What is SMiShing?
As technology continues to advance at great speed, smartphone manufacturers race to provide more functions and applications to entice new buyers to purchase their products. Security is one element of these advances, whether it's passcodes, fingerprint scanners, or even facial recognition, all to make sure it's you accessing your phone. These new applications and functions seem safe, give you confidence, and are great to use, making your device more useful and a key asset in your everyday life. However, these advances are wasted if the user of the phone makes a bad decision.
SMiShing is a combination of the terms "SMS" (short message service, more frequently known as texting) and "phishing." In phishing, you receive a fraudulent email asking you to click on a link or respond with a password. SMiShing is a variation in which you receive an SMS message on your mobile phone rather than an email. SMiShing is growing in frequency and sophistication. Often, mass text messages are sent in the knowledge that a small percentage of recipients are likely to fall victim.
How does it work?
The mobile phone user receives an unexpected text message. It may pretend to be from your bank, a dating site, or a service provider such as a telephone company. These messages generally ask you to confirm payment details or take action on your phone via a website link provided within the message. Many SMiShing messages appear to be from your financial institution, sometimes claiming there has been fraudulent activity on your account and asking you to log into a fraudulent website or call a phone number set up by the attacker. These messages carry a sense of urgency, asking you to confirm a payment or provide account details, or else the service or payment will be cancelled.
Why is this type of attack becoming successful?
Texting is the most common use of smartphones. A survey by Tecks states that 15,220,700 texts are sent every minute, with Americans alone sending 1.5 trillion text messages a year. Whether from your supermarket or your car dealership, automated text messages are more common than ever. The more accustomed we are to automated texts, the more opportunity there is for cybercriminals to exploit that familiarity.
Most people are aware of the risks of email fraud and know not to open links within emails that appear strange or unsolicited. You have probably learned to be suspicious of emails that say "Hi, check out this link, or find out more here" but don't contain a written message from the real sender. Plus, we know we must protect our laptops and computers with the latest anti-virus and anti-malware products to keep safe.
SMiShing takes advantage of the fact that people are generally more complacent and less wary of texts to their cellular/mobile devices. Many people wrongly assume that their smartphones are more secure than computers and are unaware of the potential risks.
Smartphone security has limitations and cannot directly protect against SMiShing. Android devices in particular remain a prime target for malware because of their wide adoption and the greater flexibility they offer for custom applications. While this greater flexibility benefits users, it can also benefit cybercriminals. According to an article in Forbes, Comparitech put 21 separate Android antivirus apps to the test over the course of many weeks. Some 47% of them failed in one way or another. Apple's iPhone generally has a good reputation for security, but even it is not SMiShing-proof.
Cybercriminals generally use two methods to steal data and critical information.
- They may trick you into downloading malware that installs itself on your phone. This malware might masquerade as a legitimate app, tricking you into typing in confidential information that is now accessible for malicious use by cybercriminals.
- Alternatively, the link in the SMiShing message might take you to a fake website where you are asked to type sensitive personal information that the cybercriminals can use to steal your online ID.
The cybercriminal also relies on the fact that you use your mobile device in a hurry, often when you are on the go, increasing the chance of you responding to a message or clicking a link in it without thinking too much about it.
What types of information are SMiShing criminals after?
Essentially, they are after your personal data, which they can then use to steal money, access your personal accounts, or even access your company's information if you use your device at work.
More and more people use their personal smartphones for work, a practice called "bring your own device," or BYOD for short. Connectivity to a company network could enable cybercriminals to steal critical information or cause havoc to company operations by using your mobile phone as the entry point.
Examples of SMiShing attempts
We would all like to believe we are in line to receive a huge tax rebate! Scammers frequently masquerade as tax authorities, with messages quite often stating, "you are due a tax refund or need to provide some more information to receive this so the Internal Revenue Service can pay back into your account." Unfortunately, this is usually not the case and the cybercriminals are after your personal financial data to exploit it for their own financial gain or perhaps to sell on the black market.
You may think this won't happen to you, but the truth is the more accustomed we are to automated texts, the more opportunity there is for scammers to exploit that familiarity.
Protect Yourself
The following are some ways to protect yourself against SMiShing attacks.
- Simply ignore unexpected or suspect texts from unknown sources. Understand that your bank will not send you a text message asking you to update your account information or confirm your ATM card code. If you get a message that seems to be from your bank, contact your bank using the number provided in your bank statements or checking account to alert them.
- You should regard urgent security alerts and "you-must-act-now" text requests as potential warning signs of a SMiShing attempt.
- Never click a reply link or phone number in a message you are not sure about.
- Look for suspicious numbers that don't look like real mobile phone numbers or check the numbers against your account statements or invoices to be sure.
- Do not submit any personal information of any kind when requested to do so via text message.
- Delete any suspicious messages without opening links.
- If you have already entered your bank details after receiving a text message, contact your bank immediately and monitor your account to watch for any strange activity.
- Do not give out any personal information to anyone claiming to be calling from your bank. Always hang up and call your bank using a known, verified phone number to check if they need to speak to you.
- Do not answer or call back if you receive an unexpected call from an unknown international number.
- Install anti-malware software on your phone when available.
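The warning signs in the list above (an embedded link or callback number, urgency, a request for account details, an unusual sender) can also be checked mechanically, for example when triaging messages that users report. The following is an added example, not part of the original article; the keyword lists, the function names `triage` and `verdict`, and the sample messages are constructed assumptions.

```python
import re

# Indicator patterns drawn from the warning signs listed above. The word lists
# are illustrative assumptions, not a vetted detection rule set.
INDICATORS = {
    "link": re.compile(r"https?://\S+|\bwww\.\S+", re.I),
    "urgency": re.compile(
        r"\b(urgent|immediately|act now|within \d+ hours?|will be (cancelled|suspended))\b", re.I),
    "asks_for_data": re.compile(
        r"\b(confirm|verify|update|provide)\b.{0,40}\b(account|payment|card|pin|password|details)\b", re.I),
    "callback_number": re.compile(r"\bcall\b.{0,20}\+?\d[\d\s().-]{7,}\d", re.I),
}

def sender_looks_odd(sender):
    """True when the sender is not a plain phone number of plausible length.
    Weak signal only: legitimate short codes and sender names also trip it."""
    digits = re.sub(r"[\s().+-]", "", sender)
    return not (digits.isdigit() and 10 <= len(digits) <= 15)

def triage(sender, body):
    """Return the names of the indicators found in one message."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    if sender_looks_odd(sender):
        hits.append("odd_sender")
    return hits

def verdict(sender, body):
    """Flag a message only when a lure (link or callback number) is combined
    with pressure (urgency or a request for data), as described above."""
    hits = set(triage(sender, body))
    lure = hits & {"link", "callback_number"}
    pressure = hits & {"urgency", "asks_for_data"}
    return "suspicious" if lure and pressure else "no strong indicators"

# Constructed sample messages (sender, body); none are real.
SAMPLES = [
    ("8812", "Your bank: fraudulent activity detected on your account. Verify your "
             "account details immediately at http://secure-bank.example/login "
             "or service will be cancelled."),
    ("+1 555 010 0199", "Hi, running 10 minutes late, see you at the cafe."),
    ("TAXREFUND", "You are due a tax refund. Provide your bank details so we can "
                  "pay into your account: www.refund-claim.example"),
    ("60123", "Your prescription is ready for pickup."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(f"{sender:>16}  {verdict(sender, body):<22} {triage(sender, body)}")
```

The last sample shows why an unusual sender alone is not enough: a routine reminder from a short code has no link, urgency, or data request and is not flagged.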