Familiar with phishing? Even if you don’t know the specifics, most of us have experienced it at one point or another – the unexpected email that appears harmless at first but doesn’t seem quite right upon closer inspection. These emails are sent out by cybercriminals and usually contain a link to malware or a malicious attachment which, if downloaded, can cause data breaches or steal sensitive information like passwords and card details. You can learn more about email phishing attacks in our blog here or download our handy phishing cheat sheet.
It’s important to acknowledge that phishing via email is just one type of social engineering attack. As we become increasingly reliant on our smartphones not just for communication, but for all kinds of browsing and online transactions, cybercriminals are also targeting our phones. On average, only 27.5% of people are familiar with the threat of SMS phishing, yet we open 98% of all text messages we receive (compared to 20% of emails). Cybercriminals are making it their business to take advantage of these statistics, attempting to catch us off guard with a seemingly innocent text message.
And that’s exactly what smishing is – an SMS text sent by an attacker with malicious intent.
SMS phishing is a growing threat, not only because we’re less suspicious of cyber-attacks via phone, but also because smartphones tend to be less protected than our PCs or laptops. Yet a malicious link sent by SMS can work just as effectively as one sent by email. Once you’ve been tricked into clicking a link, the malware can install itself on your phone and help itself to any information stored on your apps – from login credentials to your credit card details. On business/work phones, any sensitive information or business data stored on the device can also be targeted, potentially leading to a breach of GDPR.
Cybercriminals are clever and always finding new ways to disguise their attacks. A phishing SMS will often masquerade as coming from a reputable source, perhaps replicating your phone network provider or even your bank. Watch out for:
There are any number of approaches they could take to try to encourage you to follow a link or reply with personal details. Just remember that once you reply, or visit their site, they’ve got your credentials and can easily access your accounts.
Just because we’re in the middle of a pandemic doesn’t mean cybercriminals are taking a day off. According to the National Fraud & Cyber Crime Reporting Centre, more than 160,000 suspected phishing emails were reported to their Suspicious Email Reporting Service in the first two weeks after the service was set up. The majority of these attempted to exploit the current COVID-19 situation, offering people fake links to order personal protective equipment or testing kits.
In fact, according to a recent survey carried out by Citizens Advice, over a third of British adults have already reported being a target of a Covid-19 related scam. The National Cyber Security Centre has released a useful information sheet about four common SMS phishing scams that are already known and what to look out for.
The launch of the government’s NHS Test and Trace service brings more reasons to be vigilant about incoming text messages. The service contacts people via SMS, as well as by email and over the phone, to alert you that you have been in contact with someone who has tested positive for Covid-19. Despite reassurances that genuine messages will only ever direct you to the official government site, the fact that the SMS will ask you to open a link is already problematic.
Asking the recipient to open a link is a tactic commonly used by SMS phishing scams, so many people will justifiably be reluctant to trust any link sent by text message. And, once you follow the link, the details you are asked to provide – name, date of birth, post code – are all useful titbits for anyone who wants to try to hack your accounts. A cybercriminal can take advantage of this by creating a reputable-looking replica of the SMS, so it’s more important than ever to take care and know what to look out for.
Just like phishing, the best way to avoid becoming a victim of a smishing scam is to educate yourself, your friends, family and colleagues about what to look out for.
Follow these basic rules:
Take Five has lots of good advice about what to look out for.
If you think you’ve been a victim of smishing you should cancel your debit or credit cards and notify the bank as soon as possible. They should be able to offer further support. You may also want to update your passwords for anything you think may have been exposed, then report the incident to Action Fraud so that they can keep a log of the most common attacks.