Smishing: A new type of Phishing Scam

Smishing is a variant of the "phishing" scam. In phishing, users receive a genuine-looking email that appears to come from their bank, Internet Service Provider (ISP), favorite store, or another organization. In smishing, the same kind of lure is delivered via SMS (text message) to your mobile phone.

Smartphone use has grown to the point where almost everyone relies on apps for daily tasks such as ordering food, buying movie tickets, and shopping online, and many of those apps are linked to a payment card or bank account, so a purchase is only a few taps away. That makes the smartphone an attractive route to confidential information: attackers send texts that trick users into doing something against their own best interests.

The fraudsters are getting more sophisticated. In smishing, mobile phone users receive text messages containing a web site hyperlink which, if clicked, may download a Trojan horse, virus or other malicious code onto their device and/or lead to a page that tricks the target into revealing a password, user ID or similar private data.

Some examples of smishing messages:

  • Dear customer, Bank of America needs you to verify your PIN number immediately to confirm you’re the proper account holder. Some accounts have been breached. We urgently ask you to protect yourself by confirming your info here.
  • A Beautiful weekend is coming up. Wanna go out? Sophie gave me your number. Check out my profile here: [URL]
  • Your entry last month has WON. Congratulations! Go to [URL] and enter your winning code – 1122 – to claim your $1,000 Best Buy gift card!

Always "think before you tap" when you get such a message: smishing is used for identity theft, bank account takeovers, and to pressure you into giving out personal or confidential company information.

Steps to protect yourself from smishing:

  1. Delete text messages that ask you to confirm or provide personal information: Legitimate companies don’t ask for information like your account numbers or passwords by email or text.
  2. Don’t reply, and don’t click on links provided in the message: Links can install malicious code on your device and take you to spoof sites that look real.
  3. Treat your information like cash: Your Social Security number, credit card numbers, and bank and utility account numbers can be used to steal your money or open new accounts in your name. Don’t give them out in response to a text.
  4. Be suspicious of messages about verification codes, which attackers use to bypass two-factor authentication. Be particularly wary if you did not request a code. A legitimate message from a password-recovery or login service simply tells you the code; it will not ask you to reply with it or to enter it anywhere other than the site you are logging in to. Anyone who asks you for a code you just received is trying to use it to log in as you.
  5. Don’t fall for texts from your network which ask for details.  Your phone network will often text you – if you’re abroad, for instance, to warn of data roaming rates. But networks won’t ever ask you to confirm or verify your details. If you see a “security” text which asks for a password or any other details, don’t click the link, and don’t call any numbers in it. Contact your network via their website, or via their phone number (the real one, not the one in the SMS).
  6. If you see a “business” phone number in a text, it’s no guarantee it’s real. Many SMS phishing attacks will include “toll-free” numbers that look like legitimate business ones – they’re not.
  7. Don't reply with "STOP" if you're being spammed; contact your network instead. If you're repeatedly spammed and the SMS tells you to text back "STOP" to end the messages, don't. Replying simply confirms to the spammers that your number is live, and they'll intensify their attacks. Your network will be able to block SMS from specific numbers.
  8. Be very suspicious of "special offers", especially ones where you must "act fast." Phishers commonly send SMS attacks in the form of "special offers" from big companies, such as a $1,000 gift card where only a limited number are available and you must click a link to cash in.
  9. High-value "special offers" that sound too good to be true usually are. If it's your local pizza place offering two-for-one on Tuesdays, you are probably safe. Think first, and think hard, if you're being asked to click a link.
  10. Set your phone to block apps from unknown sources. Many SMS phishing attacks aim to fool you into installing malicious apps, particularly on Android. As a precaution, block installation from unknown sources (in older Android versions this is a single "Unknown sources" switch in Settings; from Android 8 onward it is a per-app "Install unknown apps" permission). If you must allow it, for instance to install a legitimate app from outside the store, set it back to blocked when you've finished; if you later make a mistake, this gives you another line of defense. It's also worth using Google's built-in "Verify Apps" function (now part of Google Play Protect), which scans installed apps for known malicious behaviour.
  11. Don't fall for texts from your bank which ask for "confirmation details." Your bank may well text you, for instance to confirm a transaction you made on your PC, but bank texts will never ask you to confirm details or to provide passwords. Banks also won't push app updates by text. If you're suspicious, don't click links and don't call any numbers in the text. Instead, call your bank on its normal number (look it up on the bank's website or on your card if you don't know it) and check whether the text is from them.
  12. Don’t fall for warnings saying, “Your phone is infected.” Recent SMS phishing scams use a bogus “security alert” to scare users into installing fake antivirus apps. Reputable security companies will not “push” products in this way. ESET’s Cameron Camp says, “Malware posing as security apps, also known as “scareware”, are some of the most pervasive scams on Android in recent months.”
  13. Don’t trust caller ID.  Just because your caller ID displays a phone number or name of a legitimate company you might recognize, it doesn’t guarantee the call is coming from that number or company.
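The warning signs in the list above can be encoded as a simple heuristic scorer. The following is an added example written for this page, not code from the original article or from either reference site. It runs over the three sample messages quoted earlier plus a few constructed ones (a genuine one-time code, a carrier roaming notice, a local pizza offer, and a code-theft text of the kind described in step 4). The indicator patterns, weights, the threshold of 4 and the `sender_known` flag (standing in for an address-book lookup) are all arbitrary assumptions made for illustration, not a validated model.

```python
import re

# Each indicator is (name, pattern, weight). Patterns and weights are
# illustrative assumptions for this example, not a validated model.
INDICATORS = [
    # Any link, including the "[URL]" placeholder used in the page's examples.
    ("url", re.compile(
        r"https?://\S+|www\.\S+|\b[a-z0-9-]+\.(?:com|net|org|info|ly|xyz|top|io)\b\S*|\[URL\]",
        re.I), 2),
    # Asks for a secret outright (steps 1 and 3).
    ("credential_request", re.compile(
        r"\b(?:pin|password|passcode|ssn|social security|account number|card number|cvv)\b",
        re.I), 3),
    # "Verify your account", "confirm your details" (steps 5 and 11).
    ("confirm_details", re.compile(
        r"\b(?:verify|confirm|validate|update|re-?enter)\s+(?:your|the)\s+"
        r"(?:account|details|info(?:rmation)?|identity|pin|password|card|login)\b",
        re.I), 2),
    ("urgency", re.compile(
        r"\b(?:immediately|urgent(?:ly)?|act (?:fast|now)|within 24 hours|suspended|breached|locked|expires?)\b",
        re.I), 1),
    ("prize", re.compile(
        r"\b(?:won|winner|congratulations|gift card|prize|claim)\b", re.I), 2),
    # Asks you to hand over a code: the 2FA-bypass pattern in step 4.
    ("code_request", re.compile(
        r"\b(?:reply|send|text|provide|give)\b[^.!?]{0,40}\b(?:code|otp)\b", re.I), 3),
    # Fake "your phone is infected" / "security alert" scareware lure (step 12).
    ("scare_alert", re.compile(
        r"\b(?:infected|virus|security alert|suspicious (?:login|activity))\b", re.I), 2),
    # "Reply STOP" bait (step 7) and look-alike toll-free numbers (step 6).
    ("stop_bait", re.compile(r"\b(?:reply|text)\s+stop\b", re.I), 1),
    ("toll_free_number", re.compile(
        r"\b(?:1[-.\s]?)?8(?:00|33|44|55|66|77|88)[-.\s]?\d{3}[-.\s]?\d{4}\b"), 1),
]
THRESHOLD = 4  # assumed cut-off for this example


def score_sms(text, sender_known=False):
    """Return (score, matched indicator names) for one message body."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight
    # A link is much more suspicious when the sender is not in your contacts;
    # the dating lure in the page's examples carries nothing else.
    if "url" in hits and not sender_known:
        hits.append("link_from_unknown_sender")
        score += 2
    return score, hits


def is_smishing(text, sender_known=False, threshold=THRESHOLD):
    return score_sms(text, sender_known)[0] >= threshold


# Sample messages as (text, sender_known). The first three are the page's own
# examples; the rest are constructed for this demonstration (555-01xx numbers
# are reserved fictional numbers).
SAMPLES = {
    "bank_pin": ("Dear customer, Bank of America needs you to verify your PIN number "
                 "immediately to confirm you're the proper account holder. Some accounts "
                 "have been breached. We urgently ask you to protect yourself by "
                 "confirming your info here.", False),
    "dating_lure": ("A Beautiful weekend is coming up. Wanna go out? Sophie gave me your "
                    "number. Check out my profile here: [URL]", False),
    "gift_card": ("Your entry last month has WON. Congratulations! Go to [URL] and enter "
                  "your winning code - 1122 - to claim your $1,000 Best Buy gift card!", False),
    "code_theft": ("Security alert: a new device signed in to your account. Reply with the "
                   "6-digit code we just sent you to confirm it was you, or call "
                   "1-800-555-0142. Reply STOP to opt out.", False),
    "real_otp": ("Your verification code is 482913. It expires in 10 minutes. "
                 "Do not share it with anyone.", True),
    "roaming_notice": ("Welcome to France. Data roaming is charged at 0.05 per MB. "
                       "Open your carrier's app to buy a roaming pass.", True),
    "pizza_offer": ("Tony's Pizza: two-for-one on Tuesdays this month, just show this "
                    "text at the counter.", True),
}


def triage(samples=SAMPLES):
    """Score every sample; returns {label: (score, flagged)}."""
    return {label: (score_sms(text, known)[0], is_smishing(text, known))
            for label, (text, known) in samples.items()}


if __name__ == "__main__":
    for label, (text, known) in SAMPLES.items():
        score, hits = score_sms(text, known)
        verdict = "SMISHING" if score >= THRESHOLD else "ok"
        print(f"{label:15} {verdict:9} score={score} {hits}")
```

Two points worth noticing in the output: the genuine one-time code scores only 1 (it states the code and asks for nothing), while the constructed code-theft text scores highest because it asks you to reply with a code, a pattern no legitimate service uses; and the dating lure is caught only by the "link from an unknown sender" rule, which is why a keyword filter alone is weak against social lures. Treat this as a triage aid, not a replacement for the habits in the list.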


References:

  • https://efraudprevention.net/home/templates/?a=3
  • http://it.fitnyc.edu/2017/07/10/phishing-moves-smishing/