What Is Smishing and Why Is It a Problem?

By: Jon Roberts
July 27, 2022

Smishing is much like traditional phishing scams, except these messages are sent by text (SMS) instead of email. Typical smishing messages urge recipients to click on a link that scammers say will contain a survey, a prize, or urgent information about a bank account or credit card. However, that link’s true purpose is luring potential victims into entering login credentials or other sensitive information.

Smishing scams have become a big problem in recent years. More than 70% of IT professionals report that their organizations were targeted by smishing scams in 2021. And according to a recent FBI report, smishing cost Americans $44 million in 2021 alone.

Who Is Likely to Be a Victim of SMS Scams?

Anyone who owns a smartphone is vulnerable to smishing. Considering the number of smartphone users has shot up from 3.7 billion in 2016 to 6.3 billion in 2021, and it’s expected to reach 7.5 billion 2026, smishing scammers will have access to a growing number of potential victims.

Furthermore, while smaller organizations often don’t consider themselves to be a likely target of cybercriminals, scammers target organizations large and small and often prefer small organizations to larger ones.

How Smishing Is Easier for Scammers

Unfortunately, while individuals and organizations are growing more adept at spotting phishing schemes, smishing schemes can be harder to recognize for what they are. For example, one common way to identify a malicious link on a computer is to hover your mouse over the link to see its full URL. However, mobile phone browsers truncate the link’s address, so scammers have an easier time concealing fraudulent URLs.

Scammers can also take advantage of something called SIM Swapping, where information from a mobile phone’s legitimate SIM card is transferred to a scammer. Legitimate users often need to swap their SIM cards if they need to move their phone number to a different device due to a loss or upgrade. Unfortunately, while one might think large mobile phone carriers would be hard to fool, criminals can often gather enough publicly available information about their victims to trick them into transferring a victim’s SIM into the wrong hands.

If a scammer successfully gets access to a victim’s SIM card, things can escalate pretty quickly. All calls, texts, and other data will be automatically diverted to the criminal's device. Next, criminals can send “Forgot Password” or other account recovery requests. Using two-factor authentication, they’ll be able to gain access to all online accounts associated with the victim’s phone number, including bank accounts.

Unfortunately, SIM swapping is also on the rise. The FBI reported 1,611 incidents of fraudulent SIM swaps in 2021; total losses were over $68 million.

How to Stay Safe From SIM-Swapping, Phishing, and Smishing Scams

First and foremost, if you ever suddenly lose access to your email account, or receive a message from your mobile phone carrier telling you that your device was changed and you didn’t authorize the request, contact your carrier immediately and update your passwords, beginning with any financial accounts.

However, online security has a lot in common with other risks, in that an ounce of prevention is worth a pound of cure. While multifactor authentication is better protection than a password alone, multifactor authentication that uses an authenticator app instead of relying on text messages or voice calls is much safer.  Additionally, the same practices that can help you avoid falling victim to phishing attempts or other scams can help safeguard you from smishing scams.

Watch out for messages that include the following:

  • Offers that sound too good to be true, like prizes, gift cards, or loans
  • Spelling or grammar errors
  • Requests to confirm sensitive information
  •  Alarming notifications regarding your credit cards or bank accounts that urge you to act quickly, before you’ve had a chance to think
  • Anything else that doesn’t feel right

Scammers are getting better at avoiding spelling and grammatical errors, and some smishing attempts are far more stealthy than others. So it’s important to be suspicious of links sent via text, email, or chat, no matter what those links promise or who has sent them. When in doubt about a particular link, take the extra time to navigate to the website directly. Remember to always think before you click.

Some of this advice may seem obvious, but when people are tired, distracted, or flustered, they’re more likely to make poor decisions. Additionally, most people are overconfident in their ability to identify scams and therefore are less likely to be on their guard.

Security Awareness Training Can Help

While employees represent an area of vulnerability regarding smishing and other related scams, regular training can help organizations mount a much better defense. Marco has partnered with KnowBe4 to provide sophisticated end-user security awareness. The platform has delivered incredible results in reducing the percentage of staff members who are susceptible to scams.

As phishing, smishing, and vishing (voice phishing) attacks continue to rise, this type of training is certainly timely. KnowBe4’s user-friendly platform makes it easy for your organization to see where your staff is vulnerable and how ongoing training can reduce their risk quickly. KnowBe4 Logo-Color-SM

Every organization is different, and what works best for one may not be suitable for another. If you’re looking for ways to improve your organization’s cybersecurity, Marco’s experts are available to make custom recommendations based on your organization and its goals.

Learn more about a Cybersecurity Assessment Get Started Today

Topics: Security