Smishing is another variation of ‘Phishing’, wherein a Short Service Message (SMS) or text message, is used in an attempt to gather Personal/Financial information of users, for committing financial frauds. More often the text messages are spoofed, which makes them appear to be from authentic source. The users may also receive fraudulent malware infested links that masquerade a legitimate app or a link that might land them on a fake site for gathering information.
How Smishing Works – Modus Operandi
- User receives messages with links/ posts of offers / gifts/rewards.
- Redirects the user to suspicious sites/links
- Requests user to provide personal information /click links/download software
- Leads to data leaks, malware/virus attacks, and cyber frauds.
Few Dangers of Smishing attacks
- Leak and misuse of Personal Identifiable Information (PII)
- Unauthorized access to devices /data Spam messages
- Financial loss
- Malware attack
- Account Hacking
Various Smishing Techniques
- Sending a link that triggers the downloading of a malicious app The example message prompts the user to enable banking facilities. In Smishing campaigns, these kind of messages linked towards apps are often designed to track keystrokes, steal identity or even control of phone to hackers, or encrypt the files on phone and hold them for ransom.
- Linking to information-capturing forms in the same way as email phishing campaigns aim to direct their victims to online forms where their information can be stolen, this technique uses text messages to do the same. Once a user has clicked on the link and been redirected and the information shared can be read and misused by fraudsters.
- Messages with Warning signs which need immediate action: Smishers entice their target with highly personalized and emotionally targeting bait text messages. It is important to know that these smishers sometimes target users by collecting basic information about them to make user trust them.
- Referrals to tech support. Again, this technique is a variation on the classic tech support scam, or it could be thought of as the “vish via smish.” An SMS message will instruct the recipient to contact a customer support line via a number that’s provided. Once on the line, the scammer will try to pry information from the caller by pretending to be a legitimate bank representative.
How to identify & respond to Smishing Messages
Smishing can be difficult to spot, particularly if it’s someone who would normally contact user by text.
- Message Alerts from Unusual Numbers
Legitimate text messages from bank are often sent from a 6-digit short code (for example: QP-SBIPSP ). If user receive a text message from an unidentified 11-digit number, the chances are high that it’s a scam.
So, even if they identify themselves as from bank, insurance agent, etc., one should verify the code from which the message was sent.
- Warning messages of deactivating the services:
These messages are usually crafted to attack emotions by warning the contacts that their account has been deactivated or locked. If user call the number, respond to the text message, or supply account information.
should be suspicious towards urgent security alerts and user-must-act-now messages as warning signs of a hacking attempt through SMS.
- They insist to transfer money right away.
Scammers pressure people into transferring money because it’s like sending cash once it’s gone, user can’t trace it or get it back. Imposters encourage using money transfer services so they can get user money before victim realize, they have been scammed.
Many legitimate messages from bank will be marked “urgent” particularly those related to suspected fraud, but any message with a deadline should be treated with extreme suspicion.
Security Tips to avoid smishing:
- Never click on any link in SMS, WhatsApp messages etc.,
- Type the website address in browser manually or copy paste the link if its correct website address.
- Always check the link before clicking. Hover over it to preview the URL, and look carefully for misspelling or other irregularities.
- Enter username and password only over a secure connection. Look for the “https” prefix before the site URL, indicating the connection to the site is secure.
- Be cautious about opening any attachments or downloading files received regardless of who sent them.
- Use antivirus, antispyware and firewall software (update them regularly too).
- If receive any suspicious message do call a company to confirm if it is legitimate or not.
- Do use a separate email account for things like shopping online, personal etc.
- Enforce multi-factor authentication (MFA).
- Keep anti-malware and anti-virus software up to date.
- Keep software and firmware regularly updated, particularly security patches.
The government portal www.cybercrime.gov.in portal is an initiative of Government of India to facilitate victims/complainants to report cybercrime complaints online. This portal caters to complaints pertaining to cybercrimes with special focus on cybercrimes against women and children.
The victims may either log into website or call the cyber-crime helpline number 1930 to file a complaint. The complaint registered on this portal are dealt by law enforcement agencies/ police based on the information available in the complaints.
- National cyber-crime helpline number is 1930.
- Portal is : https://www.cybercrime.gov.in/