Smishing: Phishing via SMS
Like phishing itself, smishing is a cyberattack, and it can cause great damage to your business without timely countermeasures.

Smishing might sound harmless, but do not underestimate these unexpected text messages. Like conventional phishing, this specific variant is a cyberattack that can cause significant damage to your business if left unchecked. Learn what "smishing" actually means and how you can effectively protect your organization against these subtle attacks.
Phishing via SMS: What Is Smishing?
To understand smishing, you should first know what phishing is. For roughly 30 years, these online data thefts have been causing serious problems for companies across every industry and size. The term itself combines "password harvesting" and "fishing" -- in short, tricking people into giving up their credentials.
"Smishing" is another portmanteau, combining phishing with SMS. It describes hackers' method of using fraudulent text messages to install malware or steal confidential data. Carefully worded messages create the illusion of a trustworthy sender, but in reality, cybercriminals are behind them. Time and again, victims unknowingly hand over sensitive information that reaches not their bank or insurance provider, but the attackers.
The success of smishing stems from the widespread carelessness with which people handle their mobile devices. While computers typically have automatic security checks in place, smartphones rarely offer comparable protection. When these devices are used for work purposes, the consequences for your organization can be severe.
Phishing, Smishing, or Vishing -- Which Is Which?
These terms sound alike because they share a common principle: cyberattacks with potentially significant impact. As a business leader, you should understand the differences between these methods.
- Phishing came first. The earliest attacks became public in the mid-1990s. Phishing involves sending emails with fake links to internet users. Anyone who clicks is redirected to convincingly authentic-looking websites and prompted to enter personal data. While generic templates were once sent en masse, email spear phishing is now the dominant approach. Using freely available information from social networks, attackers craft individually tailored messages to trick specific targets into responding.
- Smishing followed phishing. Here, malicious links are delivered via text messages rather than email. The ubiquity of smartphones makes smishing particularly lucrative for hackers.
- Vishing came next. The "V" stands for voice call. In this variant, a fake link triggers a screen lock when clicked. The victim then reaches a supposed technical support line via phone, where they are falsely promised a fix in exchange for their credit card details.
How Phishing by SMS Works
Hackers owe the success of smishing to typical smartphone user behavior. Nearly all incoming text messages are read, most are answered -- and many on the go. Distracted users often fail to look closely, providing cyberattackers with an ideal attack surface. The hackers' objectives fall into three categories:
- Bank smishing targets login credentials for online accounts or credit card details, which are then used to cause financial harm to the victim.
- Fake websites are used to harvest confidential information such as passwords or social security numbers after redirecting the victim.
- Malicious links can automatically install malware on a device when opened, rendering it unusable.
Although smishing messages primarily target Android devices, the attack methods work across platforms. iPhone users are equally at risk -- both personally and professionally. As mobile phones are increasingly used for business purposes, more and more companies are affected by SMS phishing. Smishing has evolved from a consumer-level risk into a serious operational threat.
What to Do if You Receive a Fake SMS
Not sure whether a text message is fraudulent? Start by examining the content carefully. Legitimate messages typically include specific details, such as the last four digits of your bank account number. Direct links and vague references should raise red flags -- when in doubt, log in directly through the official app or website instead.
1. Steps to Take After Receiving a Suspicious SMS
After receiving a suspicious SMS, you can reduce the risk by taking the following measures:
- Never click on the link provided
- Contact the supposed sender
- Refrain from downloads of unknown origin
- Delete the phishing SMS
- Block the sender's address via your operating system
In general, exercise caution when using digital services. Only download apps from official stores, and enable a third-party billing block to further reduce attack risk.
Mobile carriers are responding with increasingly sophisticated spam filters. However, cybercriminals adapt as well: they bypass these filters by deliberately inserting typos or transposed numbers.
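One way to triage the link in a suspicious SMS so that deliberate typos and transposed characters in a domain do not slip past an exact-match filter. This is an added example, not part of the original article; the trusted domains, sample messages and function names are constructed for illustration.

```python
import re

# Assumption: constructed allowlist of domains the organisation treats as official.
TRUSTED = {"examplebank.com", "parcel-example.com"}
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def osa_distance(a, b):
    """Edit distance that also counts an adjacent transposition as one edit."""
    # First row and column hold the cost of building a prefix from the empty string.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def triage(sms, trusted=TRUSTED, max_dist=2):
    """Return (host, verdict) for every link-like token found in the SMS text."""
    findings = []
    for match in URL_RE.finditer(sms):
        host = match.group(1).lower()
        # Naive registrable domain: last two labels (no public-suffix list here).
        domain = ".".join(host.split(".")[-2:])
        if domain in trusted:
            verdict = "trusted"
        elif any(t in host for t in trusted):
            verdict = "trusted-name-in-subdomain"  # e.g. brand.com.other.net
        elif any(osa_distance(domain, t) <= max_dist for t in trusted):
            verdict = "lookalike"  # typo, swapped or substituted characters
        else:
            verdict = "unknown-link"
        findings.append((host, verdict))
    return findings

# Constructed sample messages, not real traffic.
SAMPLES = [
    "ExampleBank: card ending 4821 was used. Open the app to review.",
    "Your parcel is held. Confirm address: http://parcel-exmaple.com/track?id=1",
    "Account locked, verify at examp1ebank.com/login",
    "Security alert: https://examplebank.com.verify-login.net/a",
    "Help centre: https://www.examplebank.com/help",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms), "<-", sms)
```

Anything other than "trusted" should be handled as the article advises: do not follow the link, and reach the sender through the official app or website instead.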
2. Steps to Take After Opening an Unknown Link
Have you accidentally opened an unknown link or a fake delivery SMS and are unsure what to do? The following steps can help limit the damage:
- Activate airplane mode immediately to stop incoming SMS.
- Inform your mobile carrier.
- Check your bank account for suspicious activity.
- File a criminal complaint with the relevant police authority.
- Back up all important smartphone data to an external medium, then perform a factory reset. This is the only way to completely remove malware from the device.
Current Developments in SMS Phishing
As more consumers order products online, hackers are capitalizing on this trend with targeted package-tracking phishing messages. These SMS often address the recipient by name, creating the illusion that the message comes from a legitimate logistics provider.
The zero-click exploit, first observed targeting Apple users in 2021, is considered particularly dangerous. In this case, malicious software spreads without any interaction from the victim.
Phishing via SMS: How to Protect Yourself
Smartphones are increasingly used in the workplace, making smishing a serious threat to businesses. However, with the right preventive measures, you can protect your organization from financial losses and reputational damage.
- Have experienced teams like turingpoint evaluate your workforce's security awareness. Often, a survey with targeted questions about potential fraud SMS is all it takes. Based on the results, IT specialists can deliver customized training for your company.
- Raise employee awareness of cyber threats like SMS phishing through professionally conducted smishing, vishing, or phishing simulations.
- Establish clear policies for personal smartphone use at work -- from restricting app usage to recognizing smishing threats.
- Restrict access to sensitive company data to a select group of authorized personnel.
- Maintain clear communication channels. Notify all employees immediately when a suspected smishing or phishing attack is reported.
- A comprehensive pentest, conducted regularly by experienced industry experts, reveals potential security gaps in your system. After a thorough examination of individual devices or entire networks, vulnerabilities can be remediated to ensure robust security.