You receive a text message that appears to be from your bank:
“Your bank account has been compromised. Click here to confirm your details and restore access to your account.”
Because the message doesn’t ask for any identifying information, you click on the link. The destination looks virtually identical to your bank’s website, so you enter the requested information — only to discover later that your bank account is empty. Congratulations. You’re a victim of smishing.
SMS Scams: The New Frontier in Identity Theft
By now, most people can easily identify a phishing email, and very few actually respond to requests to send account details via email or click on links in email messages. But this hasn’t stopped cybercriminals who are intent on stealing data and money from unsuspecting individuals.
Realizing that most people carry mobile devices these days, and few adhere to the same security standards on their phones as they do on their computers, cybercriminals are turning to text messages and mobile malware to carry out their crimes. One of their most common tactics is smishing, or SMS phishing.
Smishing works much like email phishing: A criminal sends a text claiming to be from a bank or credit card company or a confirmation of a (fraudulent) purchase. The message notifies the device owner that he or she must take action, usually by clicking a link or responding via text, to avoid being charged or losing access to their money. When the recipient clicks the link, he or she is prompted to enter sensitive information that gives the criminals access to the data they need, and in many cases downloads additional malware that will continue to wreak havoc.
How These Scams Happen
Often, smishing attacks begin with the installation of an innocent-looking application. Mobile malware is on the rise, and even those applications that don’t appear harmful could create openings that give criminals everything they need to launch an attack, thanks to the permissions required to operate the application.
A malicious application that can access contact lists, for example, can use that information to send smishing messages to everyone on your contact list. The attack could also be launched at random, or based on information gathered from spyware installed on a computer.
Given the growth of BYOD, and the fact that many employees use their devices to access corporate networks, this is a significant concern among IT pros. A criminal looking to access your company’s network might resort to smishing to steal credentials. An employee could receive a message directing them to log in to the company network for an “update,” for instance, and when he or she does, inadvertently give access to the hackers. This underscores how important it is for companies to employ a robust mobile device management program and two-factor authentication to protect networks; requiring an authentication token to gain access to the network, for example, will prevent access even if an employee clicks on a malicious link.
Preventing Attacks
Preventing smishing attacks uses many of the same methods as preventing phishing attacks. More specifically:
· Many smishing attacks come from number “5000” or another three- or four-digit number. If you receive a message from an unusual number, do not respond and report the text to your phone carrier.
· Never click on a link in an unfamiliar or unsolicited text. If you have a question, contact the purported sender to confirm that he or she sent the message.
· Understand the terms of service from your financial institution, cell phone carrier or employer. A reputable company will never request sensitive or identifying information via text message.
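The checklist above expressed as a message-triage check, as an added example that is not part of the original article. The regular expressions, the `known_senders` allow-list, the verdict names and the sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Patterns are illustrative assumptions, not a complete smishing filter.
SHORT_SENDER = re.compile(r"\d{3,4}")   # "5000" or another three- or four-digit number
LINK = re.compile(r"(?:https?://|www\.)\S+", re.I)   # bare domains are not matched
SENSITIVE = re.compile(
    r"\b(?:confirm|verify|update)\b.{0,40}\b(?:details|account|password|pin|card|login)\b", re.I)
URGENCY = re.compile(r"\b(?:compromised|suspended|locked|restore access|avoid being charged)\b", re.I)


@dataclass
class Sms:
    sender: str
    body: str


def indicators(msg, known_senders=frozenset()):
    """Return the checklist indicators present in one message."""
    found = []
    sender = re.sub(r"[\s()+-]", "", msg.sender)   # normalise "+1 555 0100" -> "15550100"
    if SHORT_SENDER.fullmatch(sender) and sender not in known_senders:
        found.append("short-number sender")
    if LINK.search(msg.body):
        found.append("contains link")
    if SENSITIVE.search(msg.body):
        found.append("asks for sensitive information")
    if URGENCY.search(msg.body):
        found.append("pressure to act")
    return found


def triage(msg, known_senders=frozenset()):
    """Map indicators to an action; the thresholds are an assumption."""
    hits = indicators(msg, known_senders)
    if "short-number sender" in hits or len(hits) >= 2:
        return "report", hits               # do not respond; report to the carrier
    if hits:
        return "verify-with-sender", hits   # confirm through a known-good channel
    return "deliver", hits


# Constructed sample messages; the URLs use reserved .example names.
SAMPLES = [
    Sms("5000", "Your bank account has been compromised. Click here to confirm your "
                "details and restore access to your account. http://bank.example/verify"),
    Sms("+1 555 0101", "Your parcel is out for delivery: www.parcel.example/t/123"),
    Sms("+1 555 0100", "Running late, see you at 6"),
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(sms.sender, *triage(sms))
```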
As long as we use technology for communication and to manage every aspect of our lives, criminals will attempt to find new ways to steal information. Being aware of the scams and ignoring smishing messages and others like them will help keep your data safe and secure.