What is Smishing? How Scammers Use SMS to Steal Your Data.

Smishing is a specific type of phishing that supposes using SMS services. Same as classical phishing, it aims at stealing the confidential data of the victim.

What is Smishing? Examples, Protection | Gridinsoft

What is Smishing?

October 03, 2022

SMS in 2024 look like a completely obsolete method of communication. However, this rarity is handy for racks. They manipulate the fact that people are prone to believe and react to the things they receive in SMS.

Today's statistics show that users read 98% of text messages and respond to 45% of messages. Similarly, messages sent via email are read by only 20% of users, and only 6% respond. Thanks to this misguided trust in text messaging, smishing has grown in popularity by more than 300% over the past couple of years. Now, we will look at what kinds of smishing attacks there are, how they work, and some tips to avoid smishing attacks.

How does smishing work?

Typically, cybercriminals use malicious links and malware to carry out their attacks. Let's take a look at how hackers conduct fraudulent schemes. This will help avoid them in the future:

  • 1️⃣ The attacker sends a text message using social engineering to make the victim believe that his message is legitimate.
  • 2️⃣ The victim transmits personal information (logins and passwords, for example, ) or clicks on a link that leads to a phishing or infected site and enters its personal information there. Sometimes, the text message may be a request to call back to a specified number to clarify the details. There may be a charge for such callbacks.
  • 3️⃣ The hacker uses the information he obtains for fraud or to sell the data on the Darknet.
Example of Smishing

These days, people have become much harder to trick. They rarely believe in large prizes for nothing and are doubtful about disclosing their payment data. Therefore, crooks are forced to opt for more sophisticated (, i.e., more realistic) fraud schemes.

Types of smishing attacks:

Financial services smishing scams

Each of us uses the services of one bank or another, and everyone remembers the confirmation codes that the bank sent us by SMS. With the advent of official applications for banks, these confirmation codes have migrated to these same applications, and the need to send SMS significantly decreased. Unfortunately, some scammers pretend to be legitimate banking institutions to force the victim to compromise confidential data, such as phone numbers, passwords, and insurance numbers.

Confirmation smishing scams

Like the previous variant, in a confirmation scam, the hacker sends the victim a message asking him to confirm something. Be it an upcoming meeting or confirmation of an order (even if the victim didn't make the order). Sometimes such messages contain a link leading to a phishing site that asks for confidential data to confirm the purchase.

Customer support smishing scam

The scammer sends messages posing as a well-known company to gain the victim's trust, then reports a problem with the account. The scammer then solves the problem (usually a link to the same phishing site where the victim enters their confidential data).

Gift smishing scams

Have you ever received an SMS with congratulations and a text like "You have won a huge sum of money" or "Your distant relative has left you a large sum of money as an inheritance"? Usually, they are nonexistent winnings, but to get them. The victim is suggested to follow a link and confirm their data to receive a prize.

COVID-19 smishing scams

Sometimes, scammers pretend to be medical or government agencies and demand money from the victim for providing certain services. Some such apps are even available on Google play, but they are often distributed through unofficial app stores. Also, not uncommon cases when scammers on behalf of medical institutions send an SMS with the text "get your covid payment" and ask to enter bank card data (with CVV code) or "watch for covid statistics for areas of your region" and a link to the site where the victim is required to enter their data such as full name, address and phone number.

Typical smishing attempt related to a COVID thematics

Signs of smishing

Listed below are the main signs of smishing. Knowing them can significantly reduce the chance of being tricked by this attack.

SMS from a suspicious phone number

A standard phone number consists of a certain number of digits, and each region has its code with which the number begins. If you receive an SMS from an unknown number, which differs from the numbers in your area, treat this message with suspicion. It is likely a potential threat. Almost always, this is accompanied by links to phishing websites designed to steal your confidential information. If an SMS from an unknown sender contains a link, never click on it. Even if the site address looks real, it's a fake.

Urgent requests

Many phishing emails or SMS contain urgent requests that need to be answered as soon as possible, such as "limited offer" or "until the end of the promotion..." or "urgently click and take." Of course, any official company will warn its customers in advance or calmly notify them of anything. Delete such a message, and to be sure, you can call that company to clarify.

