“Smishing”: scammers’ newest tool in the smart phone era

Last night, while I was sitting around daydreaming about all the bills I was going to pay on time, I received an unusual text message:

Three delinquent payments, I thought. I only ever have two delinquent payments on my credit report—how dare you suggest I’m the type of person who would have a third!

It just so happens I pulled my free credit reports for the year a few days ago, so I know perfectly well there’s nothing delinquent on my credit record. And while a quick Google investigation didn’t yield any results for this phone number or the verbiage used in that text, I know I’m just one of the thousands of people on the receiving end of this message today.

This is an example of what’s now being called “smishing.”

Don’t be fooled: “smishing” might be one of the funniest words ever invented, but it describes something that could have a dramatically negative impact on your life IF you aren’t on the lookout for it.

“Smishing” comes from the combination of “SMS,” or short message service, and “phishing,” a practice in which scammers pretend to be legitimate organizations seeking information to ensnare victims.

Typically, phishers have relied on casting a wide net of emails to direct victims to bogus websites. Once navigated to the site, users are usually asked to input critical login information or private details a scammer can exploit, but sometimes users are tricked into downloading malicious software that can be used to gain access to sensitive data.

But in 2020, most of us have traded our desktops and laptops for mobile devices. And instead of using email to communicate, we are favoring short message services for an increasing amount of our day-to-day business.

Ten years ago, it would have been unusual to receive a business text.

Today, I would conservatively estimate that I receive between ten and 37 thousand texts a day from my utility providers, my financial institutions, my doctors, mail delivery services, and everywhere I have ever shopped in my entire life. At this point, I wouldn’t be surprised if I received a text message from a gumball machine I put a quarter into in 1995: “WE MISS YOU! USE COUPON CODE ‘GUM95’ TO GET YOUR FREE CHERRY DUBBLE BUBBLE TODAY!” Things have really gotten out of hand.

Naturally, our growing trust and comfort with conducting business over text messages has created a favorable environment for phishers to move their operations to SMS.

In fact, the environment is so favorable, scammers are—excuse me for a second. I just got a text notification.

Never mind. Just another smish. And from the same scammer, too. Check out that URL.

Anyway. Now, what was I talking about…

…Oh, right.

The environment is so favorable for text-scammers that they stand to make more money duping users through texts than they ever did through email. As many as 98% of text messages get opened compared to 20% of emails, and 45% of texts get responded to versus a measly 6% of emails.

Case in point: the reason I received a second smish attempt from the same bogus URL is because I opened the first one. Unfortunately, by reading the first text about my derogatory credit marks, I’ve just let the scammer know my phone number is live and I can be intrigued enough to open a message. Though I didn’t take the bait about my credit report, the scammer will likely keep trying me with different tactics hoping he sends me one I can’t resist.

In the phishing game, getting a potential victim to open the message in the first place is half the battle. And phone users, like myself, have proven we are much more likely to open a text than an email.

What the scammer doesn’t know is that I opened his texts to make an example out of him on a blog about scams. Sorry to get your hopes up, friend, but thanks for the content!

The rise in smishing success is also largely due to a common misconception that our phones are more secure than our computers. Most of us have had decades to understand our computers are susceptible to malware, scams, and other suspicious activity. But we still don’t have a common understanding that our phones are computers, too. They are just as vulnerable to attack as any other device. We need to view unknown texts with the same amount of suspicion that we do unknown emails on our computers.

Smishing attempts can be about anything, but they are usually about things alarming enough to motivate a user to open the message and click a link:

You owe the IRS money.

You have bad marks on your credit report (check!).

You have bad marks on your driving record (double-check!).

You have packages waiting at the post office.

Your bank is closing your account.

You’ve won a prize!

Your Social Security number is being suspended.

Your Apple/Google account has been locked.

You’ve been exposed to COVID (this one is the Flavor of the Month).

If you’ve received something like this, step one is to scrutinize the number of the sender. Many times the number won’t look remotely like a real number. It could also simply say “restricted.” Hard pass on those messages. But, it is worth noting that a scammer can spoof any number they’d like—including those you trust.

Step two is to scrutinize the message content. A lot of these messages are somewhat…bizarre. Using my “Auto Vehicle Department” text as an example, the first thing I notice is…what the hell is the “Auto Vehicle Department?” The next thing I notice is This Sender Definitely Feels Strongly About First Letter Capitalization. That doesn’t strike me as being too professional. I’d certainly expect more from the prestigious Auto Vehicle Department.

These texts will usually include a link. So, step three is DON’T CLICK THE LINK. There is a possibility all it will do is take you to a fake website where the real damage will be done, but there’s also a possibility that just clicking the link will install something nasty on your phone. So the safest thing you can do is not click anything within the message.

LOOKING at the link in the message, however, might give you some further clues it’s illegitimate. The reason I knew my messages were fraudulent is because aside from being really absurd URLs for allegedly important organizations, they are also…the same URL.

…Then again, that could just be a coincidence.

And now that I think about it, I AM pretty concerned about my driving record…

…Maybe I should just check it out a little bit more before I—wait, phone’s beeping again.

Wow! I’ve won an iPad! I’ve always wanted one of those!

Except…there’s those capital letters again.

…And there’s that URL again. I guess that’s a triple-check for today.

I probably should have made “step one” don’t click to open the message in the first place. I have a feeling I’m going to be paying for writing this article for a few days.

…Hang on a minute.

…Yeah, I’m definitely going to be paying for this one.
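
The three checks above (the sender's number, the message style, and looking at the link without clicking it) can be run over a whole inbox at once. This is an added example, not part of the original post: the inbox, the hosts, the 10-to-15-digit sender rule and the 0.8 capitalization threshold are all assumptions made for illustration, and the script only reads link text, it never opens a link.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed inbox of (sender, text); numbers, wording and hosts are invented.
INBOX = [
    ("restricted", "You Have Three Delinquent Payments On Your Credit Report. "
                   "Review Them Here http://prize-hub.example.test/c"),
    ("5550100", "Auto Vehicle Department: You Have Bad Marks On Your Driving "
                "Record http://prize-hub.example.test/d"),
    ("+1 202 555 0143", "Your package is ready for pickup. Details: "
                        "https://parcels.example.org/track"),
]

def link_hosts(text):
    """Hosts of every link in the text, parsed only, never fetched."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlsplit(url.rstrip(".,)!?")).hostname
        if host:
            hosts.add(host)
    return hosts

def title_case_ratio(text):
    """Share of words (links removed) written Like This."""
    words = re.findall(r"[A-Za-z]+", URL_RE.sub(" ", text))
    return sum(w.istitle() for w in words) / len(words) if words else 0.0

def odd_sender(sender):
    """Crude assumption: a plausible number has 10 to 15 digits."""
    digits = re.sub(r"\D", "", sender)
    return not 10 <= len(digits) <= 15

def review(inbox, caps_threshold=0.8):
    """Return one sorted list of flags per message, in inbox order."""
    seen = Counter(h for _, text in inbox for h in link_hosts(text))
    results = []
    for sender, text in inbox:
        flags = set()
        if odd_sender(sender):
            flags.add("odd-sender")
        if title_case_ratio(text) >= caps_threshold:
            flags.add("title-case")
        if any(seen[h] > 1 for h in link_hosts(text)):
            flags.add("repeated-link-host")
        results.append(sorted(flags))
    return results
```

A clean result is not proof a text is legitimate, since a scammer can spoof a trusted number and write in ordinary sentence case.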

The data security experts at Kaspersky have some additional tips to protect you from the rise in smishing scams. And as always, if you’re receiving texts like this, report them to the FCC.

Speaking of which, I have some reporting of my own to do, it seems.

Good luck and stay safe on your phones out there!
