Title: What is smishing and how to prevent it

URL: https://www.infobip.com/blog/what-is-smishing-and-how-to-prevent-it

Definition: Smishing, similar to email phishing, is a type of SMS fraud where fraudsters send SMS messages to potential victims, pretending to be from legitimate companies, in an attempt to steal personal information or spread malware.

In 2022, the FTC reported that US consumers lost $330 million to fraudulent texts. Not just individuals are affected; a staggering 74% of organizations worldwide reported experiencing smishing. In 2023, the Bank of Valletta (BOV) was even held responsible for a smishing scam that led to its clients losing money.

This shows that smishing is one of the biggest threats to the mobile industry today. It's essential to understand what smishing is and how it works, but it's equally important to know how to prevent it.

If you're already familiar with smishing, you can skip right to the prevention chapter here.

## Smishing explained

Smishing has become increasingly popular among cybercriminals primarily because of two reasons:

1. **Users’ trust in SMS:** SMS messages can have up to 98% open and 45% response rates. Cybercriminals exploit this tendency to trust SMS to trick users into performing actions that compromise security.
2. **Email oversaturation:** Inboxes have become flooded with promotional offers and spam, making people more suspicious of emails, which in turn makes it a less effective medium for fraudsters.

### How smishing works

Effective smishing attacks rely on a recipient&nbsp;taking an action, such as clicking on a link in an SMS message that takes them to a fake landing page or submitting private information by return SMS.

An illustrative example of a smishing message.

Popular scam tactics include impersonating trusted brands&nbsp;or using multi-stage&nbsp;social engineering tactics&nbsp;that exploit harvested data or information, which could be anything from a name and address to an account number.

Scammers are also very good at adapting, unscrupulously using current events like the war in Ukraine or a crypto crash to legitimize their scams.

### Types of smishing attacks

There are broadly&nbsp;three types of smishing attacks, ranging from borderline-legal guerrilla marketing tactics to sophisticated multi-stage criminal attacks that can have a significant financial impact on victims.

<accordion>
<accordion-item title="1. Copycat marketing">
This involves businesses reaching out, pretending, or suggesting that they are a well-known brand the victim already trusts (also known as brandjacking). The victim is deceived into viewing a product or offer they would not have considered otherwise. While it is illegal to impersonate a trademarked brand directly, some companies bend the law by using branding and messaging like established businesses.
</accordion-item>
<accordion-item title="2. Malware attacks">
This type of attack is malicious but has limited sophistication. Recipients are fooled into believing the message is from a legitimate source, but the link they are encouraged to click on will download malware onto their device. This malware could infect the device and distribute itself automatically via the phone’s contact list. An example was the Flubot, which targeted Android devices and was designed to steal online banking details and other private data.
</accordion-item>
<accordion-item title="3. Fake landing pages">
This is the most brazen, sophisticated, and costly form of smishing. Fraudsters mimic messages from legitimate businesses to their customers, encouraging them to visit a fake landing page where they are instructed to enter personal information and login credentials. Criminals then steal these details and use them to access the real accounts. These landing pages use one-off or very short-lived URLs, which make them almost impossible to trace.
</accordion-item>
</accordion>

### Examples of smishing attacks

The one thing all smishing attacks have in common is a strong prompt for the recipient to act quickly. Usually, they offer something attractive or alert the recipient to something bad that could cost much or cause embarrassment if not done soon. The sense of urgency encourages victims to act immediately without giving it much thought.

#### You’ve won a competition! (that you never entered)

Starting on the less sophisticated (and less plausible) end of the spectrum, we have all received messages that promise an unexpected boost to our bank balances. These range from lottery wins to inheritances from unknown relatives or even Nigerian royalty. The carrot of a big pay day is often enough to make people drop their guard and click on a link or provide personal information.

You can see how old these types of smishing scams are just by the look of this screenshot. Source: Feds crack down on text-messaging spammers  (nbcnews.com)

#### Fake delivery notifications

This approach has grown in prominence over the past two years as more people shop online and retailers rush to roll out new SMS notification use cases. Fraudsters have quickly exploited this opportunity and created very realistic messages from retailers and delivery companies that flag ‘an issue with your delivery.’ They may ask the recipient to pay additional delivery charges or enter their login credentials to get more information about the problem.

Example of a smishing scam with delivery notifications from Royal Mail. Source: Typical online scams to look out for | Royal Mail Group Ltd

#### Fake bank messages

Ironically, one of the most successful smishing tactics is for fraudsters to mimic a message from a bank flagging unusual activity on the customer’s account. These messages are easy to copy as they follow a consistent format and as there are a limited number of retail banks, there is a high probability that recipients will recognize their own bank as the sender.

