You know all about phishing. From time to time, emails purporting to be from Facebook or your bank drift into your inbox and insist you “verify your account.” Look closer and you spot the telltale signs of a scam: a sketchy-looking sender address, sloppy writing, and a complete lack of personalization. You sigh and hit delete.
It’s easy to be cynical about opportunistic, mass-mailed phishing attempts. Although some look genuine to even the most cautious eye, others feel decidedly amateurish and are readily identifiable. Billions of emails are sent each month, with over 245,000 phishing-related websites created in January alone according to the Anti-Phishing Working Group (APWG). But when it comes to SMS-based phishing, or ‘smishing,’ things are a little different.
Smishing is the harvesting of credentials and credit card details by a malicious actor who pretends to be someone else over text. This spin on phishing has grown exponentially in recent years, with the volume of messages sent to North American phones increasing by 328% in Q3 2020 alone. Similar trends can be found in other territories. In the UK, one survey found 61% of respondents received at least one smishing text during 2020.
For the perpetrators, smishing can prove incredibly lucrative. For the victims, it can be financially devastating. This article will explain how the scam works, why it’s effective, and how individuals and organizations can fight back.
How a Smishing Scam Works
If you’re reasonably tech-savvy — or have listened to the dire warnings issued by tech companies, financial institutions, and governments — chances are high you understand the risk posed by traditional email-based phishing.
You know that email accounts can be created and hijacked. Spammers can even spoof the origins of an email. And, after countless high-profile data breaches, you may have grudgingly reconciled with the reality that your personal information is irrevocably available online.
Smishing scams, on the other hand, feel comparatively opaque. How do attackers successfully impersonate well-known brands? How do they operate at such a large scale, sending tens of thousands of messages at a time?
Let’s start by looking at the methodology. Attackers have plenty of options when it comes to the bulk distribution of text messages. They may choose to buy a device created explicitly for that purpose, with examples available online for just a few hundred dollars. Alternatively, they can use a standard mobile phone or USB cellular modem, combined with an automation program that costs just $69.
This isn't the most inconspicuous method. In June, UK law enforcement was called to a hotel in Manchester after staff became suspicious of a guest carrying a bag filled with unusual-looking wires and electrical devices. Upon inspecting his room, police found a laptop containing 44,000 mobile numbers, as well as an SMS hardware gateway. They later determined the device had been used to send 26,000 messages on the previous day alone.
Alternatively, as pointed out by veteran cybersecurity journalist Brian Krebs, attackers may choose a provider to send the messages out on their behalf. Earlier this year, UK authorities arrested the 20-year-old operator behind the SMS Bandits gateway, which he marketed within criminal circles as “spam friendly.” Messages sent via SMS Bandits impersonated government agencies, financial services organizations, and telecommunications providers.
Now, let's talk about the composition of the text. SMS messaging is a relatively ‘flat’ medium. There is no room for visual flair or branding. This works to the advantage of attackers, as they don’t have to painstakingly recreate the style of the organizations being impersonated. And many phishing approaches work
Within the body of the text, the attacker faithfully adheres to the phishing playbook. One common tactic is to create a false sense of urgency. They want the recipient to be anxious, as they’ll be more likely to hand over their credentials without scrutinizing the message too closely.
The pandemic has provided many examples of this. In May, a UK man was sentenced to four years and three months in prison for perpetrating a scam in which victims were asked to provide their bank details in order to verify their eligibility for a Covid vaccine.
Another SMS phishing campaign identified in South Africa in March 2020 purported to be from local financial institutions and warned the recipient that their account would be terminated if they didn’t verify their credentials.
It’s interesting to note that this campaign began during the early months of the first lockdown, at a point when many contact centers were operating at a vastly reduced capacity. The ensuing long wait times ultimately disincentivized recipients from trying to independently verify the message with their bank, which contributed to its success.
Why is Smishing so Effective?
It's hard to find solid data on the financial cost of smishing. In most cases, it is grouped together with traditional email phishing and ‘vishing’ (voice phishing) rather than treated as a standalone category. However, police reports and testimony from victims suggest it can be hugely profitable for the perpetrators.
One gang made at least £20m over just eight years, allowing them to live a celebrity lifestyle of five-star hotels and designer clothing brands. Another man, a 22-year-old computer science student from London, made £125,000 before his arrest. In 2019, a Georgia federal court convicted three Romanian men for their role in a smishing scheme that cost individuals and institutions an estimated $21M.
And then there are the victims. One Hong Kong flight attendant saw her $10,000 life savings drained after she clicked through a text purporting to be from her bank. A student in the UK was pushed into her overdraft after receiving a text ostensibly from Barclays Bank. Another woman in Topeka, Kansas lost $600.
So, why is it so effective? It comes down to a number of reasons.
- Smishing is a relatively novel phenomenon, especially when compared to traditional email phishing, and much of its growth has occurred in recent years. In the UK, the volume of smishing messages grew 700% in the first six months of 2021 alone. There isn't the same level of awareness, and therefore skepticism, among the wider public.
- Text messages have a visibility advantage over emails. While your Gmail inbox may contain thousands of unread messages, odds are good you read every single text that shows up on your phone.
- For scammers hoping to establish credibility, SMS messages are hard to get wrong. As mentioned, it is a purely plaintext medium, with no visual flair to mimic.
- This simplicity allows scammers to quickly respond to events. Delivery scams — which account for over half of all smishing attempts in the UK — are a good example, having proliferated after the UK concluded its withdrawal from the EU. In the US, smishing epidemics have coincided with the distribution of stimulus checks, tax season, and the widespread difficulties in obtaining unemployment insurance during the early months of the pandemic.
- Finally, many of the tactics that make traditional email phishing successful also work over text, such as the creation of a false sense of urgency.
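As an added illustration that is not part of the original article, the following Python script scores text messages on the traits listed above (urgency language, an impersonated brand or service, a request for credentials or payment, and a link to click) so that a security team can rank employee-reported messages for review. The sample messages, the indicator word lists and the scoring threshold are constructed assumptions for this example, not data from the article or from any real campaign.

```python
import re
from dataclasses import dataclass, field

# Constructed sample texts (not real messages) that mimic the traits the article
# describes: urgency, brand impersonation, a credential or payment request, and a link.
# The ".invalid" domains are reserved placeholders and never resolve.
SAMPLE_MESSAGES = [
    "Your Barclays account will be terminated in 24 hours unless you verify "
    "your details: http://bank-verify.invalid/login",
    "Reminder: your parcel could not be delivered. Pay the 2.99 redelivery fee "
    "at https://parcel-redeliver.invalid before it is returned.",
    "Hi, running 10 minutes late for lunch. See you at the usual place.",
    "Your NHS vaccine slot is reserved. Confirm eligibility by entering your "
    "bank details: http://vaccine-confirm.invalid",
]

# Indicator lists are illustrative assumptions; a real deployment would build them
# from the brands the organization actually uses and from previously reported messages.
URGENCY_TERMS = ("immediately", "24 hours", "urgent", "terminated", "suspended",
                 "final notice", "act now")
REQUEST_TERMS = ("verify", "confirm", "bank details", "password", "login", "pin",
                 "fee", "pay")
BRAND_TERMS = ("barclays", "hmrc", "nhs", "royal mail", "parcel", "delivery")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SUSPICIOUS_THRESHOLD = 3  # assumed cut-off; tune against real reports


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def _matches(text: str, terms) -> list:
    # Whole-word matches so that, for example, "pin" does not fire on "shopping".
    return [t for t in terms if re.search(rf"\b{re.escape(t)}\b", text)]


def triage(message: str) -> Verdict:
    """Score one SMS body: one point per trait present, with the matched terms recorded."""
    text = message.lower()
    verdict = Verdict()
    for label, terms in (("urgency", URGENCY_TERMS),
                         ("credential/payment request", REQUEST_TERMS),
                         ("impersonated brand or service", BRAND_TERMS)):
        hits = _matches(text, terms)
        if hits:
            verdict.score += 1
            verdict.reasons.append(f"{label}: {', '.join(hits)}")
    urls = URL_RE.findall(message)
    if urls:
        verdict.score += 1
        verdict.reasons.append(f"link: {', '.join(urls)}")
    return verdict


def triage_all(messages) -> list:
    """Return (message, verdict) pairs, highest score first, for an analyst queue."""
    scored = [(m, triage(m)) for m in messages]
    return sorted(scored, key=lambda pair: pair[1].score, reverse=True)


if __name__ == "__main__":
    for message, verdict in triage_all(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"[{flag}] score={verdict.score} {message[:60]!r}")
        for reason in verdict.reasons:
            print(f"    - {reason}")
```

Each point is deliberately coarse: a single keyword list is easy for a sender to evade, so the value of a script like this is in ranking a reporting queue and recording why a message was flagged, not in replacing human review. The recorded reasons also make good material for awareness training, since they name the exact hooks (a deadline, a brand, a request for details, a link) that recipients should pause on.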
It’s easy to dismiss smishing as a purely consumer problem. That would be a mistake. First, there is an overlap between the tools and services used by the general public, and those used by the public and private sectors. Gmail is a good example. You might also use the same bank or the same social media platforms.
Additionally, there are many examples of text messages being used to distribute malware, or as the basis for a spear-phishing campaign. This raises the prospect of smishing becoming a major headache for public and private-sector organizations.
Even so, SMS remains a prime mode of communication due to its ease of use and sheer ubiquity. Although services like WhatsApp and Facebook Messenger offer more functionality, you can’t beat the humble text message for sheer universality.
An estimated 96% of US adults own a device capable of receiving text messages, while 95% of SMS messages are read and responded to within three minutes of receipt.
It's therefore crucial that organizations proactively develop a strategy for combating smishing, with awareness at the heart of any such strategy. Employees and partners must understand that text messages are not inherently safe. They should be treated with the same caution as email.
Employees should also feel empowered to report suspected smishing scams targeting the business. The sooner an organization becomes aware of an attack in progress, the quicker it can act.
Auth0 Security Culture Manager Annybell Villarroel notes that we’re seeing an increase in smishing attempts and recommends creating a culture of security and awareness for employees and partners through regular training.
But the biggest thing for all of us is just to learn to take a “skeptical pause,” says Annybell. “Pausing to ask yourself if the message makes sense can make a big difference. It can take you out of an emotional response back to logic. That extra few seconds can save you from a smishing click.”