you do not know.
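The indicators above (an impersonated brand, an urgent call to action, a request for credentials, and a link whose domain does not belong to the brand being impersonated) can be turned into a simple triage check. The following is an added example written for this page, not TraceSecurity's own tooling: the brand-to-domain allowlist, the keyword lists, the scoring weights, the “known sender” short code, and the four sample messages are all constructed for illustration. The host check deliberately treats `usps.com.redelivery-notice.net` as a mismatch, since the registrable domain there is not `usps.com`.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: domains the impersonated brands actually send from.
# Assumption: a real deployment would load this from a maintained source.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "irs": {"irs.gov"},
}

URGENCY = re.compile(
    r"\b(immediately|within 24 hours|final notice|suspended|overdue|unpaid|"
    r"delinquent|redeliver|missed delivery|verify)\b", re.I)
CREDENTIAL_ASK = re.compile(
    r"\b(password|pin|ssn|social security|account number|card number|login)\b", re.I)
URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"]+", re.I)


def extract_hosts(body):
    """Return the lower-cased hostnames of every URL found in the message."""
    hosts = []
    for raw in URL_RE.findall(body):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = urlparse(url).hostname or ""
        hosts.append(host.lower().rstrip("."))
    return hosts


def host_belongs_to(host, allowed):
    """True only for an exact match or a real subdomain (label boundary).

    'usps.com.evil.net' does NOT end with '.usps.com', so it is rejected."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def score_sms(sender, body, known_senders=frozenset()):
    """Score one message; returns (score, verdict, reasons)."""
    score, reasons = 0, []
    text = body.lower()
    claimed = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text)]
    if sender not in known_senders:
        score += 1; reasons.append("unknown sender")
    if URGENCY.search(body):
        score += 1; reasons.append("urgent call to action")
    if CREDENTIAL_ASK.search(body):
        score += 2; reasons.append("asks for credentials or account data")
    for host in extract_hosts(body):
        if not claimed:
            score += 1; reasons.append(f"link to {host} with no stated sender")
        for brand in claimed:
            if not host_belongs_to(host, BRAND_DOMAINS[brand]):
                score += 3
                reasons.append(f"claims {brand.upper()} but links to {host}")
    if score >= 3:
        verdict = "likely smishing"
    elif score >= 1:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return score, verdict, reasons


# Constructed: a short code the user previously opted in to (assumed value).
KNOWN_SENDERS = frozenset({"28777"})

# Constructed sample messages, not real captures.
SAMPLES = [
    ("+15550100123", "USPS: Your package is on hold due to an incomplete address. "
                     "Confirm within 24 hours at https://usps.com.redelivery-notice.net/track"),
    ("28777", "USPS: Your package 9400 1000 0000 0000 0000 00 was delivered today. "
              "Track at https://tools.usps.com/go/TrackConfirmAction"),
    ("+15550109876", "Alert: your account has been suspended. Reply with your PIN "
                     "and account number to restore access."),
    ("+15550105555", "Hi, this is the survey we talked about: http://bit.ly/3abc"),
]


def triage(samples=SAMPLES, known=KNOWN_SENDERS):
    """Return the verdict for each sample, in order."""
    return [score_sms(s, b, known)[1] for s, b in samples]


if __name__ == "__main__":
    for (sender, body), verdict in zip(SAMPLES, triage()):
        score, _, reasons = score_sms(sender, body, KNOWN_SENDERS)
        print(f"{verdict:16} score={score} {reasons}")
```

The weights are arbitrary; what matters is that a brand name in the body is compared against where the link actually goes, and that the comparison is made on label boundaries so that a look-alike hostname prefixed with `usps.com.` does not pass.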
The most important rule for unknown messages is that no company or official entity will ask you for personal information through text. That includes usernames, passwords, account numbers, and similar sensitive data. SMS is not end-to-end encrypted and the displayed sender can be spoofed, so verify the request with the company through a channel you trust instead, such as the phone number printed on its official website or an in-person visit. Do not reply to these messages, even to tell the sender you know it is a scam: any response confirms that the number is active and read by a real person, which puts you on the attacker's list for future attempts.
Smishing is becoming more common alongside other social engineering attacks such as phishing (email) and vishing (voice calls). A smishing text usually claims to come from a financial institution, a government agency, a coworker, or a shipping or payment service, and carries a call to action: an unpaid fine, an undeliverable package, and so on. Never interact with these messages.
These organizations will never ask for your personal information over text. SMS was not designed as a secure channel, so be cautious about doing any business over it. Whatever message you receive, trust your instincts: if something feels off about it, treat it as a social engineering attempt.
Connect with TraceSecurity to learn more.