Most of us have had to deal with rampant phishing emails at some point or another, but the latest social engineering trick targets the device that we carry with us at all times – the mobile phone. SMiShing (SMS phishing) is an offshoot of phishing that uses text messages and SMS services to target people and extract private information.
Such messages are textbook social engineering exploits built from a ‘bait’ and a ‘hook’. The bait is any content that instantly attracts attention and instils a sense of urgency; a lottery win worth millions of dollars is a commonly seen example. The hook is either a phone number that the victim needs to call or text, or a URL that the victim needs to visit.
A victim who takes the bait is then asked to submit personal details of varying nature: credit/debit card details, bank account details, contact information and more. This information is subsequently misused to derive monetary benefit for the attacker.
What makes SMiShing effective?
- The single biggest contributory factor to the rise of SMiShing is that people carry their mobile phones with them at all times. Recipients view text messages almost immediately, which gives attackers plenty of opportunities to send tempting messages.
- A majority of mobile users are still unaware of such persistent and pervasive threats, and user ignorance is one of the biggest reasons social engineering techniques succeed.
- Smartphone owners underestimate the security threats pertinent to their devices, and this increases their exposure. An effective security suite on a smartphone can block many of these threats.
- If a victim responds to a SMiShing message, the phone number is confirmed as live. This leads to further targeted attacks on that number and also lets the attacker narrow down the list of targets.
What mobile users must do
Users should be aware of the various kinds of bait they may be exposed to. For example, a frequently used bait states that the user has been registered for a service and needs to contact a specific number or visit a certain URL to cancel the registration. Other baits claim that some amount of money has been charged, which elicits a response.
Here are some tips and points that all mobile users should pay attention to:
- DO NOT fall for scams, gifts and offers that appear out of the blue
- DO NOT click on links that appear in such messages
- DO NOT call back on numbers that claim to offer gifts and benefits
- DO NOT panic if the SMS makes dubious or threatening claims
- DO NOT fall for the false sense of urgency such messages create
- DO check the company’s official website for any offer that is mentioned
- DO contact local authorities if the same number or SMS persists
- DO be cautious if an SMS asks for personal or financial information
- DO look out for spelling mistakes, grammatical errors or inconsistency of language
- DO have an anti-spam solution in place and update your OS regularly
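One way to turn the bait-and-hook pattern and the checklist above into a triage filter, as an added example that is not part of the original article: a small Python scorer that looks for bait words, a hook (URL or phone number), requests for personal or financial details, shortened links, and a brand name whose link points somewhere other than that brand's official domain (the "check the official website" rule). The keyword lists, weights, threshold and brand-to-domain table are assumptions chosen for illustration, and the sample messages are constructed.

```python
"""Heuristic SMiShing scorer over constructed sample messages.

Added example, not part of the original article. Keyword lists, weights,
threshold and the brand table are assumptions; tune them to your own traffic.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Bait vocabulary: words that grab attention or manufacture urgency (assumed list).
BAIT_WORDS = (
    "won", "winner", "lottery", "prize", "gift", "free", "reward",
    "urgent", "immediately", "now", "suspended", "locked", "charged",
    "verify", "confirm", "cancel", "expire", "expires", "unusual",
)
# Requests for the personal and financial details the article warns about.
PII_WORDS = ("password", "pin", "otp", "cvv", "card number", "account number", "ssn")
# Brands a message might impersonate, mapped to the brand's real domain (constructed table).
BRAND_DOMAINS = {"paypal": "paypal.com", "amazon": "amazon.com"}
# Public URL shorteners hide the true destination of the hook.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Loose phone pattern: a digit, six or more digits/separators, a digit (e.g. 555-0100).
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{6,}\d")
FLAG_THRESHOLD = 4  # assumed cut-off

# Constructed sample messages, not real SMS traffic.
SAMPLES = {
    "lottery": "Congratulations! You have won a $1,000,000 lottery. Call 555-0100 now to claim.",
    "charge": "URGENT: your account has been charged $499. Cancel at http://secure-bank-verify.example/cancel",
    "paypal": "PayPal: unusual sign-in detected. Verify your password at https://paypal.account-check.example/login",
    "courier": "Your parcel is on its way, track at https://tracking.example-courier.com/123",
    "amazon": "Amazon: your order has shipped. Track at https://www.amazon.com/orders",
    "personal": "Hi, running 10 min late, see you at the cafe",
}


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def domain_of(url: str) -> str:
    """Lower-cased host part of a URL ('' if unparsable)."""
    return (urlparse(url).hostname or "").lower()


def same_site(host: str, official: str) -> bool:
    """True for the official domain or a subdomain of it; rejects lookalikes like paypal.com.evil.example."""
    return host == official or host.endswith("." + official)


def _words_in(low: str, words) -> list:
    """Whole-word matches so 'won' does not fire on 'wonderful'."""
    return [w for w in words if re.search(r"\b" + re.escape(w) + r"\b", low)]


def score_sms(text: str) -> Verdict:
    v = Verdict()
    urls = URL_RE.findall(text)
    body = URL_RE.sub(" ", text)  # scan words/phones outside the links themselves
    low = body.lower()

    bait = _words_in(low, BAIT_WORDS)
    if bait:
        v.add(min(len(bait), 3), "bait words: " + ", ".join(bait))

    phones = PHONE_RE.findall(body)
    if urls or phones:
        v.add(2, f"hook present: {len(urls)} url(s), {len(phones)} phone number(s)")
    if bait and (urls or phones):
        v.add(1, "bait and hook in the same message")

    pii = _words_in(low, PII_WORDS)
    if pii:
        v.add(2, "asks for: " + ", ".join(pii))

    full_low = text.lower()
    for url in urls:
        host = domain_of(url)
        if host in SHORTENERS:
            v.add(2, f"shortened link hides destination: {host}")
        for brand, official in BRAND_DOMAINS.items():
            if brand in full_low and not same_site(host, official):
                v.add(3, f"mentions {brand} but links to {host}, not {official}")
    return v


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        verdict = score_sms(text)
        print(f"{label:9} score={verdict.score:2} flagged={verdict.flagged} {verdict.reasons}")
```

The brand check is the programmatic form of "check with the official website": a message that names a company but links to a host that is not that company's domain (or a subdomain of it) is scored heavily, while a legitimate link to the real domain adds nothing. Scores are additive so a single weak signal (one link, one urgent word) stays below the threshold and only the bait-plus-hook combination described above gets flagged.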