Smishing: Theft of Information via Text Message

by Chris White, Software Engineer

Smishing is another powerful method attackers use to steal account credentials and sensitive information.

What is smishing?

Like phishing and vishing, smishing leverages trust, urgency, and deception to manipulate victims, but via text message instead of other channels. Smishing, short for "SMS phishing," is a type of scam where attackers use text messages to impersonate trusted entities, such as banks, government agencies, or online retailers, to trick victims into sharing sensitive information like passwords, Social Security numbers, or credit card details. Attackers may also attempt to convince victims to click malicious links or download malware onto their devices.

How it works

  1. The victim receives a text message that appears to originate from a trusted source.
  2. The message contains urgent claims like account compromise or notice of payment.
  3. The victim is asked to click a link or call a phone number to resolve the issue. The link leads to a malicious website and the phone number connects to a scammer.
  4. The victim either clicks the link, which infects their device with malware or takes them to the fake site, or calls the number and unwittingly hands sensitive information to the attacker.

Example: A scammer sends a text to an employee, claiming to be from the company’s HR department. The message states that their payroll information needs to be updated immediately and includes a link to a fake login page designed to steal their credentials.

Example: An attacker sends a text claiming unusual login activity was detected on the employee's corporate account. The message includes a link to a site that looks identical to the company’s login portal. As the employee enters their credentials, the attacker captures them. The stolen credentials are then used in a credential stuffing attack to target other systems and accounts.
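The two examples above share the same building blocks: an urgent pretext, a request that touches credentials or payroll data, and a link whose domain only resembles the company's. The following heuristic scorer is an added example (not code from the original article or from the author's organisation) that turns those indicators into a triage score a security team could run over reported messages. The allowlist `TRUSTED_DOMAINS`, the keyword lists, the weights and the four sample messages are all constructed for this illustration, and the registrable-domain logic is deliberately naive (it ignores multi-part TLDs such as co.uk).

```python
import re
from dataclasses import dataclass

# Assumed allowlist of domains the organisation really sends SMS links from
# (constructed placeholder for this example; replace with your own).
TRUSTED_DOMAINS = {"example-corp.com", "hr.example-corp.com"}

# Indicator phrases, chosen for this example; extend from real reported messages.
URGENCY_TERMS = ("immediately", "urgent", "suspended", "locked",
                 "unusual login", "verify now", "within 24 hours")
CREDENTIAL_TERMS = ("password", "login", "credentials", "social security",
                    "card number", "payroll")

# Matches http(s) URLs and bare domains such as pay-now.net/path; group 1 is the host.
URL_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (ignores multi-part TLDs)."""
    return ".".join(host.lower().split(".")[-2:])


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for the host of a link."""
    host = host.lower()
    reg = registrable(host)
    trusted_regs = {registrable(t) for t in TRUSTED_DOMAINS}
    if reg in trusted_regs:
        return "trusted"
    for t in trusted_regs:
        brand = t.split(".")[0]
        # Brand name reused as a subdomain of an unrelated domain, or a near-miss spelling.
        if brand in host.split(".") or levenshtein(reg, t) <= 2:
            return "lookalike"
    return "untrusted"


@dataclass
class Verdict:
    score: int
    reasons: list
    label: str


def score_sms(text: str) -> Verdict:
    """Score one message; higher means more smishing indicators were found."""
    reasons, score = [], 0
    hosts = [m.group(1) for m in URL_RE.finditer(text)]
    body = URL_RE.sub(" ", text).lower()  # keyword scan on the prose only, not on link paths

    urgency = [t for t in URGENCY_TERMS if t in body]
    if urgency:
        score += min(len(urgency), 2)
        reasons.append(f"urgency: {urgency}")
    creds = [t for t in CREDENTIAL_TERMS if t in body]
    if creds:
        score += min(len(creds), 2)
        reasons.append(f"asks about: {creds}")
    for host in hosts:
        kind = classify_host(host)
        if kind == "lookalike":
            score += 3
            reasons.append(f"lookalike domain: {host}")
        elif kind == "untrusted":
            score += 2
            reasons.append(f"untrusted domain: {host}")
    label = "likely smishing" if score >= 4 else "suspicious" if score >= 2 else "low risk"
    return Verdict(score, reasons, label)


# Constructed sample messages modelled on the two scenarios in the article.
SAMPLE_MESSAGES = [
    "HR: Your payroll information must be updated immediately. "
    "Log in at https://example-corp.com.payroll-update.net/login to avoid delay.",
    "Unusual login activity detected on your corporate account. "
    "Verify now: http://examp1e-corp.com/verify",
    "Reminder: the all-hands meeting starts at 10:00 in room B. "
    "Agenda at https://hr.example-corp.com/allhands",
    "Your parcel could not be delivered. Pay the redelivery fee within 24 hours "
    "at https://parcel-fee-center.net/pay",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = score_sms(msg)
        print(f"[{v.label}] score={v.score} {v.reasons}")
```

The first two samples score highest because a lookalike domain is weighted above any wording: urgency and credential keywords vary from campaign to campaign, while a brand name buried in a subdomain or a one-character typosquat of a trusted domain is hard to explain innocently. Treat the labels as triage priority for human review, not as a blocking decision.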

Protecting your organization

Be skeptical of unsolicited messages: don't respond to messages from unknown numbers or sources requesting sensitive information. Legitimate sources rarely ask for confidential information via text.

Avoid links in unexpected texts: like phishing emails, smishing texts often contain malicious links. Don't click links until you verify the sender and the message legitimacy.

Don't long-press links to preview the destination URL: the risk of accidentally opening the link is high.

Verify the sender directly: contact the source using contact information you already know to be genuine. Don't use the contact information provided in the message itself. If you find it difficult to obtain contact details that aren't contained in the message, then it's probably a smishing attempt.

Multi-factor authentication: enforce the use of multi-factor authentication. Although many providers offer SMS-based MFA, prefer an authenticator app, since SMS codes can be intercepted by an attacker who takes over the victim's phone number via SIM swap.

Block and report: most phones and carriers allow you to block phone numbers. This can help reduce the number of smishing attempts you receive in the future.

Keep your phone up to date: updates contain security patches that protect your phone from vulnerabilities that can be exploited through smishing attacks.

Smishing is a sophisticated form of social engineering that can lead to credential theft and employee account takeover. Avoid falling victim by arming your organization with the knowledge and tools required to recognize smishing. Employee training and awareness significantly reduce the risk of successful attacks, transforming employees from potential vulnerabilities into a robust line of defense.

Are you worried about smishing?

We can help bolster your team's security posture with simulated phishing exercises and smart training.
