Smishing is phishing via Short Message Service (SMS) on a participating device, usually a cell phone. Long neglected by phishers and spammers, smishing has recently become a very common way of spamming, phishing, and spear phishing potential victims. KnowBe4 has been covering and warning users about it and its coming rise for years. This blog post will cover why smishing is becoming so popular, show some general and more sophisticated examples, and discuss defenses.
What is SMS?
Short Messaging Service (SMS) is a popular text-based messaging standard that nearly all cell phones support. Already in widespread use by the 1990s, it is rare for a cell phone not to support SMS, which originally allowed a maximum of 140 to 160 characters in a single message sent to one or more recipients using their cell phone numbers. The original message size limit was due to SMS's reliance on an underlying telephony signaling protocol known as Signaling System No. 7 (SS7). Today, depending on the mobile network vendor and the applications involved, SMS-based apps can send longer messages and more than plain text characters (such as emoticons, pictures, videos, etc.).
Why is Smishing Popular?
The biggest problem from a security perspective is that an SMS sender is not authenticated beyond the attached phone number. At best, the recipient of an SMS can be assured that the phone number the message comes from is accurate, and even that isn't guaranteed. There are many rogue applications that allow senders to send SMS messages from spoofed or borrowed/shared telephone numbers.
SMS is unauthenticated, meaning anyone can send another person an SMS message by simply knowing the recipient’s phone number. And as long as that person hasn’t previously noted the number as a particular sender’s ID and stored it in their contact list, it will show up looking like any other SMS message without an authenticated name attached. I, and anyone else, can be anyone via SMS. A receiver might not believe the sender is the President of the United States (unless they already have a formal relationship with the President), but otherwise most people are susceptible to simply accepting that the SMS sender is who they claim to be.
Additionally, URL (Uniform Resource Locator) links sent via SMS are often harder to inspect for security issues without completely loading the web page the link points to. SMS URL links are often "shortened" to some innocuous-looking link that makes it hard to figure out where it ultimately leads. So, a URL link might read something like https://bit.ly/Y7acoe and, when opened, might redirect to something that looks like https://thisisabadwebsite.com/virus.php. Most smishing includes shortened URLs which are intended to hide the eventual destination.
Security people aren't big fans of URL shortening services in general, but when they are paired with the limited pre-inspection capabilities of SMS and its lack of authentication, there are even more reasons to be skeptical. Users cannot "hover" over an SMS URL to find out where it ultimately goes, and SMS applications don't contain nearly as many security controls as the typical browser does (although many times, SMS URLs are opened in the user's browser anyway). All in all, as our online world increasingly becomes one conducted by cell phone, smishing is growing in popularity with attackers.
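Because a user cannot hover over an SMS link, the only safe way to learn where a shortened link ends up is to unwind its redirect chain from an analysis host (not the phone) without rendering any page. The following Python script is an added example, not code from the original post or from KnowBe4: it follows HTTP 3xx Location headers one hop at a time using HEAD requests, stops on loops and hop limits, and notes whether a known shortener was involved. The redirect map it runs against is constructed for illustration; the hostnames redirector.example and loop.example are placeholders, and the two URLs from the post are reused only as sample values.

```python
"""Unwind the redirect chain behind a shortened URL without rendering the page.

Added example (not the post's or KnowBe4's code).  Each hop is a single HEAD
request, so no page body is downloaded or executed.  Note that even a HEAD
request contacts the link's servers, so run this from an analysis host, never
from the phone that received the message.
"""
import http.client
from urllib.parse import urljoin, urlparse

# bit.ly and goo.gl appear in the post; the rest are other well-known public shorteners.
KNOWN_SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def head_fetch(url, timeout=5):
    """Issue one HEAD request and return (status, Location header or None).
    Redirects are deliberately NOT followed here; expand_url decides each hop."""
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("HEAD", path, headers={"User-Agent": "url-expander/0.1"})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


def _result(chain, shortener_seen, reason):
    return {"chain": chain, "final": chain[-1], "shortener": shortener_seen, "stopped": reason}


def expand_url(url, fetch=head_fetch, max_hops=10):
    """Follow Location headers hop by hop.

    Returns the full chain, the final URL, whether any hop used a known
    shortener, and why the walk stopped (final status, loop, or hop limit).
    """
    chain = [url]
    shortener_seen = False
    seen = set()
    for _ in range(max_hops):
        current = chain[-1]
        host = (urlparse(current).hostname or "").lower()
        if host in KNOWN_SHORTENERS:
            shortener_seen = True
        if current in seen:
            return _result(chain, shortener_seen, "redirect loop")
        seen.add(current)
        status, location = fetch(current)
        if status in REDIRECT_STATUSES and location:
            # Location may be relative; resolve it against the current URL.
            chain.append(urljoin(current, location))
            continue
        return _result(chain, shortener_seen, f"final status {status}")
    return _result(chain, shortener_seen, "hop limit reached")


# Constructed redirect map standing in for the network (placeholder hosts).
CONSTRUCTED_HOPS = {
    "https://bit.ly/Y7acoe": (301, "https://redirector.example/r?id=42"),
    "https://redirector.example/r?id=42": (302, "/landing"),
    "https://redirector.example/landing": (302, "https://thisisabadwebsite.com/virus.php"),
    "https://thisisabadwebsite.com/virus.php": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def constructed_fetch(url):
    """Offline stand-in for head_fetch that answers from CONSTRUCTED_HOPS."""
    return CONSTRUCTED_HOPS.get(url, (404, None))


if __name__ == "__main__":
    for start in ("https://bit.ly/Y7acoe", "https://loop.example/a"):
        r = expand_url(start, fetch=constructed_fetch)
        print(f"{start} -> {r['final']} via {len(r['chain']) - 1} hop(s); "
              f"shortener={r['shortener']}; {r['stopped']}")
```

Pass `fetch=head_fetch` (the default) to walk a real chain; the constructed map is used above so the script runs offline. The hop limit and loop check matter in practice, since redirectors that bounce between each other are a common way to stall automated inspection.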
General Smishing Examples
Here are some general real-world smishing examples I’ve received on my personal cell phone recently.
1. Fake IRS Scam - This one is attempting to appear as if it's from the U.S. Internal Revenue Service (IRS).
2. Fake Order/Invoice Scam - I get a lot of these, where they appear to be responding to an order I have supposedly created. Most people who have not recently placed an order would be curious about what company is supposedly claiming they have placed an order and be worried about whether they will somehow be charged or not.
3. Series of Fake SMS Order Messages - This sender of fake SMS order messages appears to resend from the same fake originating phone number, but claims to be different senders with different URLs.
4. Fake Google Verification Message - This fake SMS message might appear more realistic because it is using Google’s own URL shortening service (goo.gl).
5. Fake Gift Card Contest SMS Message - This one claims I’m a winner of a Walmart gift card, although they apparently have me mixed up with someone called Timoth.
6. Fake Hotel Stay SMS Message - This one almost tricked me. I travel for a living and I stay in a lot of different hotels. When I got this one, I just checked out of a new hotel. It was a fake SMS message though. The URL link led to a rogue pharmacy site where I could buy all the erectile dysfunction pills I wanted.
7. Fake Payroll Update Message - The following message was sent to multiple people in my previous company.
More Sophisticated Smishing Examples
Now, those previous fake SMS messages seem more like run-of-the-mill spam, although some tried to install malware on my phone. These next few examples show greater harm that can be done by using fake SMS messages.
Fake Technical Support Messages
Here’s how the attack goes:
- The attacker sends the victim a fake text message, claiming to be from Google Gmail security support, and tells the victim to expect a recovery code shortly via SMS from another phone number, which needs to be sent back in reply to the message. Below is an example of that type of message:
- The hacker then starts a login attempt at the victim's legitimate service, but acts as if they do not know the right password (see example below):
- Then the attacker tells the service to send them an SMS “recovery code” (see example choices below):
- The legitimate recovery code gets sent from the service to the victim’s previously registered phone (see example below):
- The tricked user then sends that recovery code back to the originally requesting hacker (see example below):
- The hacker then takes the code and types it into the user’s legitimate service’s recovery code prompt that they initiated, gets authenticated to the account, and then takes control of it.
This is a very common type of phishing scam, although the scammer may claim to be from your bank, investment company, PayPal, airline, hotel company, or any other entity you have a membership and financial information with. In all cases, they will claim to have detected some sort of rogue activity or attempt, and claim to be saving you from the criminal activity. They will then claim to be sending you a code via SMS that you need to tell them to verify that “you are who you say you are”, and when you tell them that code (sent by your service’s legitimate automated recovery service), they take over your account. This type of scam is done thousands of times a day and can fool even the most skeptical among us.
Fake Customer Care Message
This one I blame on my own carelessness. I was upset about a fairly new refrigerator that I owned, which broke down three times in the first two years. I contacted the vendor’s Facebook site and posted my rant against their product claiming I wasn’t happy with my “lemon”, even though it was under warranty. Apparently, phishers lurk on public vendor support sites waiting for people like me to complain publicly. I immediately received a Facebook private message from a fake vendor support person claiming they were going to help me as well as a related fake SMS message the next day. I’m still not sure how they got my telephone number to send the SMS message, but I used to include my phone number in every email I sent for decades, so it probably wasn’t too hard to find.
Defenses Against Smishing
Although smishing is harder to defend against than regular email phishing attempts, there are defenses that can reduce the risk of successful attacks.
- Smishing Security Awareness Training: The key defense against smishing is security awareness training. Let your co-workers know about the increasing success of SMS-based phishing. Teach everyone about the overall threat and share common examples, along with how to avoid it and defend against it. Share this article as a good start. Telling employees to be suspicious of any unexpected SMS messages from unknown phone numbers is great first advice. Telling users not to respond to unexpected SMS messages, in any way, is a great defense.
- Users Should Report Smishing Attempts: Telling users to report rogue SMS messages to the security person or department is a good recommendation, so that person or department can be aware of the volume of attempts and the types of smishing being reported. A concerted smishing campaign against multiple employees can only be spotted and defended against if it is being reported to a centralized location. Recipients can also consider reporting rogue SMS messages to their cell phone network provider, so the provider can block future attempts from the same sending originator using the same information or method.
- Conduct Simulated Smishing Attacks: Just as you do with simulated email phishing attacks, also do the same with SMS. Send your co-workers a simulated SMS smishing test at least once a month. Provide immediate feedback and training to those who fail the tests. Make simulated smishing tests a part of your normal security awareness training routines. You can no longer afford to avoid training on this subject. Smishing is becoming too popular to ignore any longer.
- When in Doubt, Chicken Out: Tell co-workers and employees not to open short links arriving in unexpected SMS messages. If the employee is unsure about whether the SMS message is real or not, and they want to check by opening the link, the link should only be opened in a controlled, safe environment, such as a resettable virtual machine image. That way, if the link points to malicious code, it won't be executing and trying to exploit their device.
- Don't Call Unknown Phone Numbers: A phone number touted in an unexpected SMS message should never be called from the user's personal phone. Most of the time, you can't get exploited by calling a phone number beyond whatever sales pitch they may try on you, but simply calling them gives them your phone number. And once a scammer has your phone number, you can be assured that you'll get many more rogue SMS messages and malicious voice phone calls (called vishing). If you feel tempted to call to see if the SMS sender is legitimate, call from a general business number instead of your personal phone.
- Don’t Publicly Post Personal Telephone Numbers: Most rogue SMS messages started because the attacker knew someone’s personal phone number. The online world is just too dangerous for people to be publicly posting their personal phone numbers anymore.
- Try to Avoid SMS Messaging: SMS is mostly unauthenticated. Try to use another chat application that doesn't rely on SMS or that requires additional authentication. This defense is tough to do because nearly the whole world uses SMS; but decreasing your reliance on SMS decreases your risk.
- Rich Communication Services - Help Is Coming: An SMS replacement called Rich Communication Services (RCS) has been touted as the answer to our security concerns. RCS is supposed to require better authentication and stop more default spoofing and phishing. At the same time, RCS is supposed to have many more features, and more functionality and security rarely help each other out. Still, the phone companies say RCS is our answer to all those rogue smishing messages. It can't be much worse than SMS, so I'm for it whenever it arrives.
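The reporting defense above only pays off if someone triages the reports and correlates them, so a campaign against several employees is noticed. The Python script below is an added example, not code from the original post or from KnowBe4. It scores one reported message on the traits the post describes (a shortened link, a brand named in the text whose domain the link does not match, urgency wording, a request to relay a code, an unknown sender) and then groups reports by sending number to surface a sender hitting multiple recipients. The weights, the threshold, the brand-to-domain table, and the sample reports are all constructed for illustration; the sender numbers use the reserved 555-01xx range.

```python
"""Triage employee-reported SMS messages and spot a multi-recipient campaign.

Added example (not the post's or KnowBe4's code).  Weights, threshold, the
brand/domain table and the sample reports below are constructed assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd"}
URGENCY = ("immediately", "urgent", "within 24 hours", "suspended", "final notice", "act now")
# "reply/send/text ... code/pin/verification" within a short window, e.g. "Reply with the code".
CODE_RELAY_RE = re.compile(r"\b(reply|send|text)\b.{0,40}\b(code|pin|verification)\b", re.I)
# Brands the post's examples impersonate, with the domains they legitimately use (assumed table).
BRAND_DOMAINS = {
    "irs": ("irs.gov",),
    "google": ("google.com", "goo.gl"),
    "walmart": ("walmart.com",),
    "paypal": ("paypal.com",),
}
WEIGHTS = {"unknown sender": 1, "shortened link": 2, "brand/domain mismatch": 3,
           "urgency language": 1, "asks to relay a code": 3}
SUSPICIOUS_THRESHOLD = 3


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _host_matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def score_message(text, sender, contacts=frozenset()):
    """Return (score, reasons) for one report; higher means more suspicious."""
    reasons = []
    lower = text.lower()
    urls = URL_RE.findall(text)
    if sender not in contacts:
        reasons.append("unknown sender")
    for u in urls:
        h = _host(u)
        if h in SHORTENERS:
            reasons.append("shortened link")
        for brand, domains in BRAND_DOMAINS.items():
            if re.search(r"\b" + brand + r"\b", lower) and not _host_matches(h, domains):
                reasons.append("brand/domain mismatch")
    if any(k in lower for k in URGENCY):
        reasons.append("urgency language")
    if CODE_RELAY_RE.search(text):
        reasons.append("asks to relay a code")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(reports, contacts=frozenset()):
    """Score every report; return the suspicious ones, highest score first."""
    scored = []
    for r in reports:
        score, reasons = score_message(r["text"], r["sender"], contacts)
        if score >= SUSPICIOUS_THRESHOLD:
            scored.append({"recipient": r["recipient"], "sender": r["sender"],
                           "score": score, "reasons": reasons})
    return sorted(scored, key=lambda s: s["score"], reverse=True)


def find_campaigns(reports, min_recipients=3):
    """Group reports by sending number; return senders that reached
    at least min_recipients distinct employees."""
    by_sender = defaultdict(set)
    for r in reports:
        by_sender[r["sender"]].add(r["recipient"])
    return {s: sorted(v) for s, v in by_sender.items() if len(v) >= min_recipients}


# Constructed sample reports modelled on the post's examples (not real messages).
SAMPLE_REPORTS = [
    {"recipient": "alice", "sender": "+15550100001",
     "text": "IRS notice: your refund is suspended. Verify immediately at https://bit.ly/ABC123"},
    {"recipient": "bob", "sender": "+15550100001",
     "text": "Your order #8831 has shipped. Track: https://bit.ly/XYZ999"},
    {"recipient": "carol", "sender": "+15550100001",
     "text": "Order confirmation: view invoice https://is.gd/q1w2e3"},
    {"recipient": "dave", "sender": "+15550100002",
     "text": "Google security: a recovery code will arrive from another number. "
             "Reply with the code to keep your account."},
    {"recipient": "alice", "sender": "+15550100003",
     "text": "Your package arrives Tuesday. https://www.walmart.com/track/1234"},
]
KNOWN_CONTACTS = frozenset({"+15550100003"})

if __name__ == "__main__":
    for hit in triage(SAMPLE_REPORTS, KNOWN_CONTACTS):
        print(f"{hit['recipient']:6} {hit['sender']} score={hit['score']} {hit['reasons']}")
    print("campaigns:", find_campaigns(SAMPLE_REPORTS))
```

A rule scorer like this will not catch everything, and that is fine for the purpose here: the point is that reports land in one place, get a consistent first look, and are correlated by sender, which is what lets the same number hitting three employees stand out even when each individual message scores only moderately.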
Overall, you want to create a culture of security awareness training and a healthy level of skepticism around SMS messaging. Smishers are increasingly using SMS to conduct phishing and spear phishing attacks. Get ahead of the increasing problem by fighting and defending against smishing today. If you have any questions about smishing or defenses, please don't hesitate to contact us!