If phishing were an animal, it would probably be a chameleon. Phishing via email or text message (SMS), by phone, sent in large volumes or through targeted, spear-phishing attacks…

Phishing can definitely take on multiple shapes!

And in our case, phishing through text message or SMS is called SMishing. And it’s on the rise.

The good news in all this? It’s possible to decrease the risk of falling for a phishing attack by understanding what the hackers are doing, and how. This is the goal of this article.

What is SMishing (SMS + phishing)?

Phishing and SMishing: different channels, same goals

SMishing is a kind of phishing attack. In a SMishing attack, hackers use the text message channel to lead their target into taking action: clicking on fraudulent links and providing confidential information (credentials, banking information, one-time passwords…), downloading malware, giving permissions to third-party apps…

By conducting these attacks via SMS, hackers have the same goals as in a phishing attack: either to obtain information in order to exploit it (by reselling it or using it in an attack) or to use the action (like downloading malware) as a step in their attack.

SMishing examples

There are numerous SMishing examples. Below, you can find some of them.

Classic example of bank impersonation
Another example referencing payment issues with a mainstream service (Netflix)
Delivery issues SMishing

Some standout facts about SMishing

Phishing attacks via text message are increasingly used by hackers (some studies have shown that as many as 7 out of 10 people could have received SMishing attacks in 2021). For them, SMishing represents an effective attack vector.

High read rate

According to a French research center, text messages are read 95% of the time, much higher than for emails.

The speed with which we consult our text messages is also interesting for hackers: 92% of marketing text messages are read within 4 minutes of being received.

People are three times easier to trick on a phone than on a computer

This is another advantage for hackers: curiosity seems to be higher (or at the very least reaction to messages) on a phone than on a computer. We’re three times more likely to click on the link contained in a message on our phone than on a computer.

How do hackers conduct SMishing attacks?

SMishing relies on social engineering

This is now common knowledge: hackers (like all fraudsters, in fact) rely on psychological triggers (social engineering) in order to incite their targets into clicking a link and taking action afterwards.

What are the triggers used in SMishing attacks? Here are a few of the main ones used:

  • Trust and authority: Text messages can be fraudulently signed by trusted companies or institutions such as US Postal, Microsoft, Netflix, the IRS, Fedex…
  • Fear and threat: Fear of having an account suspended, of losing money, of no longer being able to access a service…
  • Urgency: “Confirm your personal information within the next 24h”, for example (often used with a threat)
  • Personal gain: By mentioning either potential money to be won, or sums to be lost if no action is taken

Confronted with these psychological triggers, the human mind needs to be particularly vigilant to resist the temptation to click on a link.

Link obfuscation, a central element of SMishing attacks

Phishing text messages often contain a link through which hackers trick their targets and conduct their attacks. This link is often hidden behind a URL shortener (Bitly, TinyURL), making it harder for the reader to analyze.

From a technical perspective, this is called “link obfuscation” because the final address is hidden behind meaningless characters.

And when the link is fully visible, hackers make sure to use a look-alike name or website, changing a few characters or masking the domain to pass for a legitimate business.

SMishing, and what next?

For hackers, SMishing is most often only the first step. It can be used as a means to gain initial access and deploy malware. In these cases, the victim receives a text message with a link. Clicking the link installs malware on the phone, which can then be used to harvest credentials, banking information, passwords, contacts, messages, etc. FluBot is an example of such malware.

Another use case is the reliance on SMishing in support of Business Email Compromise attacks. In these cases, a message that seems to come from an executive (CEO SMishing) or from a specific person in the company asks for a money transfer or for confidential information.

Initially deployed via email, these Business Email Compromise attacks can now be sent via text message. This was, for example, the case in a 2022 cyberattack on Uber. After stealing the credentials of an employee of the company, a hacker impersonated Uber’s IT service and contacted the target via WhatsApp in order to get them to validate multi-factor authentication requests, enabling the hackers to gain access to their account.

Finally, SMishing can be an integral step in bypassing multi-factor authentication: hackers initiate a login (just like in the Uber hack) with stolen credentials, then send a social engineering text message to obtain the one-time password the target received, and thereby access their account.

How can you protect against SMishing attacks? Some best practices

Set up technical protections against SMishing

From a technical standpoint, companies can deploy security solutions for mobile endpoints. Their goal: to protect their employees’ professional phones through certain functionalities.

These include using a mobile endpoint management solution, forcing updates to users’ phones (OS and app updates), limiting the installation of applications and keeping an eye out for suspicious behavior, with the ability to revoke mobile access.

Tackle the human aspect of SMishing

This being said, even the best technical solutions will never be 100% foolproof, especially when human vulnerability is exploited. Some (if not most, when well crafted) attacks will always get through to their targets.

Phishing text messages are harmless as long as the user doesn’t click on the links or answer them. The best way to reinforce a company’s protection against SMishing attacks is to take steps that tackle their human aspect.

Communicate about SMishing best practices

Protection against SMishing attacks is within reach of most users, regardless of their digital maturity, and can be summarized in a few words: reflexes, vigilance, common sense. For example:

  • Don’t follow links from text messages that are from an unknown sender
  • Do not answer those messages either
  • Beware when text messages contain special offers or urgency triggers. Teach your users the psychological triggers that hackers use.
  • Try and check the destination URL
  • Visit the website via normal navigation instead of following a link in a text message. Large companies are usually the target of frauds that impersonate their identities, and they regularly publish warnings about ongoing SMishing attacks.
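The link obfuscation tricks described above (shorteners, look-alike spellings, a brand name masked inside a subdomain) and the advice to check the destination URL can be turned into a simple offline triage check. The following is an added example, not code from the original article; the brand allowlist, the shortener list beyond Bitly and TinyURL, the urgency keywords and the sample messages are all constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed brand allowlist; Bitly and TinyURL are named in the article, the other shorteners are assumptions.
BRANDS = {"netflix.com", "usps.com", "fedex.com", "microsoft.com", "irs.gov"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URGENCY = ("within 24h", "immediately", "suspended", "verify now", "urgent")
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)
# Digits commonly swapped for letters in look-alike domains (netfl1x, micr0soft)
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registrable(host):
    """Last two labels of a hostname (simplification: ignores co.uk-style suffixes)."""
    return ".".join(host.lower().split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url):
    """Reasons why a link looks obfuscated; an empty list means nothing was flagged."""
    host = urlsplit(url).hostname or ""
    reg = registrable(host)
    if reg in BRANDS:
        return []                         # genuine brand domain
    reasons = []
    if reg in SHORTENERS:
        reasons.append("shortener hides destination")
    tokens = reg.split(".")[0].translate(SWAPS).split("-")
    for brand in sorted(BRANDS):
        name = brand.split(".")[0]
        if brand in host:                 # e.g. irs.gov.refund-center.net
            reasons.append(f"brand {brand} masked in subdomain")
        elif any(t == name or edit_distance(t, name) <= 1
                 or (len(name) >= 5 and name in t) for t in tokens):
            reasons.append(f"look-alike of {brand}")
    return reasons

def score_sms(text):
    """Combine link findings with urgency triggers into a simple verdict."""
    links = [(u, classify_url(u)) for u in URL_RE.findall(text)]
    triggers = [t for t in URGENCY if t in text.lower()]
    flagged = any(r for _, r in links) or (bool(links) and bool(triggers))
    return {"suspicious": flagged, "links": links, "triggers": triggers}
```

A shortener can only be flagged, not resolved, offline; the actual destination should be expanded in an isolated analysis environment rather than on the user's phone.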

Teach, show, train

It’s much more difficult to fight against something that you don’t know or understand. The best way to raise awareness among your teams about the threat of SMishing is to teach them about this attack vector: analyze real SMishing examples, highlight which psychological tricks hackers use (and which are therefore tell-tale signs of a potential attack), and explain what the consequences could be for them, their colleagues and their company…

It might be a good idea to include some SMishing scenarios in your phishing simulation campaigns. There’s nothing like exposure to attacks under real-life conditions to see how your employees would react (and how they can improve).