What Are “Smishing Attacks”? (and How to Avoid Them)

We all know about the threat of phishing attacks, but hackers use a similar SMS-based tactic called “smishing” to infect smartphones with malware and steal data, and according to recent reports, they are using it more frequently. Cybersecurity firm Kaspersky says hackers are infecting users in Europe and Asia with the dangerous Roaming Mantis Android malware using smishing attacks, and infections are on the rise worldwide.

You can read more about the campaign to take down Roaming Mantis in a recent Threatpost report. However, whether it’s Roaming Mantis or some other scam, the bottom line is that smishing is a real threat that you need to take precautions against, just as you would against phishing attempts.

What is smishing?

Smishing attacks use tactics similar to phishing schemes, but use SMS text messages instead of emails – hence “smishing” (SMS + phishing).

Most smishing attacks work like this: hackers send a text that looks legitimate to the target. The text contains a link that opens a fake but convincing page, which then instructs the user to download an application that installs malware. In the case of Roaming Mantis, the malware hides behind harmless-looking code that antivirus software cannot detect.

Malware is not the only thing that hackers hide in suspicious texts. Depending on which company the hackers claim to be, the texts may also contain links to fake login pages that steal private account information; spam the target with malicious ads; or simply ask the target to respond with other important information such as bank card details, social security numbers, or driver’s license numbers.

Either way, the end result is that hackers now have remote access to your device, your accounts, and/or your personal information. From there, they can steal your payment information, incriminating photos, and any other information you have stored.

How to Avoid Smishing

Smishing is a serious threat, but the strategies used to detect and prevent it are similar to those used to prevent phishing attempts and other online scams.

The first step is to enable SMS spam filters, but don’t expect them to do all the work for you. Service providers like T-Mobile, AT&T, and Verizon are getting better at stopping spam texts and smishing campaigns, but their back-end filters are reactive, not proactive, meaning they will always be one step behind spammers. Similarly, you should enable spam filters on your Android device in any texting apps you use.

Filters won’t stop every malicious text, but they are useful nonetheless. The rest of the prevention falls on the users themselves: The most important thing is not to open suspicious links from random numbers.

Of course, this is easier said than done.

Many companies send important links in text messages, often from random numbers. Sometimes legitimate texts come from different numbers every time, even if they are from the same sender. This is often the case, for example, with two-factor SMS-based logins or password reset requests. This can make it difficult to determine whether a text and any links within it are safe to open.

However, if you’re not expecting a message from, say, Google, your bank, or even your local public transit service, don’t open any messages purporting to be from said companies or organizations. There are also some clear signs that a text is fake, such as the use of certain words and phrases that are characteristic of phishing attempts, and incorrect spelling and grammar.

Another sign is unorthodox requests. As a general rule, banks, ISPs, and other large companies will not send you random links, ask you to install additional apps, or ask for personal information in a text message. If you are ever in doubt, call the company directly to verify the authenticity of the text message.
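
The warning signs above can be written as a simple triage check for incoming texts. This is an added example, not part of the original article; the regular expressions and sample messages are constructed assumptions, since the article names the kinds of sign but no specific wording.

```python
import re

# Constructed patterns (assumptions). The data types come from the article:
# bank card details, social security numbers, driver's license numbers.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
INSTALL_RE = re.compile(r"\b(?:install|download)\b.*\b(?:app|apk|update)\b", re.I)
PERSONAL_RE = re.compile(
    r"\b(?:card (?:number|details)|social security|driver'?s licen[sc]e)\b", re.I)
REPLY_RE = re.compile(r"\b(?:reply|respond|confirm|verify)\b", re.I)


def smishing_signs(text, expected):
    """Return the article's warning signs that apply to one SMS body.

    expected: True if the recipient was waiting for this message (for
    example, they just requested a password reset). The sender's number is
    deliberately ignored, because legitimate senders rotate numbers too.
    """
    signs = []
    has_link = bool(URL_RE.search(text))
    if has_link and not expected:
        signs.append("unexpected link")
    if INSTALL_RE.search(text):
        signs.append("asks to install an app")
    if PERSONAL_RE.search(text) and (has_link or REPLY_RE.search(text)):
        signs.append("asks for personal information")
    return signs


def triage(text, expected):
    """Map the signs to an action: ok, verify with the company, or do-not-open."""
    signs = smishing_signs(text, expected)
    if not signs:
        return "ok"
    if signs == ["unexpected link"]:
        return "verify"  # call the company directly before opening the link
    return "do-not-open"  # unorthodox request: app install or personal data


# Constructed sample messages, not real campaign text.
SAMPLES = [
    ("Your verification code is 482913. It expires in 10 minutes.", True),
    ("Your parcel is waiting. Track it here: http://example.com/track", False),
    ("Bank alert: install our security app at http://example.com/a.apk", False),
    ("Account locked. Reply with your card number to restore access.", False),
]

if __name__ == "__main__":
    for body, expected in SAMPLES:
        print(triage(body, expected), "|", smishing_signs(body, expected))
```

A keyword check like this only narrows what needs a closer look; a text that passes it can still be malicious.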
