Short message service (aka SMS or, more commonly, texting) is such a wonderful thing for people living in a busy society. Unfortunately, like most technology services, sophisticated hackers now use text messages for a type of scam called SMS spoofing and its more dangerous variant, smishing.
These types of scams are on the rise, and in order to avoid them, it’s important to first understand what they are, how they work and signs that you’ve received them.
What is SMS spoofing?
SMS spoofing is the practice of sending a text message that masks the true identity of the sender, said Tim Prugar, vice president of operations at Next Caller, a telecommunications company that specializes in fraud detection.
Smishing—a mashup of the words “sms” and “phishing”—is “the practice of using text messages to socially engineer a recipient into giving personal information to a fraudster,” Prugar said.
These types of scams are growing more common as more businesses are using SMS as a source of communication with customers. “It can be very difficult for the average customer to identify the difference between a reputable business reaching out and a highly sophisticated smishing attack,” Prugar said.
The FBI reports that smishing and other variants of phishing scams were the third-most common online crimes, according to the 2017 Internet Crime Report. It probably doesn’t help that there are so many legitimate commercial spoofing providers available these days. Google “SMS spoofing providers,” and you’ll find plenty of resources to easily and legally disguise your number in a text message.
How SMS spoofing and smishing work
SMS spoofing is as simple as downloading and using an app that allows you to spoof text messages, Prugar said. While there are plenty of legitimate uses of spoofing—like a business that alters its number through an automated process to send a valid text message—the term is typically associated with fraud.
Smishing occurs when hackers send spoofed text messages to trick recipients into supplying sensitive information for nefarious reasons. “Since people tend to trust text messages more than emails, this can be a nasty and devious way to scam people,” said Dave Hatter, cybersecurity consultant with Intrust IT. “In most cases, mobile devices have less security than traditional PCs.”
For example, more than 100 customers of Fifth Third Bank lost a total of $68,000 through a 2018 smishing attack. The criminals sent victims text messages that said their accounts were locked but that they could recover their funds by clicking on the provided link. The link led to a fake Fifth Third Bank page, which asked clients to enter their bank account usernames, passwords and PINs—which the thieves used to drain their accounts.
Hackers can purchase a database of phone numbers, then use software to send fraudulent text messages to people in the hopes of landing a “phish.” That’s someone who gives up PII (personally identifiable information) or is willing to send money, Hatter said.
How to protect yourself against smishing scams
Be wary of incoming messages from numbers you don’t recognize or from businesses that haven’t texted you before, experts advise. Here are some other tips to avoid smishing scams:
- Install antimalware software on your device. This will help keep harmful texts at bay as long as you keep it updated, Hatter said. Never install apps that are sent via text message; only install them from a legitimate app store.
- Use a strong, unique password for every site, app or platform, and use two-factor authentication whenever possible. Two-factor authentication—which is a way of confirming your identity with two measures—gives an added level of security beyond a password.
- Question any link sent via text. Long links sent via text can easily hide the true destination of the site (as with the Fifth Third Bank scam), said Todd Morris, CEO of BrickHouse Security. If you receive a link via text message that you believe is legitimate, then open a browser and type in the URL yourself, Morris suggested.
- Verify phone numbers sent in texts before placing a call. If you’re asked to call a number through a text message, Prugar suggests going to the company’s actual website to verify that the number is valid and reputable. You can also use a reverse phone lookup service to find out more about a number you don’t recognize. Along those same lines, Hatter said to be wary of any message that doesn’t come from an actual phone number, such as a “5000” or “4004-04” number.
- Avoid sharing any information at all via text. “Any private information you provide can be used for a more targeted social engineering attack,” said Morris. For example, a scammer might send a text to the CEO of a company that appears to be from the CFO, asking for the name of the new vendor. If the CEO replies with the name of a valid company, the scammer can easily use smishing or email spoofing technology and message the accounting department. From there, the scammer could ask for wired funds or more.
- Learn the common themes. Smishing messages tend to have a sense of urgency crafted to get people to respond. “The most effective smishing scams use urgent/important language to get you to act before you think,” Morris said. For example, a message such as “Account closed and transfer of funds approved; click to cancel” is likely a scam.
- Don’t respond to numbers you don’t know. If you receive a message from a number you don’t recognize, never reply, and don’t try calling, as this will only confirm to the hackers that your number is legitimate, Hatter said.
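The tips above amount to a checklist: unknown sender, short-code sender, a link whose destination is hidden, urgency language, and a request for secrets. The following Python script, added here as an illustration and not part of the original article, turns that checklist into a simple scoring heuristic and runs it over a few constructed sample messages (the sender numbers, message bodies and the `known_senders` set are all made up; the shortener list contains well-known public services, and the keyword lists are assumptions, not an exhaustive rule set).

```python
import re
from urllib.parse import urlparse

# Phrases used to manufacture urgency (constructed, illustrative list).
URGENCY_TERMS = ("urgent", "immediately", "locked", "suspended", "closed",
                 "act now", "final notice", "transfer of funds", "click to cancel")
# Secrets a legitimate sender should never request by text (constructed list).
CREDENTIAL_TERMS = ("password", "pin", "username", "social security", "ssn",
                    "account number", "one-time code")
# Well-known public URL shorteners; a shortened link hides its true destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def extract_hosts(text):
    """Return the lower-cased hostname of every URL found in the message body."""
    hosts = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;)")  # drop trailing punctuation glued to the link
        if not raw.lower().startswith("http"):
            raw = "http://" + raw  # urlparse needs a scheme to find the host
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_short_code(sender):
    """True for short codes such as '5000' or '4004-04' or alphanumeric sender
    IDs; False for a full phone number like '+1 555 010 0100'."""
    digits = re.sub(r"\D", "", sender)
    stripped = sender.lstrip("+").replace("-", "").replace(" ", "")
    return len(digits) <= 6 or stripped != digits


def _contains_term(lowered, terms):
    # Whole-word match so that "pin" does not fire on "shopping".
    return any(re.search(r"\b" + re.escape(t) + r"\b", lowered) for t in terms)


def assess_message(sender, text, known_senders=frozenset()):
    """Score one text message against the smishing indicators above.

    Returns {'score', 'suspicious', 'reasons'}; a score of 3 or more is
    treated as suspicious in this example (the threshold is an assumption).
    """
    lowered = text.lower()
    reasons = []
    if sender not in known_senders:
        reasons.append("sender not previously seen")
    if is_short_code(sender):
        reasons.append("sender is a short code, not a full phone number")
    hosts = extract_hosts(text)
    if hosts:
        reasons.append("message contains a link: " + ", ".join(hosts))
        if any(h in SHORTENERS for h in hosts):
            reasons.append("link uses a URL shortener that hides the destination")
    if _contains_term(lowered, URGENCY_TERMS):
        reasons.append("urgency language present")
    if _contains_term(lowered, CREDENTIAL_TERMS):
        reasons.append("asks for credentials or other secrets")
    score = len(reasons)
    return {"score": score, "suspicious": score >= 3, "reasons": reasons}


# Constructed sample messages; none of these senders or links are real.
SAMPLES = [
    ("+1-555-010-0199",
     "ALERT: Your account has been locked. Recover your funds now at http://bit.ly/3xample"),
    ("44555",
     "Your prescription is ready for pickup. Reply STOP to opt out."),
    ("5000",
     "Account closed and transfer of funds approved; click to cancel"),
]
KNOWN = frozenset({"44555"})  # assumed: a short code the user has opted into before

if __name__ == "__main__":
    for sender, body in SAMPLES:
        result = assess_message(sender, body, KNOWN)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{sender:>16}  score={result['score']}  {flag}")
        for reason in result["reasons"]:
            print("                  -", reason)
```

The scorer is deliberately conservative: it never decides a message is safe, it only explains why a message deserves the extra step the experts recommend (typing the URL yourself, or checking the callback number on the company's real site). A known sender on a short code still earns one point, which is why the reasons list matters more than the raw number.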
A little caution can go a long way toward protecting yourself from smishing attacks. When all else fails, remember to “dance like no one is watching, but secure your info like everyone is,” Morris said.