For most of us, not a day goes by without one of these fraudulent texts appearing on our phones; some clearly fake, but others much more professional and persuasive. Businesses, health providers, and governments are also harmed by smishing, not just financially but also reputationally because the fraudsters use (that is to say, abuse) reputable brand names to perpetrate their crimes.
Fraudsters are persistent because smishing works. Europol recently rounded up 59 scammers who were using stolen credit card details to purchase luxury items. Smishing is at the mobile heart of a payment fraud apparatus which in 2021 caused global eCommerce to take a $20 billion hit.
The best way to frustrate the fraudsters is to identify their false messages, and to always be on guard. In this blog we describe how you can do that, and so prevent yourself or your company from being “smished”.
Phishing, Vishing or Smishing
The term “smishing” is a mash-up of SMS and the more familiar cyber scam of “phishing” where fraudsters use emails to cast their bait of false information. If the mode of attack is a voice message we refer to it as “vishing”.
Whereas phishing is a scam that originated in the PC era, smishing and vishing are responses to the dominance of mobile communications and they are now increasingly prevalent. It is estimated that SMS attacks rose more than threefold during the first wave of Covid lockdowns in 2020, reflecting the opportunism of the fraudsters.
It’s not just individuals who are being targeted. The financial forensic experts Kroll reported that in 2021, 74% of companies were exposed to smishing, compared with 62% in 2020.
The rise in smishing attacks simply reflects the way we live now. We organize and record our lives on our smartphones, so this is where the fraudsters thrive.
What are the most common examples of smishing?
With the lockdown measures during the pandemic, there was a huge increase in “delivery scams” with texts supposedly from trusted brands urging users to click on a link to complete a purchase or reschedule a delivery.
Fraudsters were extremely cynical in their exploitation of the Covid tragedy by telling people that they had been exposed to the virus or by claiming that they were entitled to certain Covid relief grants.
The isolation people felt made them more susceptible to “classic” scams such as fake bank messages. In 2020, the UK tax authorities received an astonishing 864,000 referrals of suspicious text messages; more than half a million offered bogus tax rebates.
What all these smishing scams have in common is the sense of urgency with which they want us to act before we’ve had the time to recognize them as fakes. That urgency is the first telltale sign that you should ignore and delete the SMS. But there are other ways to avoid becoming a victim of a smishing attack, and we shall conclude by looking at those.
How to prevent smishing
There are some basic tips to observe to protect yourself from smishing:
If the SMS is unexpected, do not respond.
Alerts from financial institutions have a verified sender ID identical to the name of the institution.
Most smishing texts give the game away with random URLs, or non-secure URL addresses which tell you the site is unencrypted.
Embrace two-factor authentication (2FA), which will thwart the fraudsters even if your account has been breached.
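The warning signs from the tips above can be expressed as a simple triage check. This is an added example, not CM.com's code; the institution name, its domain, the urgency phrases and the sample messages are all constructed for illustration, and only links written with an explicit http:// or https:// are inspected.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: institution name (as it appears in a verified
# sender ID) mapped to the only domain it legitimately links to.
KNOWN_SENDERS = {"ExampleBank": "examplebank.example"}
URGENCY = re.compile(
    r"\b(?:urgent|immediately|suspended|expires?|final notice|act now|within \d+ hours?)\b",
    re.I,
)
URL = re.compile(r"https?://\S+", re.I)

def smishing_signals(sender, body):
    """Return the sorted warning signs found in one SMS (empty list = none)."""
    signals = set()
    if URGENCY.search(body):
        signals.add("urgency")
    # The institution the text claims to be: named in the body or used as sender ID.
    claimed = next(
        (name for name in KNOWN_SENDERS
         if name.lower() in body.lower() or name == sender),
        None,
    )
    # Tip: a genuine alert carries a sender ID identical to the institution name.
    if claimed and sender != claimed:
        signals.add("sender-id-mismatch")
    for raw in URL.findall(body):
        url = urlparse(raw.rstrip(".,;:!?)"))
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            signals.add("non-https-url")  # link to an unencrypted site
        if claimed:
            domain = KNOWN_SENDERS[claimed]
            # A lookalike such as examplebank.example.verify-login.test fails here.
            if host != domain and not host.endswith("." + domain):
                signals.add("unexpected-domain")
    return sorted(signals)

# Constructed sample messages: (sender ID, text).
SAMPLES = [
    ("ExampleBank", "Your statement is ready: https://examplebank.example/statements"),
    ("+15550100", "ExampleBank: account suspended. Verify immediately at "
                  "http://examplebank.example.verify-login.test/a"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, smishing_signals(sender, body))
```

An empty result only means none of these signs were found; an unexpected message still deserves the caution described in the first tip.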
While growing awareness of smishing should over time reduce the menace, fraudsters are always looking to piggyback off the latest technologies to devise new scams.
SMS is a legitimate and highly effective marketing tool, and companies tend to use bulk SMS providers such as CM.com. Because smishing scams are essentially a numbers game, CM.com accounts are appealing targets for the fraudsters – they can hide their identity and send messages at scale free of charge.
As such, CM.com account holders should:
Enable 2FA on their account.
Never share their API-token, or show it on their website(s) to end users, not even in encrypted form.
Set limits to monthly credit amounts so in the event of a breach, the damage is limited.
CM.com is as determined to fight the smishing fraudsters as your telecom provider, your bank, and other targeted bodies, so if you suspect you have been a victim of fraud, contact the relevant organization as quickly as possible.