Vishing is not the only type of phishing that digital fraudsters can perpetrate using a phone. They can also conduct what is known as smishing. This method leverages malicious text messages to trick users into clicking on a malicious link or handing over personal information.

Techniques Used in Smishing

Webroot identified some techniques commonly used by smishers:

• Trigger the download of a malicious app: Attackers can use malicious links to trigger the automatic download of malicious apps on victims’ mobile devices. Those apps could then deploy ransomware or enable nefarious actors to remotely control their devices.
• Link to data-stealing forms: Attackers could leverage a text message along with deceptive phishing techniques to trick users into clicking a malicious link. The campaign could then redirect them to a website designed to steal their personal information.

• Instruct the user to contact tech support: With this type of attack tactic, malicious actors send out text messages that instruct recipients to contact a number for customer support. The scammer will then masquerade as a legitimate customer service representative and attempt to trick the victim into handing over their personal data.

Examples of Smishing Attacks

News emerged in the middle of September of a Smishing Campaign that used the United States Post Office (USPS) as a lure. The operation’s attack SMS messages informed recipients that they needed to view some important information about an upcoming USPS delivery. Clicking on the link led them to various locations including a fake casino game as well as a website designed to steal visitors’ Google account credentials.

It was a short time later when Naked Security released a report of a smishing campaign targeting Apple fans. The SMS messages appeared as though they had arrived at the wrong number, and they used a fake Apple chatbot to inform the recipient that they had won the chance to be part of Apple’s 2020 Testing Program and test the new iPhone 12. This campaign ultimately instructed victims to pay a delivery charge. In actuality, the operation simply used a fake web portal to steal its victims’ payment card credentials.

How to Defend Against Smishing

Users can help defend against smishing attacks by researching unknown phone numbers thoroughly and by calling the company named in the messages if they have any doubts.