Smishing (a blend of “SMS” and “phishing”) has been an increasingly common attack vector over the last several years. The first surge began in 2020, during the COVID-19 outbreak: in 2020 alone there was a 328% increase in smishing attacks, with Americans losing a total of over $86 million to such scams. The following year was worse still, with a 700% increase in smishing attacks in just the first two quarters of 2021 and 74% of organizations reporting a smishing attack that year. In December 2023 alone, over 19 billion SMS messages were sent in the US (that’s about 19 messages per person). Unfortunately, smishing has only persisted since then and is once again on the rise.
Much of the problem comes down to a lack of awareness. Consider that the average American receives 41 spam texts per month and that more than 1 billion unwanted SMS messages are sent per minute. Many of these messages are smishing attempts. Unfortunately, most people treat them as ordinary spam, like the junk that lands in an email inbox, and do not see them as dangerous. In fact, fewer than 35% of people know what smishing is, and only 23% of users over 55 can correctly define it.
UDT’s security teams have recently noticed a significant surge in smishing attempts, which are fraudulent text messages aiming to steal a target’s personal information and credentials or deliver malware. These messages often masquerade as legitimate communications from government entities, past/present business contacts, or courier services.
Because these messages arrive through your mobile carrier’s SMS service rather than through an email gateway, they bypass the spam filtering and sender-authentication controls that organizations rely on for email, and they can be very difficult to block or isolate. This makes it even more important for you to stay vigilant and know what to look for and how to protect yourself and your organization. That’s why our experts are providing you with some actionable insights that can keep you from falling victim to a smishing attack.
What is Smishing?
As the name “smishing” suggests, this is a type of phishing attack that uses text messages (SMS) to trick users into clicking on malicious links or providing sensitive information. Smishing attacks can be very convincing and dangerous, as they often impersonate legitimate businesses, delivery services, or even company CEOs.
Other times, the attacker may try to “befriend” you by pretending to have texted a wrong number. For example, you receive a text from a number you do not recognize that says something like, “Are we still on for lunch this Sunday?” Unsure of who is sending the message, you may reply “Who is this?” The person will text back something like “This is so-and-so. We met last weekend. Is this X?” They will then do their best to keep you texting with them, and at some point will begin asking questions such as “What is your name?” and “Where do you live?”
These may seem like harmless questions, but the sender is harvesting information about you that can be linked to your cell number and reused in later, more targeted attacks. If you receive an unrecognized text, do not reply; block the number immediately and then delete the conversation from your phone (if your phone does not do this automatically when a number is blocked). These messages will also sometimes prompt your phone to suggest saving the sender as a contact, so that later the number appears to be one you recognize. Do not let your phone save the number to your contacts.
What to Watch Out For
There are a number of warning signs and red flags to look out for when it comes to identifying smishing attacks:
- The message contains urgent requests for immediate action – If you receive a message saying you need to claim a gift before it expires, warning of suspicious activity on one of your accounts, or asking you to confirm a missed delivery, it may be a smishing attempt, even if it claims to come from a reputable source such as Chase, Bank of America, USPS, UPS, or FedEx. Organizations like these will not send an unsolicited text asking you to click a link to verify an account, pay a fee, or enter credentials or card details. Verify authenticity by contacting the company directly through its official website or a phone number you already know, never through a link or number in the message itself.
- Multiple recipients for messages regarding gifts or suspicious activities – If you see that the text message has been sent to multiple numbers in addition to your own, this is a big red flag. Delete the message.
- Unsolicited requests for personal information – An unexpected request for personal information is often the first sign of a scam. No legitimate entity should ask for sensitive information such as passwords, one-time passcodes, PINs, card numbers, or your Social Security number via SMS/text messaging. Always take a moment to evaluate what is being asked of you before responding.
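As an added illustration (not code from the original post), the following Python triage script applies the red flags above to a handful of constructed sample texts. Besides keyword checks for urgency and requests for sensitive data, it does the one check a human often skips: it pulls every link out of the message and tests whether the link’s domain actually belongs to the brand the message claims to be from, flagging URL shorteners, raw IP addresses, and lookalike domains such as a hyphenated domain that merely contains the brand name. The brand-to-domain allowlist, keyword lists, scoring weights, and the naive “last two labels” domain logic are all assumptions chosen for the example; a real deployment would maintain its own lists and use a proper public-suffix library.

```python
import re
from urllib.parse import urlparse

# Constructed sample texts for demonstration (not messages quoted from the post).
SAMPLES = [
    "USPS: Your package could not be delivered due to an incomplete address. "
    "Update within 24 hours: https://usps-redelivery-update.com/track",
    "Chase: Suspicious activity detected on your account. Verify now at "
    "http://bit.ly/3xYz or your account will be suspended.",
    "Your FedEx package 7731 is arriving today. Track at "
    "https://www.fedex.com/fedextrack/?trknbr=7731",
    "Reply with your PIN and card number to unlock your Bank of America card.",
    "Are we still on for lunch this Sunday?",
]

# Illustrative allowlist of brands and the registrable domains they really use
# (assumption: an organization would maintain and extend this list itself).
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
    "chase": {"chase.com"},
    "bank of america": {"bankofamerica.com"},
}

URGENCY = ("immediately", "within 24 hours", "expires", "suspended",
           "suspicious activity", "urgent", "final notice", "act now")
SENSITIVE_RE = re.compile(r"\b(ssn|social security|password|pin|card number|account number)\b")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (naive: ignores multi-part suffixes such as .co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_urls(text):
    """Return (url, hostname) pairs; bare 'www.' links get a scheme so urlparse sees a host."""
    out = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url
        out.append((url, urlparse(url).hostname or ""))
    return out


def claimed_brands(text):
    """Brands named in the body, matched on word boundaries ('ups' must not match 'groups')."""
    low = text.lower()
    return [b for b in BRAND_DOMAINS if re.search(r"\b" + re.escape(b) + r"\b", low)]


def analyze(text):
    """Score one message against the red flags; a higher score means more indicators present."""
    low = text.lower()
    score, findings = 0, []

    urgent = [k for k in URGENCY if k in low]
    if urgent:
        score += 1
        findings.append("urgency language: " + ", ".join(urgent))

    if SENSITIVE_RE.search(low):
        score += 2
        findings.append("asks for sensitive information")

    brands = claimed_brands(text)
    urls = extract_urls(text)
    for url, host in urls:
        rd = registrable_domain(host)
        if rd in SHORTENERS:
            score += 2
            findings.append(f"shortened link hides its destination: {host}")
        elif IP_RE.fullmatch(host):
            score += 2
            findings.append(f"link uses a raw IP address: {host}")
        for brand in brands:
            if rd in BRAND_DOMAINS[brand]:
                continue  # the link really goes to the brand's own domain
            squashed = host.replace("-", "").replace(".", "")
            if brand.replace(" ", "") in squashed:
                score += 3
                findings.append(f"lookalike domain impersonating {brand}: {host}")
            else:
                score += 2
                findings.append(f"link does not go to {brand}'s official domain: {host}")

    # A brand name, no link, and "reply": the attacker wants a conversation instead of a click.
    if brands and not urls and re.search(r"\breply\b", low):
        score += 1
        findings.append("brand asks you to reply by text")

    verdict = "likely smishing" if score >= 3 else "suspicious" if score >= 1 else "no indicators"
    return {"score": score, "verdict": verdict, "brands": brands,
            "urls": [u for u, _ in urls], "findings": findings}


def triage(messages):
    """Analyze a batch of messages and return one result dict per message, in order."""
    return [analyze(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLES, triage(SAMPLES)):
        print(f"[{result['verdict']:>15}] score={result['score']} {msg[:60]!r}")
        for f in result["findings"]:
            print("    -", f)
```

The genuine FedEx tracking text scores zero because its link resolves to the brand’s own registrable domain, while the USPS lookalike and the shortened Chase link both score well above the threshold. Note the last sample: the “wrong number” opener contains no brand, link, or urgency, so content heuristics like these cannot flag it, which is exactly why the advice above is to not reply at all.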
How to Protect Yourself
Here are some ways you can protect yourself and your organization from smishing attacks:
- Block or filter unsolicited text messages via your device’s settings (iPhone: Settings > Messages, where you can filter messages from unknown senders; Android: the Phone or Messages app’s settings, under Blocked Numbers or Spam Protection; the exact path varies by manufacturer and app).
- Report any suspicious messages that appear to be from someone in your organization to your company’s spam notification email.
- Forward any suspicious text messages to 7726 (it spells “SPAM” on a phone keypad). This is the short code that US carriers, and many carriers elsewhere through the GSMA’s spam-reporting program, use to collect reports; your carrier may reply asking for the sender’s number. Reporting helps the carrier identify and shut down the source, but it does not by itself block further messages from reaching you, so block the number as well.
- Utilize the “Report Junk” options on iPhones or “Block & report spam” on Android devices for unsolicited or suspicious messages.
- Download any spam-filtering apps provided by your mobile carrier. They are usually offered free of charge and are typically effective at blocking text messages that appear to be malicious.
- If the message does not contain a link but instead prompts you to reply, DO NOT REPLY. Never reply to a suspicious message, not even with “STOP” or “Who is this?”; just delete it. Any reply confirms to the attacker that they have reached a live number that is worth targeting again.
What To Do If You’ve Fallen Victim
If it’s already too late, and you find that you’ve been hit by a smishing attack, we recommend taking the following actions:
- Don’t panic. Stay calm and immediately notify your organization’s IT team, especially if this happened while using company-issued devices.
- If you have not already done so, block the number used in the attack immediately.
- Ignore any follow-up texts from the number used in the attack (you should already have it blocked), or related messages that may come from a different/unblocked number, even if they seem friendly or offer to fix the situation.
- Contact your financial institution(s) if you entered payment or banking details, and promptly change the password on any account whose credentials you entered, followed by any other account that shares that password; enable multi-factor authentication wherever it is offered. If you installed an app or profile from a link in the message, have your IT team examine the device before you continue using it.
Stay Smart & Stay Safe
To protect yourself from smishing, you should always be wary of unsolicited or suspicious text messages, never click on unknown links or attachments, and verify the sender’s identity before providing any personal or financial information.
You can also report smishing messages to your mobile carrier (by forwarding them to 7726) or to the FTC (Federal Trade Commission) at reportfraud.ftc.gov. It’s important that we stay vigilant and take these precautionary measures to safeguard personal information against these malicious smishing attempts. Stay safe and smart!
To learn how UDT can help safeguard your organization from cyber risks and data security threats, explore our suite of Cybersecurity Services or contact our team to schedule a consult with one of our experts. Together, we accomplish more.