A familiar number sends you a text message. It seems urgent. There are some weird charges on your credit card that require verification, the message reads. Your heart races, and your mind floods with questions.
Did someone steal my identity? Can I dispute these charges? Will I have to pay? What if I can’t?
You want to resolve the issue immediately, so you follow the instructions in the message. It's coming from your credit card company … right? So, it must be legitimate.
You click the link in the message and arrive at a familiar login portal. Again, it seems legitimate. You log into the portal, following the text’s instructions.
Unfortunately, you have just provided a malicious actor with your credentials and access to your credit card account.
The text message was a ruse. The phone number was spoofed. The portal was fake. The malicious actor’s attack was successful. And the malicious actor is now the proud owner of a new pair of Moon Rock Adidas Yeezy Boost 350s.
Inside SMS Phishing
This type of attack is known as SMS phishing. It’s a social engineering tactic used by malicious actors to steal sensitive information from their targets. SMS phishing takes advantage of constant cell phone and text usage. According to EarthWeb, Americans receive an average of 41 spam text messages per month, with fewer than 35% of people realizing that they’ve become targets of an SMS phishing attack.
The tactics in the example at the beginning of this post are just one set used by malicious actors. However, their methods typically follow a pattern: an urgent text message with an alarming claim. These claims range from something simple like package delivery issues or locked online accounts, to something more problematic, like overdrawn bank accounts or unpaid bills.
SMS phishing messages often appear to come from a local or trustworthy number. This technique is called spoofing. A malicious actor deliberately transmits false information to your caller ID to disguise their actual number. The link in their message brings you to a familiar login page, but it’s a fake that mirrors the legitimate page. Once you enter your sensitive information, it’s in the hands of a malicious actor, who can then use it to access your accounts, obtain sensitive information, impersonate you, and/or take your money.
Fortunately, you can learn to spot these attempted attacks before you become a victim.
Common Warning Signs of an SMS Phishing Attack
The following signs are often indicative of an attempted SMS phishing attack:
- The originating phone number or email address is incorrectly formatted or contains unusual characters.
- The message feels urgent. This is intentional. The malicious actor is using fear to incite an immediate response.
- The message contains links that appear to be legitimate but contain spelling errors, extra characters, or strange domains.
- Clicking the link takes you to a page that asks for login credentials, or the link automatically downloads an app to your device. The message may also dangle a reward, such as a gift, for responding to or interacting with it.
- The sender requests confidential information, like a credit card number, social security number, or bank account information, which a legitimate institution would never ask for via SMS.
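As an added example that is not part of the original post, the following Python screener scores a message against the warning signs listed above (urgent wording, a request for secrets, links whose domain only imitates a known brand, unencrypted links). The sample messages and the brand list are constructed for illustration; a real deployment would use a maintained brand list and a proper public-suffix lookup.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for illustration; not taken from any real campaign.
SAMPLES = [
    "URGENT: unusual charges on your card. Verify now at https://secure-login.mybank-verify.com/auth",
    "Your package could not be delivered. Confirm address: http://usps.com.track-id7731.net/redeliver",
    "Your account is locked. Reply with your card number and PIN to restore access.",
    "Reminder: your dentist appointment is tomorrow at 10am. Reply STOP to opt out.",
]

# Assumption: the defender maintains a map of brand keyword -> the brand's real registrable domain.
KNOWN_BRANDS = {"mybank": "mybank.com", "usps": "usps.com"}

URGENCY = re.compile(r"\b(urgent|immediately|verify now|suspended|locked|act now)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(password|login|ssn|social security|card number|pin)\b", re.I)
URL = re.compile(r"""https?://[^\s<>"']+""", re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the .com/.net hosts in this example."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def score_message(text: str) -> dict:
    """Return a suspicion score (count of triggered warning signs) and the reasons."""
    reasons = []
    body = URL.sub("", text)  # check wording without letting URL text trigger keyword matches
    if URGENCY.search(body):
        reasons.append("urgent language")
    if CREDENTIAL_ASK.search(body):
        reasons.append("asks for credentials or secrets")
    for url in URL.findall(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reg = registrable_domain(host)
        for brand, real in KNOWN_BRANDS.items():
            # Brand name appears somewhere in the host, but the domain that is actually
            # registered is not the brand's own: e.g. usps.com.track-id7731.net
            if brand in host and reg != real:
                reasons.append(f"lookalike domain {host} (brand {brand!r} but not {real})")
        if parsed.scheme.lower() == "http":
            reasons.append(f"unencrypted link {url}")
    return {"score": len(reasons), "reasons": reasons}


if __name__ == "__main__":
    for sms in SAMPLES:
        print(score_message(sms)["score"], sms)
```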
How to Defend Yourself from an SMS Phishing Attack
Now that you are familiar with this threat, let’s look at some best practices for protecting yourself and your business from SMS phishing attacks.
Monitor All Messaging Platforms
Even though the tactic is called “SMS phishing,” this attack is not exclusive to text messages. All messaging platforms are susceptible. This includes WhatsApp, Facebook Messenger, Instagram DMs, or any other messaging application or social media platform with messaging capabilities. Vigilance across all the platforms you use — not just your phone — will decrease your chances of becoming a victim.
Want to decrease the odds of receiving unwanted phishing messages? Submit a request to be added to the National Do Not Call Registry, maintained by the Federal Trade Commission (FTC). The National Do Not Call Registry gives you a choice about whether to receive telemarketing calls. Companies that illegally call numbers on the National Do Not Call Registry or place an illegal robocall can face fines up to $43,792 per call.
Sanitize Your Personal Information from the Internet
Subscribe to a service that removes your personal contact information from the internet, such as your phone number, address, age, etc. DeleteMe and OneRep are affordable solutions for automatically removing your private information from the web on a recurring monthly basis. If your information isn’t readily available, you will be targeted much less.
The best defense against an SMS phishing attack is to say nothing. If you think a message could be an SMS phishing attack, do not reply. If the message includes links, do not click on them. Report the message using the steps in the next section and delete it.
When in Doubt, Research
Never give your personal information (e.g., credit card information, login credentials, social security numbers) to unknown or unverified numbers. If you have doubts about the authenticity of a number, do a web search of both the number and the message content to check whether either has been used in an SMS phishing attack. Even if you don’t find any information and the number appears to be coming from a well-known company, do not provide your personal information. Call the company directly and verify that the message is from them.
After identifying a scam attempt, you can take the additional step of reporting it. Doing so may save someone else from the misery of recovering from an SMS phishing attack.
How to Report an SMS Phishing Attack
There are many ways to report an SMS phishing message. Here are some recommendations:
- If you receive the message on a company/work phone or device, report the message to your company’s security or IT department.
- Report the SMS phishing attempt to ReportFraud.ftc.gov. The Federal Trade Commission can't resolve your report, but the FTC uses the information to investigate fraud allegations.
- Report the SMS phishing attempt to your wireless service provider by forwarding unwanted texts to 7726 (or "SPAM"). Many major North American wireless carriers designed a consolidated spam reporting service. The GSM Association (GSMA), an industry organization representing the interests of mobile network operators worldwide, backs this service. It gathers spam complaints from all participating carriers into a common database, which may make it easier for carriers to identify spammers and act against them.
- File a complaint with the Federal Communications Commission (FCC) Consumer Complaints Center. Filing complaints helps inform the FCC’s policy decisions and investigations.
You are the best defense against an SMS phishing attack. Just receiving a phishing message won’t cause any damage. But acting on it — by clicking links, or providing information — could result in identity theft or fraud.
Remember, if it looks like a duck, swims like a duck, and quacks like a duck, then it’s probably a duck.