The number of phishing attempts sent by SMS grew by 328% in 2020. Here’s how Smishing works and how you can protect yourself.
You know all about phishing. From time to time, emails purporting to be from Facebook or your bank drift into your inbox and insist you “verify your account.” Look closer and you spot the telltale signs of a scam: a sketchy-looking sender address, sloppy writing, and a complete lack of personalization. You sigh and hit delete.
It’s easy to be cynical about opportunistic, mass-mailed phishing attempts. Although some look genuine to even the most cautious eye, others feel decidedly amateurish and are readily identifiable. Billions of emails are sent each month, with over 245,000 phishing-related websites created in January alone according to the Anti-Phishing Working Group (APWG). But when it comes to SMS-based phishing, or ‘smishing,’ things are a little different.
Smishing is when a malicious actor harvests credentials and credit card details by pretending to be someone else over text. This novel spin on phishing has grown exponentially in recent years, with the volume of messages sent to North American phones increasing by 328% in Q3 2020 alone. Similar trends can be found in other territories. In the UK, one survey found 61% of respondents received at least one smishing text during 2020.
For the perpetrators, smishing can prove incredibly lucrative. For the victims, it can be financially devastating. This article will explain how the scam works, why it’s effective, and how individuals and organizations can fight back.
If you’re reasonably tech-savvy — or have listened to the dire warnings issued by tech companies, financial institutions, and governments — chances are high you understand the risk posed by traditional email-based phishing.
You know that email accounts can be created and hijacked. Spammers can even spoof the origins of an email. And, after countless high-profile data breaches, you may have grudgingly reconciled with the reality that your personal information is irrevocably available online.
Smishing scams, on the other hand, feel comparatively opaque. How do attackers successfully impersonate well-known brands? How do they operate at such a large scale, sending tens of thousands of messages at a time?
Let’s start by looking at the methodology. Attackers have plenty of options when it comes to the bulk distribution of text messages. They may choose to buy a device created explicitly for that purpose, with examples available online for just a few hundred dollars. Alternatively, they can use a standard mobile phone or USB cellular modem, combined with an automation program that costs just $69.
This isn't the most inconspicuous method. In June, UK law enforcement were called to a hotel in Manchester after staff became suspicious of a guest carrying a bag filled with unusual-looking wires and electrical devices. Upon inspecting his room, police found a laptop containing 44,000 mobile numbers, as well as an SMS hardware gateway. They later determined the device was used to send 26,000 messages in the previous day alone.
Alternatively, as pointed out by veteran cybersecurity journalist Brian Krebs, attackers may choose a provider to send the messages out on their behalf. Earlier this year, UK authorities arrested the 20-year-old operator behind the SMS Bandits gateway, which he marketed within criminal circles as “spam friendly.” Messages sent via SMS Bandits impersonated government agencies, financial services organizations, and telecommunications providers.
Now, let's talk about the composition of the text. SMS messaging is a relatively ‘flat’ medium. There is no room for visual flair or branding. This works to the advantage of attackers, as they don’t have to painstakingly recreate the style of the organizations being impersonated. And many phishing approaches work
Within the body of the text, the attacker faithfully adheres to the phishing playbook. One common tactic is to create a false sense of urgency. They want the recipient to be anxious, as they’ll be more likely to hand over their credentials without scrutinizing the message too closely.
The pandemic has provided many examples of this. In May, a UK man was sentenced to four years and three months’ imprisonment after perpetrating a scam in which victims were asked to provide their bank details in order to verify their eligibility for a Covid vaccine.
Another SMS phishing campaign identified in South Africa in March 2020 purported to be from local financial institutions and warned the recipient that their account would be terminated if they didn’t verify their credentials.
It’s interesting to note that this campaign began during the early months of the first lockdown, at a point when many contact centers were operating at a vastly reduced capacity. The ensuing long wait times ultimately disincentivized recipients from trying to independently verify the message with their bank, which contributed to its success.
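The cues described above (a named institution, a false sense of urgency, a request to "verify" credentials or bank details, and a link to follow) are exactly what a defender can score for when triaging reported texts. The following Python script is an added example and is not part of the original article; the sample messages, the term lists, the point weights and the threshold of 5 are all constructed for illustration and would need tuning against real reports before use.

```python
import re
from dataclasses import dataclass, field

# Constructed sample texts (not real campaign messages). They mirror the
# patterns the article describes: an impersonated institution, urgency,
# a request to verify credentials or bank details, and a link.
SAMPLE_MESSAGES = [
    "Example Bank: Your account will be terminated unless you verify your "
    "details now at http://examplebank-verify.invalid/login",
    "NHS: You are eligible for a Covid vaccine. Confirm your bank details "
    "to book: http://vaccine-confirm.invalid",
    "Your dentist appointment is on Tuesday at 9am. Reschedule: "
    "http://dental-example.invalid/r",
    "Hi Sam, running 10 minutes late, see you at the cafe.",
]

# Assumed indicator lists; a real deployment would tune these from reports.
URGENCY_TERMS = [
    r"\bimmediately\b", r"\bnow\b", r"\bwithin \d+ ?(?:hours?|minutes?)\b",
    r"\bterminat(?:ed|ion)\b", r"\bsuspend(?:ed|sion)\b", r"\blocked\b",
    r"\burgent\b", r"\bfinal (?:notice|warning)\b",
]
CREDENTIAL_TERMS = [
    r"\bverify\b", r"\bconfirm\b", r"\bbank details\b",
    r"\bcard (?:details|number)\b", r"\bpassword\b", r"\bpin\b",
    r"\blog ?in\b", r"\bcredentials\b",
]
BRAND_TERMS = [r"\bbank\b", r"\bnhs\b", r"\bhmrc\b",
               r"\bgov(?:ernment)?\b", r"\bbarclays\b"]
URL_RE = re.compile(r"https?://\S+", re.I)

SUSPICIOUS_THRESHOLD = 5  # assumed cut-off for flagging a text


def _matches(patterns, text):
    """Return the patterns that occur in text (case-insensitive)."""
    return [p for p in patterns if re.search(p, text, re.I)]


@dataclass
class Verdict:
    score: int
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def score_sms(text: str) -> Verdict:
    """Score one text on the smishing cues the article describes."""
    score, flags = 0, []
    if URL_RE.search(text):
        score += 2
        flags.append("link")
    if _matches(URGENCY_TERMS, text):
        score += 2
        flags.append("urgency")
    if _matches(CREDENTIAL_TERMS, text):
        score += 2
        flags.append("credential_request")
    if _matches(BRAND_TERMS, text):
        score += 1
        flags.append("institution_named")
    # The full playbook (urgent, credential request, link) weighs extra.
    if {"link", "urgency", "credential_request"} <= set(flags):
        score += 2
        flags.append("urgent_link_and_credentials")
    return Verdict(score, flags)


def triage(messages):
    """Score a batch of texts, e.g. ones reported by users to a helpdesk."""
    return [(msg, score_sms(msg)) for msg in messages]


if __name__ == "__main__":
    for msg, verdict in triage(SAMPLE_MESSAGES):
        label = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"[{label:10}] score={verdict.score} flags={verdict.flags}")
        print(f"             {msg[:70]}")
```

The second sample lands exactly on the threshold: it names an institution, asks for bank details and carries a link, but contains no urgency wording. That is deliberate, because the vaccine-eligibility scam described above relied less on a deadline than on the lure itself, and a scorer that only looked for urgency would miss it. The dentist reminder shows the other side: a link on its own is not enough to flag a message.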
It’s hard to find solid data on the financial cost of smishing. In most cases, it is grouped together with traditional email phishing and ‘vishing’ (voice phishing) rather than treated as a standalone category. However, police reports and testimony from victims suggest it can be hugely profitable for the perpetrators.
One gang made at least £20m over just eight years, allowing them to live a celebrity lifestyle of five-star hotels and designer clothing brands. Another man, a 22-year-old computer science student from London, made £125,000 before his arrest. In 2019, a Georgia federal court convicted three Romanian men for their role in a smishing scheme that cost individuals and institutions an estimated $21M.
And then there are the victims. One Hong Kong flight attendant saw her $10,000 life savings drained after she clicked through a text purporting to be from her bank. A student in the UK was pushed into her overdraft after receiving a text ostensibly from Barclays Bank. Another woman in Topeka, Kansas lost $600.
So, why is it so effective? It comes down to a number of reasons.