Smishing, aka SMS Phishing: How to Protect Yourself

By Michael X. Heiligenstein
September 25, 2020
Phishing

Smishing, short for “SMS Phishing”, refers to all phishing efforts done over SMS text messages. In a typical smishing attack, the scammer sends a generic text message posing as a legitimate organization, such as UPS. In the most common version, the message sends them to a fake website, where they put in passwords the scammer can then reuse.

In this article, I’ll walk you through a couple smishing examples, explain how these particular phishing attacks work, and offer some all-purpose pointers on how you can protect yourself from getting smished. Read on.

Smishing Example #1: The UPS Impersonator

I mentioned UPS above because impersonating delivery companies is one of the most common smishing techniques. Pretty much everybody gets packages now and then, making this message generic enough that a scammer can send it to thousands of people and expect to get some bites.

UPS Delivery Alert
Your package could not be delivered because no one was on hand to pick it up.
Please click here to reschedule delivery: https://bit.ly/2RaOGlP

Pretty straightforward, right? Looks pretty similar to the kind of text you might receive from UPS or any other delivery company.

The biggest giveaway is the link. You should be very careful about clicking any links in text messages. As a general rule, you’re better off not clicking any text message links. The fact that it’s a shortened bit.ly link and not an official ups.com link should raise an eyebrow.

On top of that, UPS makes clear that they never ask for passwords or personal information via text message. Many big organizations have similar policies – if you’re in doubt, you can usually run a quick Google search (‘ups fraud, ‘amazon fraud’, etc) and find out what a company’s official policies are. Many companies, such as UPS, even provide examples of the fraudulent messages that have been sent in their name.

Again: you should assume no text message links are safe, especially if they don’t come from a phone number you personally know and trust. Instead of clicking the link, navigate to the company’s website directly. That way, you can be absolutely certain you’re in the right place – and not some cloned, duplicate version designed to hijack your login info.

Smishing Example #2: CEO Fraud

For our next example, let’s look at a text that falls in a bucket commonly called “CEO fraud”. Assume that the “John Hughes” in this scenario is the fictional CEO of our hypothetical target’s company:

Hey this is John Hughes, could you pls take care of this invoice for me? https://bit.ly/2RaOGlP On vacation rn so no need to reply, thanks.

This appoach is a little more nuanced – but not by much. Unlike the first smishing example, this one isn’t so generic you could send it to just anyone. Instead, this is relying on reaching a specific audience of employees at a given company. And ideally employees that are a couple steps removed from the CEO.

That’s not the only difference from our more common first example. For one, they’re looking to get paid directly through an open invoice, rather than lift information they could then use to make money. They’re also pretending to be a specific person, not an anonymous corporate robo-text.

Hopefully your company has clear guidelines in place on what to do when you receive a suspicious text message. If they don’t, you should handle these messages with special care – you don’t want to pass on the invoice link only for someone else to unwittingly pay it. Believe it or not, it happens.

Your company’s security team or point person would be the best person to talk to, if you have one. If you don’t, you might be able to ask IT about the message. Or you could try HR to see if the phone number is accurate – they’ll typically have records of contact information within the company.

Whatever you do, don’t click the link itself unless you’re certain it came from a phone number you actually know.

How to Protect Yourself from Smishing Attacks

Now that you’ve seen a couple examples, let’s walk through some broader tips on how to protect yourself. Some of these might sound familiar from the examples above, but they bear repeating.

Watch out for links

The most common throughline you’ll find in smishing attacks – and phishing attacks in general – is the dangers of clicking on links. While there might be other avenues a smishing attack could take, the grand majority will direct you to a link, where they then expect you to give them your passwords or personal information.

Do not click on links in text messages. If it’s someone you’re absolutely certain you know and trust, then maybe – but keep in mind, even a trusted number can be hacked. If it’s an organization like UPS, Amazon, or the IRS, go to the website on your own instead of clicking on the link.

Take care with passwords and personal information

If a website asks for a password or personal information, it never hurts to doublecheck the URL. Especially if you arrived there from an SMS message, email, or another website, you should look closely and carefully. It’s pretty common for scam artists to create clone websites that look just like the real thing, with URLs that are just one character off. So look closely.

Any kind of personal information can be used for identity theft. One common smishing attack asks people to take a survey. You shouldn’t click the link to begin with, but if you do end up on a survey page asking for personal details, like your address or social security number, stop and close the tab. It’s just not worth the risk.

Use a password manager

If a smishing attacker manages to get your Spotify password, they probably can’t do too much harm – unless you use that password for every other account you own. That’s why it’s a bad idea to use the same password across multiple websites.

You should use a unique password for every account you use across different websites. Many cybersecurity experts would even encourage you to change each of your passwords every few months. That’s not a bad idea for cybersecurity purposes, but it can be a lot to manage. As someone who has a hard time remembering where I put my car keys, figuring out dozens of secure passwords multiple times a year is probably beyond my capabilities.

That’s why password managers are so great. With one secure application, you control your logins to any site you go to, with unique passwords across the board. Secure is the key word in the above sentence. You’ll want to make sure your password manager is one you absolutely trust.

The Bottom Line

The best thing you can do to protect yourself from smishing attacks is to stay vigilant. Watch out for phishy links, especially if they’re not from a person you know and trust. Hopefully the above examples and tips will help you to steer clear of smishing attacks.

Stay vigilant.

About the Author

Find Michael on LinkedIn

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.