Here’s a riddle: What happens up to 2 billion times a day in the US and causes victims immense financial losses? Smishing attacks.
An ongoing study managed by Robokiller shows that Americans received 2.3 billion scam texts per day in December of 2022. The scams are working too. According to Robokiller’s most recent mid-year study, Americans lost an estimated $9.7B to smishing attacks in the first six months of 2022 alone.
As scam calls dwindle due to Americans rapidly transitioning to digital communication methods, scammers have proven they’re more than willing to adapt to the times as well, targeting digital communication methods at an eye-watering rate.
What is a Smishing Scam?
Smishing, sometimes stylized as SMiShing, is the name given to a phishing attack that uses SMS (short message service) as the delivery method. These are more widely known as scam texts or spam texts.
Most smishing attacks pose as a trusted entity—think banks, major retailers, utility providers, charities, etc. Usually disguising the attack as an automated message, the scammer will include a made-up notification about an overdue payment, unauthorized login attempt, suspicious account activity, and everyone’s favorite: a $5000 CASH PRIZE YOU MUST CLAIM IN THE NEXT 30 MINUTES.
One way or another, most attacks will try and trick you into clicking a link or calling a number in hopes that you’ll unsuspectingly hand over banking info, account credentials, or some other valuable piece of personal information.
Why Do I Get Spam Texts?
Just like an email address, your phone number can be leaked online from any number of sources. To make matters worse, your phone number is much easier for attackers to simply guess. In contrast to an email address, which can vary in length and character composition, a US phone number is just 10 digits making it much easier for you to be caught up in a random attack.
So, did you enter your number into a sketchy site that sold or leaked the info? It’s possible, but there are far too many ways for scammers to obtain your phone number to be certain. Rest assured, (or not so assured) almost everyone with a phone number has been the recipient of these messages at one point or another.
As these attacks get more and more convincing, it pays to know how to recognize them. Below are some examples that will help you identify a smishing attempt, as well as how to handle them.
Smishing Examples and How to Identify Them
Example 1: Smishing Message from a Google Number
This seemingly innocuous wrong-number text has the potential to develop into any number of attack vectors. Never engage with unknown numbers that offer no context, especially if you notice poor spelling, formatting, or grammar in use.
Looking up the phone number shows us we were right to be cautious. This threat actor was using a Google Voice number to perform attacks.
Example 2: Generic Credit Card Charge
This text came from another VoIP or voice over IP number that is easily created for this purpose.
The lack of specificity in this example combined with the claim of an account being shut down is designed to trigger an emotional response. The attacker is hoping the target lets their guard down and follows the link without considering possible ramifications.
Further investigation of the phone number once again confirms that a VoIP service is in use here as well.
Morris James
I am a Infrastructure & DevSecOps Engineer with over a decade of experience in cloud computing, cybersecurity, and automation. As the founder of Infotech Ninja, I share my expert insights on IT strategy, system administration, and security best practices. Holding certifications like CCNP Enterprise, MCSE, and VCP-DCV, I specialize in optimizing IT infrastructures and leveraging automation to drive efficiency.