Over the last couple of years, smishing attacks centered around the Covid-19 pandemic and financial relief for those affected have become super prevalent. Most of us have been on the receiving end of at least one smishing attack, even if we weren’t aware of it.
What is smishing?
Smishing attacks are phishing attempts by hackers which use short message service (SMS) or social media messengers to convince people to give up their financial or login information. They often contain malicious links to sites that steal your data or install malware on your phone if opened.
Smishing has become increasingly common because people are much more trusting of text messages than they are of emails. As a small business owner, you or an employee may become a target of such an attack. Read on to learn the objectives of these attacks, the different types of smishing attacks, how to tell scam texts from legitimate ones, and what to do if you fall for a smishing attempt.
Scam Texts – What They Look Like and Why Cybercriminals Send Them
What Scammers Can Get From You Via Text Message
The number one target of smishing attempts is your financial details. That could be your credit/debit card information, account numbers, or the username and password of your online banking app.
If the hackers aren’t angling for your financial information, they’re likely hunting for private information. These things aren’t a matter of public record but are key to stealing someone’s identity and impersonating them to banks and businesses. Think about the security questions you have with your bank, health insurance, etc. Those are extremely valuable answers!
Last, but certainly not least, the attacker may be looking to compromise your login information for various apps. Whether it’s social media, your game center account, or an application you use for work, cybercriminals can find ways to make money off of them all.
How Scammers Trick You Into Giving Up Data Via Smishing
Both phishing and smishing are scams that rely on social engineering in order to be successful. The key components of a social engineering attack are:
- Emotion– Attackers create a sense of urgency, utilizing powerful emotions like shame or fear to motivate their victims. This could look like a message with a video link that says “OMG is this you?” where the attached URL resembles that of an adult website.
- Trust – The hackers will often pose as friends, family, or colleagues of the target. Facebook has become especially rife with these types of attacks, where abandoned accounts are duplicated, with friend requests going to the friends of the original account. They then ask for money or share a link to a social help program, but the application link is malicious.
- Context – Scam artists keep up with current events and use them to their advantage. Things like the global pandemic or a natural disaster in your area are prime examples of context that can lower a person’s defenses by feeling authentic.
Common Smishing Attacks
Social Program Scams
These attacks mimic aid programs designed by local or state governments, non-profits, healthcare, or financial organizations. The Covid-19 pandemic kicked off a wave of such scams, but they also often follow natural disasters or local tragedies. These schemes manipulate you via your health or financial insecurities.
Look out for texts about contact tracing that asks for sensitive information that isn’t relevant, tax-based financial relief like stimulus checks that you have to apply for (your tax return is your application for legitimate stimulus checks), public health safety updates that you have to sign up for, or urgent requests to complete the U.S. census or local surveys.
Order Confirmation/Invoice Schemes
Most online shops have text message confirmation notifications now. These scams take advantage of those legitimate texts to provide a false confirmation of a recent purchase/invoice to you.
Whether you’re a serial online shopper who forgets what they order, or a smart shopper who might be worried about unauthorized purchases, you open the link and BAM! The scammers have made off with your login information or installed malware on your phone before you know it.
If you receive unexpected order confirmation texts, don’t open the link within. Go to the app that the text says it’s from and look at your purchase history there.
Customer Support/Financial Institution Smishing
Customer support scammers pretend to work for companies and banks you know and trust, and claim to be reaching out to help solve an issue with your account. They’ll tell you the steps you need to follow to fix it, which usually includes visiting a fraudulent login page, calling a fake number, or providing a real account recovery code to reset your password.
Most often these scams claim there is an issue with billing, account access, unusual activity, or resolving a recent complaint. Once again, if you’re suspicious about a customer support text, ignore any calls to action within the text and call the company or bank’s legitimate customer support number to verify the claim.
Gift or Giveaway Scams
These schemes congratulate you for winning a big ticket item or large sum of cash from a seemingly legitimate retailer or company. The attacker is banking on your excitement at winning something overriding your common sense, so you click the link and fill out whatever information they ask for without hesitation.
Google is your best friend on this one, or any of the above types of smishing attempts. Simply search for the giveaway to see if it’s real. Most of the time you’ll immediately pull up multiple reports of a scam just like the one that you received.
Detecting and Protecting Against Smishing Attempts
The single greatest defense against smishing is knowledge. Many of the signs of a phishing email are identical signs of a smishing scam. Here are some red flags for you and your staff to look out for.
- Look for typos, grammatical errors, and misspelling. These criminals often don’t speak English primarily, so their messages may not be to the standard you’d expect from your bank or a prominent company.
- Double check the phone number of the sender. Four digit numbers are evidence of an email to text service, which is commonly used in smishing. You can check it against the legitimate number you know your bank texts you from, as well.
- Don’t respond, at all. Even texting back “STOP” can confirm that your number is active for hackers, which can subject you to further smishing attempts.
- Use multi-factor authentication on login with every app. A second verification key is an excellent obstacle for a hacker with a compromised password. And never ever send your verification code via text, as legitimate companies won’t ask for it via text.
- Don’t panic or get overly excited. If you receive a text out of the blue that makes you feel extremely good or extremely bad that calls for immediate action, don’t act. Take a breath, and examine the text carefully. Look for the other red flags on this list. You’ll probably find more than one.
- Contact the bank or company directly if a problem is claimed. Don’t use the contact information within the suspicious message! Go to the legitimate website and contact their customer service to see if there really is an issue with your account. Their agents should know if it’s a common scam and should confirm for you that your account is just fine.
- Download an anti-malware app on your phone. Any device can be infected with malware, not just computers. Smartphones are used even more than computers nowadays, but they are secured far less frequently. If your business has a comprehensive anti malware solution, you may be able to include business smartphones in that coverage!
Thorough and frequent training on smishing attacks can help to build awareness within your organization, just like with phishing detection. If you’re having trouble getting your employees to buy into a cybersecurity mindset, we have a blog post to help with that, too!
Here’s What To Do If You Think You’ve Fallen For a Smishing Attack
The scammers behind these attacks are cunning and clever, so first off, don’t feel bad. They’ve refined their technique to manipulate people, and you’re definitely not alone in being manipulated.
You can’t un-fall for this scam, but you can limit the impact of it. Here’s how!
- Change your passwords, account pins, and security questions as soon as possible. Don’t ever use the compromised one again.
- Immediately report the smishing attack to the companies involved and the authorities, especially if you experienced financial losses because of it.
- Freeze your credit to mitigate any current or future identity theft. Talk to your bank about canceling affected cards and changing account numbers as needed.
- Sign up for a monitoring service for affected accounts and finances. Watch closely for suspicious transactions or logins.
Squash Smishing Attempts
Armed with this information on detection and mitigation, you don’t have to fear smishing attacks. Spread the word about smishing attacks to your coworkers, family, and friends. Especially older folks you know, as there are plenty of attacks aimed specifically at trusting and lonely retirees.
For more information on other common cyberattacks, visit our website! Our blog Plugged In covers all kinds of threats to cybersecurity that small business owners should be aware of.