Smishing

Glossary

One speaks of smishing when a phishing attack is done by sending text messages – SMS – to cell phones. The messages are designed to trick potential victims into clicking on a link and thereby sending sensitive information to the attackers, downloading malicious software or falling for a classic con job.

What does smishing mean in detail?

SMS is still a frequently used type of conversation on smartphones and is perceived as generally safe. It is precisely this assumption that criminals exploit to extract sensitive information or install malware and enrich themselves at the expense of the victims. The following attack methods are frequently observed:

Malware distribution

this is similar to the classic phishing email. Victims receive a text message with a link and are encouraged to click on it. A popular scam of the perpetrators is to pretend to be a known service provider in the SMS – for example DHL, Amazon, etc. – and to inform them about the whereabouts of a shipment. The link in the SMS leads to a website where an app is available for download. This looks very similar to the service provider’s app but it is a fake and contains a banking Trojan. It is activated when the supposed app is downloaded and can access and also use all personal data, such as phone numbers, email addresses and banking data, after installation. In addition, the access by unauthorized third parties can result in further malicious SMS being sent to the contacts on the cell phone – a chain reaction with fatal consequences.

Android devices in particular are affected by this attack scenario, as the operating system allows apps from unknown sources to be installed.

Bank smishing

Cybercriminals are particularly interested in login information for online banking. The attack pattern is rather simple: the attacker sends an SMS in the name of the victim’s supposed bank. This message might contain information that the bank account has been hacked for example and provides a phone number or link to prevent further, alleged damage. The phone number often leads directly to the criminals, while the link in the message leads to a fake website. In both cases, victims are tricked into revealing their access date such as user name and password. The next time the victims log into their accounts, they often find their bank account completely empty. Unfortunately, the telephone number used by the attackers is often hidden, so that victims cannot identify the source of the text message.

Where do I encounter smishing in my day-to-day work?

You may encounter smishing if you use a cell phone for business purposes – whether it’s your personal or company phone.

What can I do to improve my security?

  • Watch out for cryptic links, spelling or special characters in text messages. If these pile up within a message, don’t click on any of the included links and block the sender’s phone number. If you receive a text message in the name of a package delivery company or your bank, log into the provider’s official website to check messages sent to you.
  • Use only apps from reputable sources, that is, the official app stores or from the provider’s website to download apps. On Android, there is an option in the settings to turn off the “Install apps from unknown sources” menu item.
  • Inform the members of your organization so that they are appropriately warned and watch out for suspicious text messages.
  • Report the smishing incident to the consumer reporting agency. This will not only protect you, but others as well.
  • Generally. Be cautious. Ask yourself if your bank or parcel service would send you such messages. Would they even have your mobile number to do so? No bank calls your customers and asks for personal information over the phone. If you receive a call of this nature, hang up and stop the conversation immediately.

Related articles

  • Phishing

    Criminals use fraudulent email, spoofed websites, and other methods to try to obtain confidential corporate information. By pretending to be a known person (colleague, boss) or organization (bank, service provider), the fraudsters use the trust of the victim to readily disclose information.

    mehr lesen
  • Malware

    These are malicious programs that affect the daily lives of those affected in various ways: encrypted data, missing documents and corrupted systems. Their aim is to spy on their victims, incapacitate them or blackmail them.

    mehr lesen

Are you curious?

Test us for 30 days free of charge and without obligation.

We empower your employees to actively contribute to your company’s cybersecurity.

See for yourself how easily and quickly Perseus can be integrated into your corporate structure.

Test now for free

Do you have any questions about our services?

Do not hesitate to call: + 49 30 95 999 8080

  • Free trial period
  • Without obligation
  • Video training for cyber security and data protection with exam and certificate
  • Try our phishing simulation
  • IT security check, malware scanner, data security check and more
  • Ends automatically after 30 days