An example of a smishing message impersonating the Bank of America. If the user responds to the message, they might be in danger. Source: Fake or for real? How to know if a text from your bank is legit - CNET

The message will likely encourage the person to change their password to prevent any further fraudulent activity. Clicking on a link in the message takes the user to a&nbsp;fake login page&nbsp;where they are asked for their login credentials to change their password.

With these details, criminals have a window of opportunity to log in and transfer money from the account before the victim notices. Many banks are becoming wise to this tactic and incorporating 2FA checks when an account is accessed from a new device, or the requested amount goes above a certain threshold.

#### The mutual friend/colleague scam

This approach uses some very basic social engineering tactics to improve the effectiveness of the smishing attack exponentially. If a message includes the name and details of a person we know and trust, then we are far more likely to believe that it is legitimate.

All the scammers have to do is scrape victims’ social media accounts to find out who their close friends or business acquaintances are. They then use this information, perhaps by offering them a job, an unmissable business opportunity, or an invitation to an event that would be right up their street.

Example of a smishing message from a new "friend." Source: 7 Spam and Scam Text Messages You Should Delete Immediately (rd.com)

#### Fake social media alerts

People seem to lose their sense of perspective when faced with the possibility that there is an unflattering picture of them on the internet. A very successful tactic has been SMS messages that claim to be from a social-media Samaritan alerting the person about something they wouldn’t like: “You won’t believe the photo that John tagged you in on Facebook! Check this out….”

#### The donations scam

When a prominent event in the news occurs, such as elections, a natural disaster, a war, or a refugee crisis, scammers exploit it to persuade people to donate money or provide personal information that can then be used fraudulently.

An example of an SMS scam asking for political donations. Source: When the Campaigns Have Your Digits - The New York Times (nytimes.com)

## How to prevent smishing

Smishing prevention starts with mobile operators (MNOs), who can deploy various anti-fraud solutions to protect their networks against various types of SMS fraud. They play a crucial role in safeguarding the security of mobile users.

In Poland, for instance, there is a law called The Act on Combating Abuses in Electronic Communication (CAECA), which came into effect in 2023. It requires mobile operators to:

- block text messages that qualify as smishing
- block text messages purporting to be from a public institution (based on the name of the sender)
- block calls that conceal the caller ID from the end user

Not complying with these obligations could result in a fine of up to 3% of their revenue generated in the previous calendar year.

In the UK, leading telecom providers and the government are working together to combat fraud under the Telecommunications Fraud Sector Charter, through coordinated actions and solutions adhering to legal and data protection obligations. The actions defined by the charter include implementing additional techniques to block smishing:

NAB, an Australian bank, has also taken an active approach to combating fraud. It is placing the bank's phone numbers on the ‘Do Not Originate’ list to help reduce scam calls impersonating the bank. They have also added additional protections to reduce scam messages appearing in legitimate bank text message threads, making it difficult for scammers to replicate NAB's phone number.

### Recommendations for MNOs and businesses: implement anti-fraud solutions

Implementation of SMS firewalls is a crucial step in defense against smishing and other types of fraud. At Infobip, we already work with over 120 MNOs around the globe, helping them protect over 1.1 billion mobile users with an advanced SMS firewall that offers several key features:

- real-time blocking of malicious numbers and URLs, thanks to a continually updated database
- proactive threat detection using [machine learning](/glossary/machine-learning) to anticipate and prevent fraud attempts
- automated responses to identified threats, enhancing the speed and efficiency of our defense
- detection of [MSISDNs](/glossary/msisdn) that are not linked to “real customers,” facilitated by [SIM box detection](/glossary/sim-box-detection) that enables MSISDN reputation analysis

#### Read more in this customer story:

In addition to an SMS firewall, we employ a straightforward plug-and-play solution called Signals. This tool is particularly effective for OTP traffic, employing a combination of strategies to identify and halt fraud. Signals monitors for unusual patterns and behaviors, uses data analysis to evaluate risks, and leverages machine learning to block fraudulent traffic in real time.

### Recommendations for mobile users: stay vigilant

Here are some recommendations from the Federal Communications Commission (FCC) on how to protect yourself against smishing attempts:

1. **Avoid unknown links and numbers**: Do not click on links, respond to text messages, or call numbers that are unfamiliar to you.
2. **Ignore requests to stop messages**: Even if a message asks you to “text STOP” to cease receiving messages, it’s best not to respond.
3. **Delete suspicious texts**: Any text messages that seem dubious should be deleted immediately.
4. **Update your device**: Ensure that your smart device’s operating system and security applications are always updated to the most recent version.
5. **Consider anti-malware software**: For an additional layer of security, think about installing anti-malware software on your device.
6. **Use multi-factor authentication**: Implement multi-factor authentication to protect sensitive personal information, such as bank accounts, health records, and social media accounts.

