Understanding SMISHING. The modern cyber threat
In today’s digital age, cyber threats are evolving rapidly, and one of the most insidious forms of attack is smishing. Derived from the terms “SMS” (Short Message Service) and “phishing,” smishing involves the use of deceptive text messages to trick individuals into divulging sensitive information or downloading malicious software.
What is Smishing?
Smishing is a type of social engineering attack where cybercriminals send fraudulent text messages to potential victims. These messages often appear to come from legitimate sources, such as banks, government agencies, or well-known companies. The goal is to manipulate the recipient into taking actions that compromise their personal information, such as clicking on a malicious link, providing login credentials, or downloading malware.
How Smishing Works
The attacker sends a text message that appears to be from a trusted entity, often containing urgent language such as “Your account has been compromised” or “You have a package waiting for delivery.” This message includes a link that directs the recipient to a fake website designed to steal personal information or install malware on their device. Once the victim enters their information on the fraudulent site, the attacker can use it for various malicious purposes, including identity theft and financial fraud.
Here are some recent statistics on the prevalence of smishing in the UK:
In 2022, 86% of UK organisations reported experiencing attempted smishing attacks, the highest rate among global counterparts.
In the fourth quarter of 2021, 50% of smishing lures in the UK were themed around parcel or package delivery notification.
Smishing scams have had a significant financial impact, with robotext smishing scammers stealing $20.6 billion from victims globally in 2022.
These statistics highlight the growing threat of smishing and the importance of staying vigilant against such attacks.
Who are the targets?
Smishing attacks can target a wide range of individuals and groups, but some are more commonly targeted than others. Here are the most frequent targets:
Individuals: General consumers are often targeted, especially those who may not be as tech-savvy. Attackers exploit the trust and urgency associated with text messages to trick individuals into revealing personal information.
Employees of Organisations: Employees, particularly those in large organisations, are prime targets. Attackers may pose as IT support or HR departments to gain access to corporate systems and sensitive data.
Customers of Financial Institutions: Customers of banks and other financial institutions are frequently targeted. Messages may claim to be from the bank, warning of suspicious activity or asking for account verification.
Mobile Network Subscribers: Subscribers to specific mobile networks can be targeted with messages that appear to come from their service provider, often asking for account details or payment information.
University Students: Students are targeted with messages that might appear to come from their university, offering fake scholarships, grants, or urgent administrative updates.
Residents of Specific Areas: Sometimes, smishing campaigns target residents of a particular region, especially during local events or crises, such as natural disasters or public health emergencies.
Common Smishing Tactics
Attackers often impersonate banks, delivery services, or government agencies to gain the victim’s trust. These messages typically create a sense of urgency or fear, prompting the recipient to act quickly without thinking. Additionally, some smishing attempts offer rewards or prizes to lure victims into clicking on malicious links.
How to Protect Yourself
Be Sceptical
Always be cautious of unsolicited text messages, especially those that ask for personal information or prompt immediate action.
Verify the Source
If you receive a suspicious message, contact the organisation directly using a verified phone number or website.
Avoid Clicking Links
Do not click on links in unsolicited messages. Instead, navigate to the website directly through your browser.
Smishing is a growing threat in the realm of cybercrime, exploiting the trust and urgency often associated with text messages. By staying informed and adopting cautious practices, you can protect yourself from falling victim to these deceptive attacks. Remember, vigilance is your best defence against smishing.
If you think you may be a victim of a smishing campaign, here's what to do:
Forward the Message: If you receive a suspicious text message, forward it to 7726 (which spells “SPAM” on your keypad). This number is free of charge and works across all major UK mobile networks.
Report to Action Fraud: If you believe you have been a victim of smishing or have lost money as a result, report it to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can do this online at Action Fraud or by calling 0300 123 2040.
Contact Your Bank: If the smishing attempt involved your bank details, contact your bank immediately to inform them of the potential fraud. They can take steps to protect your account.
By reporting smishing attempts, you help authorities track and stop these scams, protecting yourself and others from potential harm.