What is Smishing?

This is the eighth entry in a series of cybersecurity themed articles; stay tuned for more if you’re enjoying this content!

Have you ever received a cryptic text message on your cell phone, asking you to reply with some piece of personal information? This is the essence of a new type of phishing attack, called “smishing”, a portmanteau of “SMS” (short message services, better known as texting) and “phishing.”

In the typical phishing attack, the attacker will send out spoofed emails to the victim asking for some personal data. Though this attack vector still has its own merits, email spoofing is difficult to get right and spam filters are getting more advanced by the day thanks to machine learning on the scale of Google. Assuming an attacker knew the victim’s cell phone number, they could completely bypass all that spam prevention technology and more easily spoof their identity when sending phishing messages.

What makes smishing a difficult problem to combat is the difficulty with which the veracity of such an information request can be verified using only a mobile device. “Official” SMS short codes can be easily spoofed, and faking the authenticity of a simply, text only, communication is not tremendously difficult. In fact, thus far, the best strategy for dealing with smishing attacks involves banks and large corporations explicitly stating that their employees will never ask customers for specific pieces of data, like their passwords.

In closing, the next time your “bank” sends you a request to confirm your account number or your “internet service provider” texts you to ask for confirmation for a service change you know nothing about, take a moment to consider if the request is actually authentic. I’m also a huge fan of providing false information to the folks who perform these types of attacks. According to many large leak databases my phone number is 123-456-7890, my email is [email protected], and my birthday is 1/1/59.

Stay safe out there!

Leave a Reply