Money requests

Some scammers openly write and ask for money. They may introduce themselves as your relative and ask for medical treatment or write that your relative was in an accident and urgently needs money to resolve issues. Please do not fall for it. They are scammers. Just delete the message.

Prize notifications

Many people have participated in the lottery. Everyone knows very well that the chance of winning the lottery is tiny. And to win in a lottery in which you have not participated in principle is almost zero. If you receive an SMS about winning a lottery but have not participated in it, do not follow the links and do not open any attachments if they are present. You risk becoming a victim of a malicious attack and infecting your device with malware.

How to prevent Smishing and What to do if you become a victim of smishing?

To avoid unpleasant consequences, remember a few simple rules:

  • Do not reply. Sometimes, in the message, they write "send a stop to unsubscribe" This is done to ensure that the number is active and they can start/continue the attack. Ignore such emails.
  • Slow down if a message is urgent. If you receive an SMS asking you to respond as soon as possible, don't rush. Treat the message with a degree of caution and skepticism. Do not panic.
  • Never give your password to anyone. Bank employees NEVER ask users for their passwords. Also, don't send sensitive data such as passwords in plain text. Enter passwords only on official sites. Look carefully at which site you go to. Hint: Today, absolutely all official sites use the secure HTTPS protocol. If you are on a site that uses HTTP instead of HTTPS and asks for any confidential data - leave that site.
  • Use antivirus software. Usually, such messages lead to a site that may contain malicious software. However, comprehensive antivirus software can prevent malware infiltration at the download stage.

If you've already been a victim of smishing, follow these steps:

  • Contact the company whose service it happened to and report the incident. They will have the list of actions for such a situation and will instruct you on the actions you must apply to minimize the effects.
  • Block your bank card whose details you disclosed. If you don't do this very soon, your card may be charged for services you didn't buy.
  • Change your passwords and account pin codes. Set another secure password so that hackers, knowing the previous one, won't be able to get a new password.
  • Use Multi-Factor Authentication (MFA). Using a complex password increases the level of security but does not guarantee complete security. It can be stolen or compromised, as well as the human factor. Using two-factor authentication allows you to protect your account if your password is leaked to fraudsters. To log into your account, you need to enter an additional security code, which can come in SMS confirmation or in a special application that generates these codes.

Each step is important to your defense after an attack. Also, reporting an attack helps you recover and keeps others from attacking.

Frequently Asked Questions

What is difference between phishing and vishing?
Phishing mainly refers to scams that involve email attacks. It involves various methods, including the theft of credit or debit card data, sensitive banking information, login credentials, etc. Vishing involves verbal communication throughout the entire fraud process. Thus, vishing attacks most often occur through phone calls. When attackers fail to contact their potential victims, they often leave voicemails and messages that convince them to return as soon as possible.
Is it OK to open a text from an unknown number?
They say if you type or even answer like "wrong number," the bot will continue to send you questionable things in order to steal your information. The best direction we can give you is don't contact it, don't even respond. Just delete it. Avoid clicking on any link in an unknown text message or e-mail. However, if someone gives you a hard time, you can take a screenshot of the text and share it with local law enforcement.
Can you get virus from opening a text?
Simply opening and reading a text message will not infect your phone. However, you can get malware if you follow a link to a compromised website or, even worse, download an infected attachment. Text messages are just one-way criminals trying to convince people to download malware. When in doubt, don't download unknown attachments or click on strange links, and delete messages containing them from your phone.
Why am I getting so many spam texts all of a sudden?
If you receive spam texts, someone is more likely interested in you (or your information). And whoever is sending you a spam text message is trying to gain access to your personal information. These could be bank accounts, passwords, social security numbers, online identifiers, etc. Spam messages don't come from another phone. They usually come from a computer and are delivered to your phone using your email address or instant messaging. Accessible to the sender!
What happens if you text back a spam number?
Accidentally or intentionally replying to spam messages is never a good idea. Responding to spam texts can be very tempting to get back at the spammer. They waste your time sending you spam texts, so why not reply and try to waste their time? However, the laugh you get from a silly conversation with a spammer may do you more harm than good. Any response to a spam text message lets the spammer know that your number is active. What happens next? They can resell your phone number to other spammers who can flood you with promises of gifts and product offers.