“Smishing” – an insidious type of social engineering scam that exploits text (or SMS) messages – is becoming a big business opportunity for scammers. An FBI report shows that more than 320,000 Americans were targeted by these schemes in 2021, resulting in $44 billion in losses.
Unfortunately, these attacks have only become more frequent over time. Data from a recent TrueCaller report shows that consumers face an average of 19.5 spam texts per month, a rate that has more than doubled over the last three years.
Smishing scams often begin with a text message that includes a fake survey, a notification that a person has won something, or an “urgent” message about a bank account or credit card. Those texts invite a consumer to click a link, call a phone number, or contact an email address that the attacker provides. Once the victim does that, the race is on. Victims are usually asked to share things like login credentials, account numbers, and other sensitive personal information.
The scam is used by cyber thieves worldwide. Back in 2017, smishers in the U.K. pretended to be associated with a local bank and stole more than $80,000 in inheritance money from a pregnant woman’s account.
Smishers target companies and employees
Businesses and their employees have become increasingly targeted by these schemes. More than 70% of IT professionals in a recent study reported that their organizations were targeted by a smishing scam in 2021 – an increase of nearly 10% from 2020.
Companies have responded by trying to train employees to not fall for these ruses. Unfortunately, those who don’t learn quickly could find themselves out of a job. One in four employees recently lost their job after falling for a smishing scam that compromised their company’s security, according to Tessian, an email security company.
Why are mobile phone cyber threats rising? The answer is simple, says Ian Matthews, the president and CEO of WMC Global. “Ninety-seven percent of Americans own some form of a smartphone, with over a quarter of younger Americans and those with income under $30K relying on smartphones for online access,” he told ConsumerAffairs.
“Because of the trend towards mobile phones acting as a consumer’s main connection point, text message open rates hover around 98%, while email open rates are only 20%. Threat actors know this and drive spam, scams, and phishing to messaging channels that are directly reaching consumers.”
One ploy that cybercrooks employ is tracking down the names of people in a company and sending a message while pretending to be someone that an employee would likely respond to, such as the company’s president. Those who respond to the message or carry out a request may wind up helping the scammer steal money or sensitive company data.
Another scheme involves using a credible-looking domain name. Because smishers know that mobile browsers may not display the full URL of a link, they create one that has just enough of the primary domain name in it to trick their victims into thinking that the link is legitimate.
When ConsumerAffairs looked at the possible domain names that criminals could use to trick a user with a real-looking URL, we found that there was no shortage of possibilities. For example, we could have bought GoogleSecurityAssistance.com for a penny for the first year on GoDaddy, DeltaAirTicketing.com for $5.99 for the first year on NetworkSolutions, and VisaCardProtectionNetwork.com on GoogleDomains for $12 for the first year.
No one is immune – not even ConsumerAffairs
Scammers who employ smishing techniques have pretended to be FedEx, Amazon, the IRS, and, yes, even us at ConsumerAffairs. As a too-close-to-home example of how cybercriminals try to worm their way into a company, ConsumerAffairs employees were recently targeted by a smishing scheme. In our case, the scammers used a profile of the company’s CEO – Zac Carman – to try conning workers.
“Hey, Ryan, I’m in a conference right now can’t talk on phone but let me know if you got my text. Thanks Zac Carman,” one message sent out to an employee read.
Daniel McConnell, an Information Cyber Security Engineer at ConsumerAffairs, said smishing attempts usually come in waves to multiple employees at the same time and that the majority are attempts to impersonate highly placed company officials.
“Usually, the texts request immediate action to invoke a sense of urgency and importance – something like ‘reply back now, it's very important’ or 'I'm busy and cannot use my normal means to communicate, please send me your XYZ info ASAP’,” McConnell said.
Matthews affirmed that ConsumerAffairs isn’t the only company being targeted by an executive impersonation scam. “It is one of the most crucial types of smishing to watch out for, [and is] designed to mimic communications from a company executive to members of staff,” he said.
Matthews added that it’s simple for scammers to use smishing techniques against companies because of personal data that is available online. When combined with sales and marketing tools that are publicly available, scammers can gather a lot of information about company officials and employees to send out a slew of smishing messages all at once. Matthews noted that an executive impersonation smishing attack will often ask employees to urgently purchase gift cards for a client and send images of the codes on the back.
SIM Swapping – the next big threat
So where are smishing attacks headed next? If you’ve never heard of “SIM Swapping,” you may be in for a rude awakening. As you’re probably aware, a SIM card is that tiny chip in your phone that connects your account at your service provider to your phone; it allows you to make calls and send texts.
