One very common attack against you, your company and your family is phishing through text messages, sometimes referred to as smishing (SMS phishing). Many people’s defenses go down the toilet when they use their mobile phone. Some people who would typically question a malicious-looking link sent over email won’t apply the same logic when they receive a link over a text message. Phones seem like a safe medium, but that is actually not the case. Phones are computers. Computers can be compromised.
The truth is that your phone very likely contains MORE sensitive data than your computer. Think about features allowing you to purchase things without your credit card. Consider all of the applications you have that can automatically access your social media and bank accounts as well as make changes on your behalf. If an adversary gains control of your mobile device, they can become you. That makes mobile phones a higher-value target than your computer.
Smishing continues to be super effective. The trick is that it plays heavily into people’s emotions. The expected reaction is that the victim will go “wait, that’s not right ... I need to click this now”. Common examples of mobile phishing messages include the following:
- A delivery attempt was made. Please confirm a new delivery time by clicking here. Your package will be returned on X/XX/XX without an updated delivery date.
- Your package will be suspended. Unable to deliver until address is updated. SDFSDD_LINK_SDFDSD
- You have a voice mail waiting. Your voicemail will be available for 10 days. SDFSDD_LINK_SDFDSD
- You have been selected for the drawing for $250. Claim your prize at SDFSDD_LINK_SDFDSD
- Your work has been completed. Your invoice can be accessed at SDFSDD_LINK_SDFDSD
- Your student loan rate has been reduced. See your new rate at SDFSDD_LINK_SDFDSD
- Your traffic violation can be reviewed and paid at SDFSDD_LINK_SDFDSD
Common themes you should look for are the following:
- Promises of free prizes and cash
- Offers for credit cards or loans. (Especially low-interest ones.) These are illegal to send even if they’re from a reputable financial company.
- Government-related rebates
- Fake invoices
- Random links to complete a payment
- Alerts regarding suspicious account activity that ask you to confirm or share personal information
- Package delivery alerts that ask you to set preferences
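The themes and sample messages above can be turned into a simple triage heuristic, for example for a help desk sorting reported texts. The following Python sketch is an added example, not part of the original post; the keyword patterns, verdict names and sample messages are assumptions, and a match only marks a message for closer review.

```python
import re

# Assumed keyword patterns mirroring the themes and sample messages above.
THEMES = {
    "prize_or_cash": r"\b(prize|drawing|selected|winner|gift card)\b",
    "credit_or_loan": r"\b(loan|credit card|low[- ]interest)\b",
    "government_rebate": r"\b(rebate|refund|stimulus)\b",
    "invoice": r"\binvoice\b",
    "payment": r"\b(pay|paid|payment)\b",
    "account_alert": r"\b(suspicious|unusual) (account )?activity\b",
    "delivery": r"\b(package|parcel|delivery|deliver)\b",
    "voicemail": r"\bvoice ?mail\b",
}
# Pressure cues: a deadline or a threatened consequence.
URGENCY = r"\b(returned|suspended|expires?|immediately|available for \d+ days)\b"
# URLs, bare domain/path links, and the page's own link placeholder.
LINK = r"https?://\S+|\b[a-z0-9-]+\.[a-z]{2,}/\S*|_LINK_"


def triage_sms(text):
    """Return (verdict, reasons) for one SMS body."""
    reasons = [name for name, pattern in THEMES.items()
               if re.search(pattern, text, re.I)]
    has_link = bool(re.search(LINK, text, re.I))
    if re.search(URGENCY, text, re.I):
        reasons.append("urgency")
    if has_link and reasons:
        verdict = "suspicious"   # a lure or pressure cue plus a link to tap
    elif has_link or reasons:
        verdict = "review"       # one signal only: verify via the official site
    else:
        verdict = "no_match"
    if has_link:
        reasons.append("link")
    return verdict, reasons


# Constructed sample messages (example.test is a reserved test domain).
SAMPLES = [
    "Your package will be suspended. Unable to deliver until address is updated. SDFSDD_LINK_SDFDSD",
    "You have been selected for the drawing for $250. Claim your prize at example.test/claim",
    "Your invoice is ready at the front desk.",
    "Running late, be there at 6. Save me a seat?",
]

if __name__ == "__main__":
    for message in SAMPLES:
        print(triage_sms(message), "<-", message)
```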
The following is an example of one of these types of attacks. The goal for this example is for the victim to not only wonder what package is being held but, out of concern of losing it, quickly click the link to update their address to obtain
There are many sources that warn about smishing, such as mass.gov. My advice is to stop, think about whether the message could be fake and, if so, don’t click it. Anything pressing will not require you to click a link in a text message. If it’s from a bank, government agency or other trusted resource, go to the website of that resource directly and log in rather than clicking the SMS link. You will either validate that the message was real by directly accessing the associated resource or uncover a smishing attack. Consider any random prizes or other random SMS messages you receive a scam by default.