SMS phishing, nicknamed smishing, is a form of phishing attack delivered via text message. A smishing message appears to come from a reputable source and prompts the recipient to reveal personal information or open a malicious link.
Here is a Q&A with NXTsoft's Chief Technology Officer, Will Blackburn, to better understand the gravity of smishing.
1. What makes SMS phishing so dangerous for consumers?
Everyone is now used to getting notifications via text messaging: from their bank, their cellphone company, as login codes, etc. In addition, you never know the phone number the messages are coming from, so it's difficult to verify the sender. Lastly, links are often shortened in text messages, meaning you do not know where you will be going when you click them. This trifecta makes smishing very dangerous, and it is no wonder why it is used so often today by bad actors.
2. What risks does smishing pose to businesses and organizations?
Businesses are at the mercy of their employees as they face this attack constantly. Attacks will come to personal & work phones alike to attempt to gain access to work emails & services or gain information that can be used in a follow-up attack.
3. What traits, if any, do successful smishing messages or campaigns share? (i.e., what makes smishing messages successful?)
The two main traits are relevance to the recipient and/or a convincing hook to get the user to the next stage. First, successful messages are relevant to the recipient by mentioning services they use. For example, if your bank is National Bank and the message is for First Bank, you will likely not be fooled. Secondly, a convincing hook is found on successful smishing attempts. Oftentimes, some information will not be revealed until you click the link. For example, a message may say "Your package has shipped", but it will leave out information about where the package is from until you click the link.