What is Smishing?

Smishing is a specific type of phishing that supposes the use of SMS services. Same as classical phishing, it aims at stealing the confidential data of the victim.

Smishing | Gridinsoft

What is Smishing?

SMS in 2022 look like a completely obsolete method of communication. However, this rarity is handy for rackals. They manipulate the fact that people are prone to believe and react the things they receive in SMS.

Today's statistics show that users read 98% of text messages and respond to 45% of messages. Similarly, messages sent via email are read by only 20% of users, and only 6% respond. Thanks to this misguided trust in text messaging, smishing has grown in popularity by more than 300% over the past couple of years. Now, we will look at what kinds of smishing attacks there are, how they work, and some tips to avoid smishing attacks.

How does smishing work?

Typically, cybercriminals use malicious links and malware to carry out their attacks. Let's take a look at how hackers conduct fraudulent schemes. This will help avoid them in the future:

  • 1️⃣ The attacker sends a text message using social engineering to make the victim believe that his message is legitimate.
  • 2️⃣ The victim transmits personal information (logins and passwords, for example, ) or clicks on a link that leads to a phishing or infected site and enters its personal information there. Sometimes, the text message may be a request to call back to a specified number to clarify the details. There may be a charge for such callbacks.
  • 3️⃣ The hacker uses the information he obtains for fraudulent purposes or to sell the data on the Darknet.
Example of Smishing
Example of Smishing

These days, people have become much harder to trick. They rarely believe in large prizes for nothing and are doubtful about disclosing their payment data. Therefore, crooks are forced to opt for more sophisticated (, i.e., more realistic) fraud schemes.

Types of smishing attacks:

Financial services smishing scams

Each of us uses the services of one bank or another, and everyone remembers the confirmation codes that the bank sent us by SMS. With the advent of official applications for banks, these confirmation codes have migrated to these same applications, and the need to send SMS significantly decreased. Unfortunately, some scammers pretend to be legitimate banking institutions to force the victim to compromise confidential data, such as phone numbers, passwords, and insurance numbers.

Confirmation smishing scams

Like the previous variant, in a confirmation scam, the hacker sends the victim a message asking him to confirm something. Be it an upcoming meeting or confirmation of an order (even if the victim didn't make the order). Sometimes such messages contain a link leading to a phishing site that asks for confidential data to confirm the purchase.

Customer support smishing scam

The scammer sends messages posing as a well-known company to gain the victim's trust, then reports a problem with the account. The scammer then solves the problem (usually a link to the same phishing site where the victim enters their confidential data).

Gift smishing scams

Have you ever received an SMS with congratulations and a text like "You have won a huge sum of money" or "Your distant relative has left you a large sum of money as an inheritance"? Usually, they are nonexistent winnings, but to get them. The victim is suggested to follow a link and confirm their data to receive a prize.

COVID-19 smishing scams

Sometimes, scammers pretend to be medical or government agencies and demand money from the victim for providing certain services. Some such apps are even available on Google play, but they are often distributed through unofficial app stores. Also, not uncommon cases when scammers on behalf of medical institutions send an SMS with the text "get your covid payment" and ask to enter bank card data (with CVV code) or "watch for covid statistics for areas of your region" and a link to the site where the victim is required to enter their data such as full name, address and phone number.

Typical smishing attempt related to a COVID thematics
Typical smishing attempt related to a COVID thematics

Signs of smishing

Listed below are the main signs of smishing. Knowing them can significantly reduce the chance of being tricked by this attack.

SMS from a suspicious phone number

A standard phone number consists of a certain number of digits, and each region has its code with which the number begins. If you receive an SMS from an unknown number, which differs from the numbers in your area, treat this message with suspicion. It is likely a potential threat. Almost always, this is accompanied by links to phishing websites designed to steal your confidential information. If an SMS from an unknown sender contains a link, never click on it. Even if the site address looks real, it's a fake.

Urgent requests

Many phishing emails or SMS contain urgent requests that need to be answered as soon as possible, such as "limited offer" or "until the end of the promotion..." or "urgently click and take." Of course, any official company will warn its customers in advance or calmly notify them of anything. Delete such a message, and to be sure, you can call that company to clarify.

Money requests

Some scammers openly write and ask for money. They may introduce themselves as your relative and ask for medical treatment or write that your relative was in an accident and urgently needs money to resolve issues. Please do not fall for it. They are scammers. Just delete the message.

Prize notifications

Many people have participated in the lottery. Everyone knows very well that the chance of winning the lottery is tiny. And to win in a lottery in which you have not participated in principle is almost zero. If you receive an SMS about winning a lottery but have not participated in it, do not follow the links and do not open any attachments if they are present. You risk becoming a victim of a malicious attack and infecting your device with malware.

How to prevent Smishing and What to do if you become a victim of smishing?

To avoid unpleasant consequences, remember a few simple rules:

  • Do not reply. Sometimes, in the message, they write "send a stop to unsubscribe" This is done to ensure that the number is active and they can start/continue the attack. Ignore such emails.
  • Slow down if a message is urgent. If you receive an SMS asking you to respond as soon as possible, don't rush. Treat the message with a degree of caution and skepticism. Do not panic.
  • Never give your password to anyone. Bank employees NEVER ask users for their passwords. Also, don't send sensitive data such as passwords in plain text. Enter passwords only on official sites. Look carefully at which site you go to. Hint: Today, absolutely all official sites use the secure HTTPS protocol. If you are on a site that uses HTTP instead of HTTPS and asks for any confidential data - leave that site.
  • Use antivirus software. Usually, such messages lead to a site that may contain malicious software. However, comprehensive antivirus software can prevent malware infiltration at the download stage.

If you've already been a victim of smishing, follow these steps:

  • Contact the company whose service it happened to and report the incident. They will have the list of actions for such a situation and will instruct you on the actions you must apply to minimize the effects.
  • Block your bank card whose details you disclosed. If you don't do this very soon, your card may be charged for services you didn't buy.
  • Change your passwords and account pin codes. Set another secure password so that hackers, knowing the previous one, won't be able to get a new password.
  • Use multi-factor authentication (MFA). Using a complex password increases the level of security but does not guarantee complete security. It can be stolen or compromised, as well as the human factor. Using two-factor authentication allows you to protect your account if your password is leaked to fraudsters. To log into your account, you need to enter an additional security code, which can come in SMS confirmation or in a special application that generates these codes.

Each step is important to your defense after an attack. Also, reporting an attack helps you recover and keeps others from attacking.