Smishing: SMS Phishing Explained

This content originally appeared on Twilio Blog and was authored by Darragh O'Connor

As attackers increasingly use familiar, everyday technology as a delivery vector, it is worth spelling out the difference between a legitimate bulk SMS and a well-crafted malicious one designed to steal your data or turn your device against you.

In this article, we give an overview of an increasingly common attack that abuses the ubiquity of SMS, SMS phishing, and explain how it differs from bulk SMS. We'll walk through examples of SMS phishing, highlight what to watch out for, and help you recognize legitimate SMS communications.

What is phishing?

Phishing is an attack that turns an everyday communication channel, such as email or a messaging service, into a delivery mechanism. The attacker's goal is to convince the recipient that a message is urgent and is something they want or need, so that they act on it before thinking.

Typical lures include:

  • A request, apparently from your bank, to log in and change a password or confirm contact details.
  • A message promising a gift card.
  • An email that claims to come from a senior executive.
  • An email that claims to come from IT and asks you to download or install an application.

If the attack is web-based, the recipient is sent to a counterfeit website controlled by the attacker, where the victim is tricked into entering bank details, paying a bogus fee or charge, or handing over other credentials that feed a larger attack.

If the goal is to get the user to install an application, the link leads to a malicious download. Once the user follows the link and installs what it offers, the device is compromised and becomes a foothold for a larger attack (for example, on a company's network).

What is smishing?

With the wide adoption of SMS, it wasn't long before smishing, or SMS phishing, became as widely deployed as its older sibling, email phishing. Smishing is a scam that uses SMS as the attack vector. The goal is to trick the victim into revealing account information, installing malware on their device, or simply paying a sum of money to the attackers.

As with email phishing, fabricated details and manufactured urgency are used to make the text appear to come from a reputable organization and to demand immediate action.

This is distinct from bulk SMS messaging, also known as mass texting, which is a legitimate way for businesses, organizations, media companies, and financial institutions to reach subscribers who have opted in with time-sensitive alerts and notifications.


Smishing examples

Smishing is a social engineering attack: it exploits human tendencies rather than technical flaws, in particular that we trust too easily, act quickly under pressure, and want to be helpful.

In fact, while working on this piece, I received an SMS with all the hallmarks of a well-crafted phishing attempt. It illustrates how easy it is to fall for one of these attacks.

The SMS claims to be from "BOI", or Bank of Ireland, and at first glance it looks legitimate: the spelling is correct, and I have received similar notifications from other businesses. So this is something I should be concerned about, right?

[Image: the "BOI" SMS phishing message described above]

Well, I don't have an account with Bank of Ireland, so a genuine alert from them is impossible. Had I followed the link, it would most likely have led to a counterfeit login page built to harvest credentials, or to a download intended to compromise the device. The other giveaway is the link itself: it does not point to a Bank of Ireland domain but to an unfamiliar one.

How to defend against SMS phishing

With email phishing you can inspect the message headers and hover over a link to see where it really leads before clicking. SMS gives you far less to work with: there are no headers to inspect, links are often shortened, and on a phone a tap and a click are the same gesture. Some messaging apps let you long-press a link to see the full URL before opening it, but that is rarely done, and a shortened URL tells you nothing anyway. The displayed sender name is not proof of origin either: alphanumeric sender IDs are chosen by the sender and are not verified.

Here are some ways to defend yourself against smishing:
  • Don't tap links in texts unless you were expecting them and can verify where they lead.
  • Contact the bank, agency, or organization the SMS claims to come from, using a phone number or website you already know (from your card, a statement, or the official app), not the contact details in the message.
  • Delete the SMS if you cannot verify it.
  • Stay vigilant. Like all social engineering, smishing relies on the human element, and it is a lot easier to hack people than to hack computers or phones.

Remember: if something seems too good to be true, it usually is. Bob from accounting won't send you an Apple gift card by email, and a financial institution is unlikely to text you an unfamiliar link to update your account details.

SMS phishing vs. legitimate SMS messages: How can I tell the difference?

Let's conclude by comparing a standard series of Twilio SMS messages with a scam message claiming to be from the delivery company DHL.

[Image: the scam SMS claiming to be from DHL, received at 5 am with a plain-HTTP link]

Suppose this message arrived on your phone but you weren't expecting a DHL delivery. Should you tap and confirm? No. Several things should tip you off:

  • It was delivered at 5 am. On its own that is a weak signal, since automated notifications can arrive at any hour, but an unexpected message at an odd hour deserves extra scrutiny.
  • The URL is random and contains nothing about DHL. The reverse is not reassuring either: attackers routinely register lookalike domains that include the brand name, so a link should match the company's real domain exactly, not merely mention it.
  • It is an HTTP rather than HTTPS site, so anything you enter is sent unencrypted and can be intercepted. Note that HTTPS proves only that the connection is encrypted, not that the site is legitimate; phishing sites obtain TLS certificates for free, so a padlock is no guarantee.
[Image: example Twilio SMS messages: a verification code and a password-change notice]

This is an example of legitimate SMS from Twilio: a verification code sent to the user as they logged in, and a second message notifying them of a password change.

  • It provides something you requested: a 2FA code and a notice of a password change.
  • There is no attempt to get you to do something you didn't already ask for.
  • There are no links at all, let alone random ones.
  • Bulk text messages from a legitimate service, whether sent through Twilio or another provider, come from an organization you have signed up with (for example, a supermarket promotion). You cannot tell from a text which provider carried it, so judge the content, not the sender name.
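To make the indicators above concrete, here is a small heuristic checker that runs them over both the DHL scam and the legitimate Twilio messages. It is an added illustration written for this article, not code from the original post or from Twilio. The four sample messages are constructed for the example (their links use the reserved .example domain, so nothing resolves), the brand-to-domain table is an assumption standing in for a maintained list, and the registrable-domain logic is deliberately crude. It performs the checks a human would: is a brand named in the text, does each link actually belong to that brand's domain or merely contain its name, is the link plain HTTP, and is the link paired with pressure language. It cannot judge the one check that matters most, whether you were expecting the message at all; that stays with the human.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for this example (not real captures).
# Links use the reserved .example TLD so nothing here resolves.
SAMPLES = {
    "dhl_phish": ("DHL: Your parcel is waiting. Confirm the delivery fee to "
                  "release it: http://k7x2q.example/track"),
    "boi_phish": ("BOI: Unusual activity detected on your account. Verify now "
                  "to avoid suspension: https://boi-ie-secure.example/login"),
    "legit_2fa": "Your verification code is 482913. It expires in 10 minutes.",
    "legit_pwd": "Your password was changed. If this wasn't you, contact support.",
}

# Assumed brand -> registrable domains the brand really uses. Illustrative only;
# a real deployment would maintain this list from the organizations themselves.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de", "dhl.ie"},
    "boi": {"bankofireland.com", "boi.com"},
    "bank of ireland": {"bankofireland.com", "boi.com"},
}

# Pressure phrases that, next to a link, are a phishing hallmark.
URGENCY = ("verify now", "confirm", "suspend", "immediately",
           "unusual activity", "fee", "act now")

URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)


def has_phrase(text: str, phrase: str) -> bool:
    """Whole-word match so 'boi' does not fire on 'boiler'."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.ie/.example; real code
    should use a public-suffix list so 'bank.co.uk' is handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_urls(text: str) -> list:
    """Pull http(s):// and bare www. links out of an SMS body."""
    urls = []
    for m in URL_RE.finditer(text):
        u = m.group(0).rstrip(".,;:!?)")
        if not u.lower().startswith(("http://", "https://")):
            u = "http://" + u          # a bare www. link opens as plain HTTP
        urls.append(u)
    return urls


def analyze(text: str) -> dict:
    """Return the phishing indicators found in one SMS body."""
    t = text.lower()
    findings = []
    claimed = [b for b in BRAND_DOMAINS if has_phrase(t, b)]
    urls = extract_urls(text)

    for u in urls:
        parsed = urlparse(u)
        host = parsed.hostname or ""
        reg = registrable_domain(host)
        if parsed.scheme == "http":
            findings.append(f"plain-http link: {u}")
        for brand in claimed:
            if reg in BRAND_DOMAINS[brand]:
                continue               # link really belongs to the named brand
            # Brand name buried in a host the brand does not own: lookalike.
            squashed = host.replace("-", "").replace(".", "")
            if brand.replace(" ", "") in squashed:
                findings.append(f"lookalike domain for {brand}: {host}")
            else:
                findings.append(f"link domain {reg} does not belong to {brand}")

    pressure = [p for p in URGENCY if has_phrase(t, p)]
    if urls and pressure:
        findings.append("link paired with pressure language: " + ", ".join(pressure))

    # Absence of findings is not proof of legitimacy; the human still has to
    # ask whether the message was expected at all.
    return {
        "urls": urls,
        "claimed_brands": claimed,
        "findings": findings,
        "verdict": "suspicious" if findings else "no indicators found",
    }


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = analyze(body)
        print(f"{name}: {result['verdict']}")
        for f in result["findings"]:
            print("   -", f)
```

Running it flags the DHL message three ways (plain HTTP, a domain that is not DHL's, and a link next to "confirm" and "fee") and the BOI message as a lookalike domain even though it uses HTTPS, which is exactly why a padlock alone proves nothing. The two Twilio-style messages contain no links and no pressure language, so nothing fires; the only remaining question, whether you had just logged in or changed your password, is one no script can answer for you.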

SMS phishing key takeaways

As more of daily life moves online, it is important to stay aware of how something as useful as SMS can be used against you. Bulk SMS is a legitimate way to reach large numbers of contacts, but be wary of texts from companies you don't recognize.

To recap, the SMS phishing key takeaways are:
  • Don't tap links in texts you didn't expect or from brands you don't recognize.
  • Contact the bank, agency, or organization the SMS claims to come from, using contact details you already trust.
  • Delete the SMS if you cannot verify it.

Like all social engineering attacks, smishing relies on the human element, so be vigilant. It's a lot easier to hack people than to hack computers or phones. We hope this helps you stay safe out there.

To set up bulk sending for your business, check out Twilio's Programmable Messaging API.


Republished at Sciencx on 2021-09-13: https://www.scien.cx/2021/09/13/smishing-sms-phishing-explained/