Monday, April 10, 2017

What is Smishing?

We often get spam SMS messages. They are not only annoying; sometimes they can be dangerous too. Attackers harvest the phone numbers of potential victims and send them malicious SMS messages, typically containing a link or a number to call back. When a user clicks on the link or calls the number provided, he falls prey to the scam. This type of scam is called smishing.


A typical example of smishing would be an SMS like this:

We’re confirming you’ve signed up for our dating service. You will be charged $2/day unless you cancel your order clicking on the link http://somescam.com



If a victim clicks on the link, he may be redirected to a malicious website that spreads malware, or he may land on a fraudulent website that looks identical to a legitimate one and end up giving away credentials or other personal details.




Smishing is a type of phishing scam in which attackers use SMS (Short Message Service) to deceive users. Attackers often use smishing to steal sensitive information from users or to spread malware.

The term “smishing” is a blend of the two words “SMS” and “phishing”: an SMS is the vehicle for this type of scam, hence the name.


Some real life examples of Smishing


Amazon Phishing Scam


This smishing scam appeared in January 2017. A victim typically gets an SMS like the one below:

Order Confirmation (#101-2341765-1192723)

Order total: 70$

If you did not authorize this purchase, click http://bit.ly/amazon-refund to Cancel and Refund.

As usual, the link points to a fraudulent website that looks almost identical to the Amazon website and asks the victim for credentials. The fake website even asks victims to enter their credit card numbers. Once such details are provided, the victim’s Amazon account as well as financial details are compromised.


However, if you look carefully, you can notice some pointers that indicate the SMS is not legitimate.

  • It should have been written as $70 and not 70$. A legitimate communication should not have this mistake.
  • It is unlikely that Amazon would send a link through a URL shortening service.

If a user gets any such unexpected text, the best way to deal with it is not to visit the provided link, but to log in to the legitimate Amazon website and check the active orders. The user can also call Amazon customer care to clarify.

Apple Phishing Scam


This smishing scam appeared in 2016. A victim typically gets an SMS like the one below:

Your Apple ID has been locked for invalid details and is pending termination. Confirm your details at http://somesmishinglink Apple.


In this case too, if a victim clicks on the link, he is redirected to a fraudulent website that looks identical to the legitimate Apple website and asks for his credentials.

If a user gets any such SMS, the best response is not to visit the link, but to log in to the legitimate Apple website and check whether there is any such notification, or to call Apple customer care directly to verify.



Netflix Phishing Scam


This smishing scam also appeared in 2016 and mainly targeted Australian Netflix users, who received an SMS like the one below:

Update your Netflix Account so you can continue enjoying your Netflix service. http://somesmishinglink

This link also points to a fraudulent website that looks identical to the legitimate Netflix website and asks for credentials. A user receiving any such SMS should verify the information by going to the legitimate Netflix website instead of clicking on the link, or call Netflix customer care and report it.


How to prevent Smishing?


We can always take a few steps of our own to protect ourselves better.

  • Never share your financial information via SMS, phone call or email. A bank will never ask any of its customers for it.
  • Do not follow instructions in an SMS from an unknown sender. Delete such an SMS immediately.
  • Be aware that an SMS claiming to be from your bank may not be genuine.
  • Do not click on any link in an SMS from an unknown sender.
  • If you get an unexpected SMS asking you to provide sensitive information quickly, be careful. Attackers often use social engineering to create a sense of urgency and demand a quick response, so that victims do not have time to think and instead reveal all the requested information.
  • It is always good to block unwanted numbers from sending texts or making calls.
  • If an SMS from an unknown sender asks you to call a number, do not do so.
  • If anything looks suspicious, do your research before responding. Sometimes a simple Google search reveals a lot.
  • Use common sense and caution, and make sure you do not fall victim to identity theft.
  • Beware of messages from numbers that do not look like phone numbers, for example “5000” numbers. Such messages are sent by email-to-text services, which attackers often use to mask their identity.
  • Never reply to a suspicious message in a hurry. If your bank really is going to cancel your credit card, you should be able to call your bank’s customer care and discuss the matter with them.
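The indicators this post points out (a shortened link, a brand named in the text but a link to some other host, the currency sign written after the amount, urgency wording, a request to confirm details, and a short-code sender such as “5000”) can be turned into a simple triage filter for incoming texts. The Python below is an added example written for this page, not code from the original post. The shortener list, the brand-to-domain table, the keyword lists and the scoring weights are assumptions chosen for illustration, and the sample messages are constructed (placeholder numbers and hosts) on the pattern of the Amazon and Apple texts quoted above.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post: shortened links, a brand named in the text
# but a link to some other host, the currency sign after the amount ("70$"),
# urgency wording, a request to confirm or verify details, and a short-code
# sender (e.g. "5000") of the kind email-to-text gateways use.
# All lists and weights below are assumptions for this example.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
URGENCY_WORDS = ("locked", "terminat", "suspend", "pending", "immediately",
                 "within 24 hours", "expire", "unless you cancel",
                 "did not authorize")
CREDENTIAL_WORDS = ("confirm your details", "verify", "update your",
                    "sign in", "login", "credit card", "password")
# Brand keyword -> domain a genuine message would link to (assumed here).
BRAND_DOMAINS = {"amazon": "amazon.com", "apple": "apple.com",
                 "netflix": "netflix.com"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TRAILING_CURRENCY_RE = re.compile(r"\b\d+(?:\.\d{2})?\s?[$€£]")  # "70$", not "$70"

def extract_urls(text):
    """Return the http(s) URLs in a message body, trailing punctuation removed."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]

def host_of(url):
    """Lower-cased host of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()

def registrable(host):
    """Crude registrable domain: the last two labels (fine for .com-style hosts)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def is_short_code(sender):
    """A purely numeric sender of up to 6 digits is a short code, not a phone number."""
    s = sender.strip()
    return s.isdigit() and len(s) <= 6

def score_message(sender, text):
    """Score one SMS against the indicators. Returns (score, reasons)."""
    score, reasons = 0, []
    lowered = text.lower()
    urls = extract_urls(text)
    for url in urls:
        host = host_of(url)
        if host in SHORTENER_HOSTS:
            score += 2
            reasons.append(f"link goes through URL shortener {host}")
        for brand, domain in BRAND_DOMAINS.items():
            if brand in lowered and registrable(host) != domain:
                score += 2
                reasons.append(f"mentions {brand} but links to {host or '(no host)'}")
                break
    if TRAILING_CURRENCY_RE.search(text):
        score += 1
        reasons.append("currency sign after the amount (e.g. 70$)")
    if any(w in lowered for w in URGENCY_WORDS):
        score += 1
        reasons.append("urgency or pretext wording")
    if urls and any(w in lowered for w in CREDENTIAL_WORDS):
        score += 1
        reasons.append("link combined with a request to confirm/verify details")
    if is_short_code(sender):
        score += 1
        reasons.append(f"sent from short code {sender.strip()}")
    return score, reasons

def is_suspicious(sender, text, threshold=3):
    """True when the indicator score reaches the threshold."""
    return score_message(sender, text)[0] >= threshold

# Constructed samples (not real messages; numbers and hosts are placeholders),
# modelled on the Amazon and Apple texts quoted in the post, plus two
# legitimate-looking messages to show what does not get flagged.
SAMPLE_MESSAGES = [
    ("5000", "Order Confirmation (#101-2341765-1192723) Order total: 70$ "
             "If you did not authorize this purchase, click "
             "http://bit.ly/amazon-refund to Cancel and Refund."),
    ("+15550100123", "Your Apple ID has been locked for invalid details and is "
                     "pending termination. Confirm your details at "
                     "http://example-verify.test/apple Apple."),
    ("+15550100456", "Your verification code is 482913. It expires in 10 minutes."),
    ("+15550100789", "Your Amazon order has shipped. Track it at "
                     "https://www.amazon.com/orders"),
]

def triage(messages=SAMPLE_MESSAGES, threshold=3):
    """Score a batch of (sender, text) pairs -> [(sender, score, flagged, reasons)]."""
    results = []
    for sender, text in messages:
        score, reasons = score_message(sender, text)
        results.append((sender, score, score >= threshold, reasons))
    return results

if __name__ == "__main__":
    for sender, score, flagged, reasons in triage():
        print(f"{sender:>14}  score={score}  {'SUSPICIOUS' if flagged else 'ok'}")
        for r in reasons:
            print(f"{'':>16}- {r}")
```

Run as a script to see each sample scored with its reasons. With a threshold of 3 the two scam-pattern messages are flagged and the two legitimate-looking ones pass; the Amazon pattern scores highest because the shortener, the mismatched brand host, the "70$" formatting, the pretext wording and the short-code sender all stack. A real deployment would tune the weights and replace the two-label domain check with a proper public-suffix lookup, since hosts under country-code second-level domains (e.g. .co.uk) break that approximation.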