## Other common questions about smishing

<accordion>
<accordion-item title="How did fraudsters get my mobile number?">
Victims of smishing attacks may rightly ask how their number fell into criminal hands. Unfortunately, there are all sorts of ways this can happen as we provide our mobile number to all types of organizations every day of our lives.

- **Data breaches**: When hackers gain access to an organization’s customer database, the information they steal could include anything from login and password details to addresses and mobile phone numbers. These people may not use the information themselves but sell it to other criminals who specialize in particular types of fraud. So customers of a [particular bank](https://www.infosecurity-magazine.com/news/us-bank-data-breach-impacts-15/) or [airline](https://www.msn.com/en-in/news/other/akasa-airline-suffers-data-breach-passengers-personal-information-leaked/ar-AA11cXd1) that suffered a data breach may find that months or even years down the line they start getting fraudulent messages once their number has found its way to a smishing specialist.
- **Bought lists**: Once a mobile number has fallen into the wrong hands it can be added to lists that are then bought and sold on the dark web by scammers.
- **Website scraping**: You may not know it, but your phone number may be listed in multiple legitimate places on the internet. Anything from old social media profiles, the websites of organizations or clubs that you once belonged to, or on third-party business directories. Fraudsters will use software that continually scans the internet looking for combinations of numbers that look like phone numbers and add these to lists to be sold on.
- **Saved form data on your browser**: Depending on your browser settings, when you fill out a web form the information that you enter can be saved in memory so that the browser ‘remembers’ your details the next time you fill out a similar form. If this data is not locked down by the browser, it can be found and extracted by malware that then transmits it to external third parties.
- **Random number generators**: Unfortunately, there really is not much that you can do about this. Mobile numbers have a consistent length and format in most countries, so it isn’t difficult for software to generate vast lists of potential phone numbers that can then be verified by automatic dialers. Do you ever get random calls that ring just once? That could be the dialers checking if your number exists.
</accordion-item>
<accordion-item title="What are the differences between phishing, smishing and vishing?">
The main difference between phishing, smishing and vishing is the channel used to perpetrate fraud (email, SMS, or voice). Here is an overview of each type and how they differ:

- **Phishing**: A cyber attack where attackers impersonate legitimate organizations to trick individuals into revealing sensitive information, such as usernames, passwords, and credit card numbers. The ‘bait’ message is typically delivered via email. Examples include [MetaMask and Paypal scams in 2023](https://consumer.ftc.gov/consumer-alerts/2023/05/those-urgent-emails-metamask-and-paypal-are-phishing-scams).
- **Smishing**: The SMS equivalent of phishing. The 'bait' message is delivered by SMS rather than email. This means that the receiving device will most likely be a mobile rather than a PC, so any malware included in the attack will be designed to infect a mobile device and spread via the phone's contacts. For example, [Apple iPhone users](https://www.forbes.com/sites/kateoflahertyuk/2024/03/28/new-iphone-password-attack-warning-issued-to-apple-users/?sh=5a1b08f61028) are being targeted regularly. Also, smishing messages will be delivered via the mobile network rather than the internet, so a different set of security solutions have to be put in place to combat attacks.
- **Vishing**: The voice equivalent of phishing. In fishing attacks, fraudsters use phone calls or voice messages pretending to be from reputable companies to trick individuals into revealing personal information or data. A [2023 attack on MGM Resorts](https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-casino-vishing-cybersecurity-ransomware) is an example of this.

Each of these fraud methods represents a different approach to the same goal: tricking individuals to steal their money or data.
</accordion-item>
</accordion>

## Conclusion: Securing mobile networks is paramount in the fight against smishing

The rise in smishing attacks will erode confidence in SMS, causing individual users and brands to move away from this channel. This will reduce revenue opportunities for players within the messaging ecosystem, all of which have a part to play:

- mobile operators need to adopt solutions to help safeguard their network
- CPaaS providers need to use clean routes and leverage their capabilities to block fraudulent traffic
- businesses need to avoid using [grey routes](/glossary/what-is-an-sms-gray-route)

Mobile operators bear a significant responsibility as they are the first line of defense against fraud. By protecting their networks, they can prevent these fraudulent messages from reaching users in the first place.

To do so, they need to collaborate with vendors capable of providing advanced anti-fraud solutions. With this, they not only safeguard their customers but also ensure the sustainability of their business revenue from A2P SMS in the long run.

This blog was originally published on August 31st 2022, and last updated on April 15th 2024. Updates include adding various examples of smishing attacks, and a new chapter on smishing prevention.

#### Learn more about Infobip's anti-fraud solutions

Talk to an expert

#### You might be interested in:

## Get the latest insights and tips to elevate your business

By subscribing, you consent to receive email marketing communications from INFOBIP. You have the right to withdraw your consent at any time using the unsubscribe link provided in all INFOBIP’s email communications. For more information please read our Privacy Notice