Social Engineering | Jan Kahmen | 8 min read

Smishing: Phishing via SMS

Like phishing itself, smishing is also a cyber attack. And it can cause great damage to your business without timely countermeasures.


Smishing may sound cute, but do not dismiss unexpected SMS messages as trivial. Like phishing itself, this subtype is a cyberattack, and without timely countermeasures it can cause great damage to your business. We explain what is behind the term "smishing" and how you can protect your business against these subtle hacker attacks.

Phishing via SMS: What is Smishing?

To understand smishing, you should first know what phishing is. For around 30 years, this form of online data theft has been causing problems, some of them serious, for companies in every industry and of every size. The English-language term is made up of the words "password harvesting" and "fishing" - loosely translated: "collecting passwords".

Smishing is also a neologism. It stands for the hackers' new method of installing malware or retrieving secret data. "Smishing" is a combination of phishing and SMS: fraudulent text messages are used to trick victims into volunteering personal data. Through a clever choice of words, the short messages appear to come from trustworthy senders, but in reality they are dangerous. Time and again, victims willingly disclose sensitive data that reaches not the supposed bank or insurance company but the hackers.

The success of scam SMS rests on the generally careless way users handle mobile devices. While computers usually have automatic security checks installed, smartphones are rarely protected to the same degree. If the devices are used for professional purposes, this can come back to haunt you as company management.

Phishing, Smishing or Vishing - Which is Which?

These terms sound similar because similar things are behind them: hacker attacks of potentially significant scale. As a business owner, you should therefore know what lies behind each of these methods of cybercrime.

  • It started with phishing. The first hacking attacks became public in the mid-1990s. In phishing, e-mails with fake links are sent to Internet users. Anyone who opens them is redirected to deceptively real-looking websites and asked to divulge personal data. While general templates used to be widely distributed, email spear phishing is now the primary method. Thanks to freely accessible information in social networks, computer fraudsters use individually tailored content to persuade their victims to respond.

  • Smishing followed phishing. Here, the false links are sent via text messages rather than e-mail. The everyday use of smartphones makes smishing particularly lucrative for hackers.

  • Finally came vishing. The "V" stands for voice call. Here, clicking the fake link locks the screen. Via a voice call, the victim reaches a supposed technical service, which falsely promises to repair the damage after receiving the credit card details.

This is How Phishing by SMS Works

Hackers owe the success of fraudulent SMS in smishing to the usage behavior of smartphone owners. Almost all incoming text messages are read, and most of them are answered, many in a hurry. Those who are distracted often do not look closely and thus offer modern cyberattacks a perfect attack surface. The hackers' targets can be divided into three categories:

  • "Bank smishing" involves requesting login information for online accounts or credit card details, the subsequent illegal use of which causes financial damage to the victim

  • Confidential information is also retrieved after a redirect to bogus websites. Private details such as passwords or social security numbers are requested

  • Finally, there is a risk of automatically loading malware onto the device by opening a fake link, making it unusable

Although smishing SMS are primarily sent to Android devices, the attack methods work across platforms. So even if you are an iPhone user, you are at risk, both privately and in your company. The increasing use of cell phones for professional purposes means that more and more companies are affected by phishing SMS. Smishing has evolved from an individual consumer risk to an operational hazard.

What to Do if you have Received a Fake SMS Message

Unsure whether a text message is fraudulent? First, take a close look at the content. Genuine messages usually contain specific information such as the last four digits of your bank account details. Direct links and imprecise references should make you suspicious. To be on the safe side, log in via the app or the browser rather than through the link.

1. Behavioral Measures after Receiving an Unknown SMS Message

After receiving an unknown SMS, you can reduce the risk of danger by taking further behavioral measures:

  • Never click on the link provided

  • Contact the supposed sender

  • Refrain from downloads of unknown origin

  • Delete the phishing SMS

  • Block the sender's address via your operating system

You should always exercise caution when using digital technology. Never download apps from unknown stores, and reduce the risk of hacker attacks by using a third-party lock.

It's true that mobile providers are responding with increasingly precise filtering measures. But cybercriminals have an answer here, too: they circumvent spam filters by deliberately inserting spelling mistakes or digit swaps.
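A filter-side counter to that evasion, as an added example that is not part of the original article: fold digit stand-ins back to letters and compare each word fuzzily against a watch list, so altered keywords still register where a literal keyword match sees nothing. The watch list, similarity threshold, the reading of digit swaps as digit-for-letter substitution, and both sample messages are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed watch list for illustration; a real filter would maintain its own.
WATCHWORDS = ("parcel", "delivery", "confirm", "account", "password")
# Digit and symbol stand-ins for letters (assumed form of digit swap).
LOOKALIKES = str.maketrans("013457@$", "oleastas")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def tokens(text):
    """Lower-cased words of the message body, with links removed."""
    return re.findall(r"[a-z0-9@$]+", URL_RE.sub(" ", text).lower())


def exact_hits(text):
    """What a plain keyword filter sees: literal matches only."""
    return sorted({t for t in tokens(text) if t in WATCHWORDS})


def disguised_hits(text, threshold=0.8):
    """Watchwords present only in altered form (digit swaps, typos)."""
    found = set()
    for tok in tokens(text):
        folded = tok.translate(LOOKALIKES)
        for word in WATCHWORDS:
            if tok.startswith(word):  # literal word or plain plural: not disguised
                continue
            if SequenceMatcher(None, folded, word).ratio() >= threshold:
                found.add(word)
    return sorted(found)


def triage(text):
    """Return the reasons a message deserves a closer look."""
    reasons = []
    if URL_RE.search(text):
        reasons.append("contains a direct link")
    disguised = disguised_hits(text)
    if disguised:
        reasons.append("disguised keywords: " + ", ".join(disguised))
    return reasons


# Constructed sample messages (example.test is a reserved test domain).
SUSPECT = "Your p4rcel is waiting, confrim delivrey: http://example.test/track"
BENIGN = "Lunch at 12? I will bring the report."
```

A keyword that appears only in disguised form is itself a stronger signal than the keyword alone, since legitimate senders have no reason to misspell their own terms.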

Have you opened an unknown link or a fake DHL SMS and do not know what to do next? You have several options to limit the damage:

  • Stop incoming SMS by activating your flight mode.

  • Inform your mobile phone provider

  • Check your bank account

  • File a criminal complaint with the relevant police authority

  • Save all important smartphone data on an external medium and then reset the device to factory settings. This is the only way to completely remove the malware from the opened spam SMS messages

Current Developments in Phishing via SMS

More and more consumers are ordering products over the Internet. Hackers are taking advantage of this by sending targeted package phishing SMS. Sometimes addressing the buyer by name, they pretend that the short message comes from the logistics company used.

The zero-click exploit first used against Apple users in 2021 is considered particularly dangerous. In this case, the malicious software spreads without any action on the part of the victim.

Phishing via SMS: How to Protect Yourself

Smartphones are increasingly being used at work - and smishing poses a serious threat to companies. But by taking preventive measures, you can protect your company from financial losses and the loss of its reputation.

  • Have experienced teams like turningpoint assess your workforce's cybercrime competence. Often, a simple survey with specific questions about possible fraud SMS is already sufficient for this. Depending on the results of the study, IT specialists will conduct customized training for your company.

  • Raise employee awareness of cybercrimes such as phishing SMS through professionally conducted smishing, vishing or phishing simulations.

  • Set clear rules on the use of personal smartphones at work. This can start with restricted app use and end with detecting threats from smishing attacks.

  • Limit access permission to sensitive company data to a select group of people.

  • Ensure that communications flow smoothly at all times. Inform all employees as soon as a suspected hacking attack via smishing or phishing is reported.

  • Conducted regularly and by experienced industry experts, a comprehensive pentest reveals potential security gaps in your system. After a detailed check of individual technical devices or complete networks, vulnerabilities can be eliminated and maximum online security ensured.

