Defining Smishing

Hello. And welcome to Section 1.4 of the Attacks course, Smishing. I’m Lisa Gilbert, and I will be sharing a lot of helpful information so you can understand this type of attack and defend against it. In our discussion of smishing, I will first define smishing and why it is important to understand and prevent. Next, I will discuss what attackers are trying to accomplish. Then I will explain exactly who is at risk and explore the red flags and warning signs that an attack is taking place. We will also explore some of the tactics used by attackers, and I will share several real life examples. Lastly, I will describe how you can protect yourself and your organization from smishing attacks.

Before we can discuss smishing, we need to understand what it is. Smishing is yet another form or phishing. It is the fraudulent practise of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers. The term smishing is a combination of the acronym SMS, short message services, better known as texting, and phishing, about which you have already learned. Like most cyber criminals, smishers are attempting to steal your personal information, which they can then use to steal money. Usually, yours, but sometimes also your company’s. Attackers use two methods to steal this data. They might trick you into downloading malware that installs itself on your phone.

This malware might masquerade as a legitimate app, tricking you into typing in confidential information and sending this data to the attackers. On the other hand, the link in the smishing message might take you to a fake site, where you’re asked to enter sensitive personal information that the attackers can then use to steal additional information. As more and more people use their personal smartphones for work, a trend called BYOD, or bring your own device, smishing is becoming a business threat as well as a consumer threat. Smishing can be especially effective because people may be more likely to trust a text message than an email.

Most people have become aware of the security risks involved with clicking links in emails, but they are less aware that clicking links in text messages is equally risky. So who is at risk for a smishing attack? Anyone who uses a mobile telephone and has the ability to receive text messages or instant messages is at risk for a smishing attack. In addition, a company that allows employees to use their own devices for business purposes is also at risk of having their information compromised. Smishing uses elements of social engineering to convince you to share personal information. We’ll talk about some of these social engineering attacks later in this course. This tactic leverages your trust in order to obtain your information.

The information that the smisher is looking for may be anything from an online password, to your social security number, to your credit card information. Once the attacker has that, they can start applying for new credit in your name. Another tactic used by smishers is to say that if you don’t click a link and enter your personal information, you will be charged per day for use of some service. If you haven’t signed up for the service, then you can ignore the message.