Smishing—the combination of the terms “SMS” and “phishing”—is, according to IBM, “a social engineering attack that uses fake mobile text messages to trick people into downloading malware, sharing sensitive information, or sending money to cybercriminals.” Unfortunately, with new technology comes new ways to elicit information from end users.
The first “robocall”—automated phone soliciting—was documented in 1977. Robocalls were rebranded as “Dinner Hour Marketing.” This was when real people, not bots, would call landlines during dinner time to try and sell products or services.
With the introduction of emails, this type of solicitation quickly expanded. Yep, that’s right, we’re talkin’ spam. In fact, the first unsolicited email was sent by Gary Turk in 1978 to 400 people. As spam emails became more sophisticated, email phishing emerged. In the 90s, bad actors started sending emails disguising themselves as others to trick the recipient. Today, phishing attacks are highly advanced—email senders are disguised as businesses, employees, relatives, etc.
And now we’re back to the present day where these phishing attempts have breached messaging apps. So, what does a smishing attack look like? How do they work? Let’s explore SMS phishing a bit more to shed some light on this new type of attack.
SMS Marketing
We can’t talk about smishing without first talking about SMS marketing. With SMS marketing, brands can send customers texts sharing promotions, order updates, etc. So, as a result, people are starting to get used to text messages coming from unknown numbers with links to promotions.
There’s a catch, however. To receive marketing text messages, customers have to opt in and explicitly agree to get these types of messages. There also needs to be a way to opt out. Just as easily as customers can sign up, they can remove themselves from your SMS marketing list. That’s one way to distinguish between smishing and legit SMS marketing, but there are some other ways too.
What Does Smishing Look Like?
Smishing is one of those things that you recognize when you see it. At this point, most of us have probably experienced a smishing attack. When you open a text and think “Hm, this is a little weird” or “They probably have the wrong number,” it could be a smishing attack.
The goal of a smishing attack is to try to get some information from the recipient. So, generally these messages ask the user to complete some sort of next step. Whether it’s clicking a link, responding with a password, or sharing your name, the scammer is looking to collect data that helps them access protected information. These attacks can be incredibly sneaky as the sender can disguise themselves as a brand or a person and it’s hard, as the recipient, to ensure the sender is who they say they are.
And, as IBM points out, “It’s also harder to spot dangerous links on cell phones. For instance, on a computer, users can hover over a link to see where it leads, but on smartphones, they don’t have that option.”
Take this text from an unknown number, for example. I received this message around 3:30pm on December 19th (conveniently right before I wrote this post) while sitting on my couch. My first thought was, “What did I order?” Then, “Wait, what’s Tabit?”
After some research, I learned that Tabit is a POS system for restaurants. So, one of two things could have happened: someone who actually was at a restaurant accidentally used my phone number when placing their order or someone is disguising themselves as Tabit to try to get recipients to click on the attached link.
Either could still be possible but, to play it safe, I didn’t click the link.
How to Combat Smishing
With sneaky senders, it’s hard to know what’s smishing and what’s not. So how are we supposed to know? From personal experience, it’s better to be suspicious. When in doubt, don’t respond, don’t click any links, and don’t send any personal information. If someone is trying to contact you with important information, they’ll find another way to do so.
IBM also provided a list of common smishing scams to be on the lookout for. These include pretending to:
- Be a financial institution
- Be the government
- Be customer support
- Be a shipper
- Be a boss or colleague
- Text the wrong number
- Be locked out of an account
- Offer free apps
With any of the above examples, there are other ways these actual senders would contact you if it was truly necessary. Your bank would probably email you before they text, your boss would probably Slack you, etc. These smishing attacks have been so prevalent that our CEO, Andrew Boni, once said to the entire company “I’ll never text you about gift cards.” That cleared that up.
Feel free to ignore, report, and block any numbers you’re not familiar with. Like we said, any legit marketing text message will give users the option to opt out. So, if you get a message from a brand and aren’t given that option or don’t remember opting in in the first place, use caution.
SMS Isn’t All Bad
In the words of Olivia Rodrigo, it’s brutal out here. These bad actors aim to take advantage of vulnerability. They often use fear and urgency to scare the recipient into acting immediately. Remember, if something is truly an emergency, you’ll know about it outside of text messages.
All that being said, you shouldn’t fear signing up for marketing text messages. SMS marketing is highly regulated with rules in place to make SMS marketing extremely beneficial for the customers. Don’t let smishing scare you out of connecting with the brands you love.
If you’re a marketer looking to expand your brand’s mobile marketing program to include SMS, schedule an Iterable demo today to see what’s possible.