What the Smish!? The rise of SMS phishing attacks

SMS or Short Message Service is the text messaging service you used to use on your mobile phone before Whatsapp. All mobile/cellular phones support SMS and it’s a common way for people to get in touch with you and, more commonly these days, is a way for a service provider to reach you (think your bank or broadband provider).

What is Smishing?

Smishing is a form of phishing where attackers will use the SMS service to carry out an attack by making you think that they are someone they are not.

With the fact that SMS messaging authentication is only taken on phone number, there is a big opportunity for attackers to jump on. As well as that, you can message anyone you like — you just need to know their number.

Since the pandemic started, it seems like there has been a rise in the number of smishing attacks coming through to our phones as the attack opportunity increases, with some popular attacks being:

  1. Covid vaccination appointments
  2. Banking notices
  3. Postal delivery updates
  4. Tax information 

Why do Smishing texts dupe so many people?

SMS is short format, and you have no real way of knowing that the person on the other end of the text is not who they say they are - unless you already know them and their number.

Link scrutiny is also harder as you can’t hover over the URL as you could in an email. This, coupled with the shortened URLs which are commonly seen on text messages, make spotting a smishing text even trickier.

Recently in the UK, eight suspects were arrested for allegedly being involved in sending fake messages, primarily posing as Royal Mail and asking people to pay a fee to retrieve a parcel.

This is a common attack as the relatively small amount of cast might seem like an acceptable trade, and given that a good percentage of people expect to receive a parcel, there is a high chance of success for the attacker.

So what can you do about it?

If you are concerned that you have received a smishing message then the NCSC has guidance on their website and a number - 7726 - that you can forward onto.

The service is free of charge and helps the chances that the origin and location of the smish can be found and the attacker(s) apprehended.

How can you protect your business from Smishing attacks?

Cyber criminals don't just target people through personal mobile numbers with B2C scams, they also target employees by pretending to be a range of individuals or entities - be it a colleague, customer, partner, vendor and so on.

Boost staff resilience to Smishing and Phishing with usecure

The usecure platform comes pre-loaded with quick, video and interactive Smishing and Phishing courses, that empower users to spot the signs of cyber scams and know exactly how to report them.

You can also launch a free phishing simulation to assess which employees are vulnerable to an inevitable scam, with realistic templates readily made for you.

Grab a free trial of usecure and start understanding your organisation's human cyber risk.