Spoofing and Smishing: Your Need To Know
As web users become savvier about cybercrime, criminals are continually seeking new ways to defraud people of their identity, data or money. The increasing popularity of text message marketing gives fraudsters a new medium to target, and we are now seeing a rise in SMS spoofing and smishing.
What is SMS Spoofing?
SMS spoofing is where fraudsters send a text message impersonating another entity. This is commonly done using SMS Gateway software, which lets them run bulk SMS campaigns and mask the identity of the sender. Fraudsters may go to the extent of creating their own SMS Gateway or, sadly, use an actual company that has poor anti-spam policies in place.
At ClickSend we’ve shut down all sorts of attempts to use SMS spoofing to impersonate banks, Facebook, iTunes, Amazon, the police, TripAdvisor or telecommunications providers.
What is Smishing?
The word smishing is a portmanteau of SMS and phishing. Most people are now familiar with the concept of phishing, where online criminals attempt to gain access to your credentials or private information by sending malicious links through email or social media. Often smishing attempts will also include a spoofed sender identity.
A classic example of phishing is where fraudsters impersonate a bank in an attempt to gain access to their victim’s bank account. This can be done by directly asking you to respond with your bank details, by asking you to call a number where your details are requested, or by taking you to a site that looks legitimate and waiting for you to enter your details (which are then captured on their end). Increasingly, this strategy is also being used in smishing.
It’s important to note that not all smishing attempts use SMS spoofing — it could just come from an unknown number. Other popular smishing attempts include:
- Urgent requests from bosses/executives
- Being alerted to having won a prize
- Meeting requests
- Password resets or authentication messages
Generally these messages will include a link to a malicious website or ask for you to respond.
Why SMS Spoofing and Smishing are Dangerous
While phishing has had plenty of attention and consumers tend to have a healthy scepticism with emails, smishing is lesser known and it’s becoming increasingly easy to execute. Combined with cyber criminals using more sophisticated methods to send malicious messages, often phishing and smishing attempts can look legitimate.
Depending on the nature of the attack, a successful smishing attack could convince victims to install viruses on their devices or unknowingly give access to their accounts. Sometimes messages will ask victims to respond with personal information, or links will take victims to a site imitating a legitimate company (for example a bank) and lead them to enter their details where they are then captured. Cyber criminals can then use this information to take over victims’ bank accounts, steal their identity or credit card details, possibly to on-sell to other criminals.
While you’ll often hear about spoofing banks, we have noticed increased criminal interest toward stealing Facebook details, as Facebook increasingly gains more data on users. One of the newer smishing attempts gaining popularity is mimicking 2-factor authentication messages.
How to Stay Safe
As more companies send links in their SMS messages, it’s becoming too simplistic to issue a blanket ban on clicking links in text messages. There are many reasons for these links, for example to access the advertised promotion, to reschedule or cancel appointments or even to opt-out of messages. If a message comes from a known business, you know how and why you provided them with your number and the message is transactional in nature, it’s likely the message is safe. For example, your doctor confirming your upcoming appointment, or a realtor alerting you to new property listings in your area.
Conversely, if a text message comes out of the blue and you don’t know how the sender got your number, or the message asks for any information — delete the message. Banks, service providers and telecommunication companies will never ask for your personal details through SMS — if you’re unsure, contact them directly (not through any numbers included in the message).
If you are being spammed or think a message is a smishing attempt, never click on links and never respond. Responding to opt out or ask how they acquired your number can often result in being spammed with more intensity, as senders realise the number is manned. You can block certain senders by contacting your network or even through your smartphone handset.
A few more tips…
- Be wary of messages about verification codes, especially if you did not request a password reset or sign up to a service that uses two-factor authentication.
- Install reputable antivirus software on your smartphone as an extra precaution.
- Only share your phone number when necessary.
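The rules of thumb above can also be written down as a simple triage check for an inbox filter or a helpdesk script. This is an added example, not ClickSend code; the function name, the regular expressions and the sample messages are constructed assumptions for illustration.

```python
import re

# Constructed patterns (assumptions); tune them against real traffic.
URL_RE = re.compile(r"(https?://|www\.)\S+", re.I)
INFO_REQUEST_RE = re.compile(
    r"\b(reply|respond|confirm|verify|update|enter|send)\b.{0,40}"
    r"\b(password|pin|card|account|details)\b", re.I | re.S)
OTP_RE = re.compile(r"\b(verification|security|login|reset)\b.{0,30}\bcode\b",
                    re.I | re.S)


def triage_sms(sender, body, known_senders, otp_requested=False):
    """Return (verdict, reasons) following the article's advice."""
    reasons = []
    if sender not in known_senders:
        reasons.append("unrecognised sender")
    # Checked even for known sender names, because the sender field can be spoofed.
    if INFO_REQUEST_RE.search(body):
        reasons.append("asks for personal details")
    delete = bool(reasons)  # either flag above means: delete, do not reply
    if OTP_RE.search(body) and not otp_requested:
        reasons.append("unrequested verification code")
    # A link alone is not a red flag; it only matters alongside another one.
    if reasons and URL_RE.search(body):
        reasons.append("do not follow the link")
    verdict = "delete" if delete else "caution" if reasons else "likely-safe"
    return verdict, reasons


# Constructed sample data: sender names this user has knowingly dealt with.
KNOWN = {"MyClinic", "MyBank", "Facebook"}
SAMPLES = [
    ("MyClinic", "Reminder: your appointment is on Tue 10:30. "
                 "Reschedule: https://clinic.example/r/abc"),
    ("MyBank", "Unusual activity detected. Reply with your card number "
               "and PIN to verify your account."),
    ("+61400000000", "You have won a prize! Claim now at http://prize.example/claim"),
    ("Facebook", "Your login code is 482913. If you did not request this, "
                 "reset here: http://fb-reset.example"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", triage_sms(sender, body, KNOWN))
```

The second sample shows why a familiar sender name is not enough on its own: the message is flagged because of what it asks for, not who it claims to be from.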
If you want to know in detail how to stop spam messages forever then check out our previous blog: https://blog.clicksend.com/2019/01/how-to-stop-spam-text-messages-forever/
When choosing an SMS gateway, it’s important to choose a provider who cares about the mobile security of you and your customers. Reputable SMS platforms like ClickSend will have mechanisms that quickly shut down most attempts at committing fraud through text messages.