Phishing via Short Message Service (SMS) texts, known as smishing, is becoming increasingly common. There is probably not a person on Earth who does not get at least one smishing message a month. It is a big problem.
The Problem with SMS Messages
Unlike Internet browsers and email programs, which display URL links you can inspect, an SMS app does not let you “hover” over a link to see what it really is or where it will take you. Links shown in SMS are often “shortened” links that lead to other links, with no good way to inspect or filter them before you and your phone arrive at the final destination.
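A security team that receives a reported message can do from an analysis host what the phone cannot: walk the shortened link hop by hop without loading any page. The sketch below is an added example, not something from the original article or from KnowBe4; the function names and the redirect table (all `.example` hosts) are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def head_once(url, timeout=5):
    """One HEAD request, never following redirects: (status, Location or None)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(url, fetch=head_once, max_hops=10):
    """Return every URL in the redirect chain, starting with the link as received."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break  # final destination, or a response with nowhere further to go
        nxt = urljoin(chain[-1], location)  # Location may be relative
        looped = nxt in chain
        chain.append(nxt)
        if looped or urlsplit(nxt).scheme not in ("http", "https"):
            break  # stop on redirect loops and on non-web schemes
    return chain

# Constructed redirect table standing in for the network (hypothetical hosts).
SAMPLE_HOPS = {
    "https://sho.rt.example/a1": (301, "https://trk.example/r?id=7"),
    "https://trk.example/r?id=7": (302, "/out"),
    "https://trk.example/out": (302, "https://parcel-redelivery.example/pay"),
}

def sample_fetch(url):
    """Offline stand-in for head_once, driven by SAMPLE_HOPS."""
    return SAMPLE_HOPS.get(url, (200, None))

if __name__ == "__main__":
    for hop in trace_redirects("https://sho.rt.example/a1", sample_fetch):
        print(hop)
```

Redirects performed by JavaScript or a meta refresh do not appear in HTTP headers, so the last URL printed is the last header-level hop, not necessarily the page a phone would finally display.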
When In Doubt, Throw It Out
A good choice is to discard any unexpected SMS message with a link. Occasionally you may get valid SMS messages from vendors, but none of them will be an emergency that requires clicking on a link right away. Ninety-nine percent of the time, it is a spam or phishing attack, so it can safely be ignored.
Education Is the Key
You need to tell your employees (and family and friends) about SMS-based phishing messages. First, explain what SMS-based phishing is and give some popular examples (e.g., FedEx and Amazon messages seem very popular). Most people know about SMS-based phishing, but I guarantee a few people do not.
Second, teach them how to recognize a smishing attack and how to treat it. If the message is unexpected, if it requests something the sender has never asked for before, and if doing what the sender asks could harm you or your organization’s interests (e.g., they want you to provide confidential information or download a file), then slow down and investigate more before clicking.
SMS phishing is gaining steam. There is more of it than ever. We can expect smishing to get more mature and trickier as time passes. It is best to develop and teach good SMS URL inspection habits while you can.
Information used in this article was provided by our partners at KnowBe4.