Smishing – phishing via text message on your smartphone
More and more frequently, users are being sent messages via SMS, WhatsApp or other text message services prompting them to click on a link. This is what we call “smishing” – a term coined from the words SMS (short messages) and phishing (theft of access details via fake messages). While most people are familiar with phishing attacks via email, they are unaware that the same danger is lurking on their smartphone.
The aim of smishing attacks is to steal personal data and use this information for fraudulent purposes at a later point in time. Similar to phishing, this type of data theft often involves the use of fake messages. The only difference: this cyberattack is not carried out via email, but instead via SMS or messenger services such as WhatsApp. The nasty thing about it: smishing attacks are extremely clever, meaning that anyone can get caught out.
Many users these days are aware of phishing and treat their email inbox with a healthy degree of suspicion. Spam filters from email providers are also a useful tool for preventing phishing attempts. However, many smartphones generally lack this automated protective mechanism. Recipients often tend to view senders of SMS or text messages as trustworthy and don’t think twice about opening these messages.
On top of that, everything is that little bit smaller and faster on your mobile – you’re on the move, are easily distracted and are much more likely to react to a message. And as a result, you fall right into the hands of the smisher aiming to provoke exactly that kind of response, e.g.:
- Disclosing personal data for online accounts (identity, Apple ID, financial data etc.).
- Clicking on a link that downloads malware to your device.
- Purchasing a subscription.
How smisher proceed
The methods are generally similar to phishing via email: fear is frequently used as a means of applying pressure. The messages often warn you that certain login details are blocked or that the account in question has already been hacked. In many cases, however, they contain requests to reset passwords, information on authenticating accounts, prompts to update user data or even information about parcel deliveries.
One of the most common methods of smishing involves using brand names or names of reputable companies with links that supposedly take you to the website of the company. Typically, an attacker will tell the user that they have won some money or include a malicious link purportedly enabling them to track packages.
Users are therefore provoked into taking swift action to prevent any unpleasant consequences. Unfortunately, the text messages also seem very authentic.
«Users are provoked into taking swift action. »
- Don’t allow yourself to be put under pressure and take a proper look.
- Check the sender and give them a call if need be – but don’t use the phone number from the text message, instead use their official number.
- Don’t open documents unless you trust the sender completely.
- Install the recommended updates on your smartphone.
- For Android users: install anti-virus and anti-spam software.
- Already clicked or entered information? Follow our recommendations under First aid for cyber accidents and make sure you report the message to the National Cyber Security Centre (NCSC)
- Delete the message.
Further information and examples on the topic (in German):Cybercrime Police
Additional information and tips on smishing (in German):Schweizerische Kriminalprävention
More information on cyber-insuranceiBarry – cyber-insurance