In a SIM Swapping scheme, hackers collect personal details about their victim via information that is publicly available on the internet or has been exposed in incidents like data breaches. The attacker then calls the target’s phone carrier and pretends to be them.
Matthews says the hackers might say something like, “I want to move my number to this new device,” or “I lost my other phone.” If they’re successful at tricking the phone carrier, then it’s especially bad news for the victim. The carrier virtually transfers all the digital information contained on the victim’s SIM card to a SIM card on a device in the scammer's possession.
The scam works, Matthews says, because of the knowledge gained via the original theft. "They have the information a customer service agent asks for before performing the number swap onto a new device in the threat actor’s possession,” he explained.
Once the victim's SIM is swapped into the scammer's possession, they are truly in the driver's seat. They’re able to get all the victim’s calls and texts, as well as two-factor authentication SMS texts and one-time PIN numbers. With those in hand, the scammer can access social media accounts, app accounts, and even financial accounts.
Primary targets of this scam include people with valuable online accounts, like a social media account with a large following. When hackers take over one of these accounts, they can use it to send out more scam messages to people who follow the account. Since followers might view the profile as a trusted source, many of them may be less skeptical about clicking potential phishing links or providing their own personal information.
Matthews said most businesses luck out when it comes to SIM swapping scams because SMS messages are mostly used for two-factor authentication for personal bank accounts. However, that could change in the future.
“Personal devices are used for banking and corporate devices are usually not. However, now that this line is muddy, users will be confused as to who is responsible for protecting their device,” he said.
How consumers can protect themselves
As you can tell, smishing is a threat that requires serious attention from anyone who uses text messaging. To find out how consumers can protect themselves, ConsumerAffairs polled several cybersecurity experts to see what advice they had to offer. Here’s what they had to say.
Ian Matthews, President and CEO of WMC Global
Matthews says consumers should employ a healthy dose of skepticism when receiving unsolicited messages from services or other sources.
“If a message feels suspicious or too good to be true, it probably is,” Mathews told ConsumerAffairs. He laid out the common signs of a text message scam or smishing attack that users should familiarize themselves with. They include:
Incorrect spelling or grammar usage within the message itself or misspelled links or brand names. While some scammers may have a bad command of the English language, cybersecurity expert Joseph Steinberg points out that some scammers intentionally use bad grammar and spelling to avoid spam filters and to only get responses from people who are more likely to fall for a scam.
Unexpected free offerings. This can include prizes, gift cards, or small business loans.
Contact from government agencies or financial institutions that are looking to confirm sensitive information through a call or link sent by text. Consumers should rest assured that these agencies will never ask to confirm sensitive details through unsecured channels.
Brian David Crane, Founder of CallerSmart
Brian David Crane says consumers should take advantage of protection apps that are offered by major carriers to avoid falling victim to smishing scams.
He suggests that T-Mobile users download the ScamShield app, Verizon customers download the Call Filter app, and AT&T customers download the ActiveArmor app. ConsumerAffairs reached out to AT&T to ask about their app offering, and a representative said ActiveArmor blocks about 10 million fraud calls per day.
AT&T and T-Mobile also told ConsumerAffairs that they are ready to take on the vetting of any SMS message that a customer is concerned about. If you’re a customer of either of those carriers and get a suspicious text, you can forward the message to 7726 and it will go straight to the spam defense teams at those companies.
“If it is found to be a scam or illegal message, we can take appropriate actions such as blocking similar message content and block the number sending it, and even share the information with other carriers so they can also take action,” an AT&T spokesperson told us.
Yochai Corem, CEO of Cyberint
Yochai Corem says consumers should follow these three pieces of advice to avoid smishing scams:
Don’t follow links in SMS messages. Instead, surf directly to the website of the company or service being impersonated and log in there. Many companies no longer provide links in SMS messages, while some will provide information and request for users to log in to their accounts for further information.
Be aware that text messages with a sender name that’s identical to other SMS messages you received in the past may not be coming from the same source. Unless you are fully aware of the context of the message, do not trust them.
Pay attention to information disclosures regarding your number and where you publish your contact information. Try to subscribe only to “known” websites and services.
Ricardo Villadiego, Founder and CEO of Lumu
Ricardo Villadiego reminds consumers that smishing isn’t a game that they can win, no matter how smart they think they are.
“Do not engage with the SMS. Scammers are playing a game of emotional manipulation and are trying to reel you with things that interest you,” he said. “They’ll also try to grab your attention with ‘urgent’ matters such as someone falsely using your credit card. These scare tactics are trying to get you to act without thinking. Don’t fall for it.”