“Knowledge is power.” - Sir Francis Bacon

Smishing, the new Phishing?

Smishing is becoming an increasingly popular tactic for scammers to try and extort individuals and businesses. Whereas phishing, which is also extremely favoured by scammers, uses email as it's channel of delivery, smishing uses plain old SMS text messages to your mobile phone.

These messages will contain a compelling message and reason of why you should click the link within the message and complete some action. This will always be to steal your details, and eventually, your finances.

Here are three real life examples of smishing attempts we have recently seen, and how we can tell they are malicious:

1. Download some free software

This is one of the weaker smishing attempts we have seen. Asking you to download a known search app. You only need to look at the link it is asking you to click to realise this has nothing to do with Bing or Microsoft (the makers of Bing).

2. Delivery Issue

This one is actually an iMessage, but we will class it as Smishing as it is a text message based phish attempt. You can actually see the sender address for the iMessage is nothing to do with Royal Mail. You can also see the link within the message.

Delivery issues are one of the most common types of smish. Here are a couple of others we received:

The link in this one is even worse than the first example. Clearly a smish!

This final example actually tries a couple of routes to get you on the hook. They are asking you to reply with a Y, which will inform them you are following their instruction, and they will likely send you further tasks to complete. The link is also from one of the URL shortener services, used to disguise the real destination, which will be some kind of malicious webpage.

3. Banking Alert

This Smish was sent to someone without a Santander account, so that was clue number 1 that this wasn't genuine, then you have the link it is trying to take you to, nothing to do with the bank itself (and also poorly formed). Finally, the number this is sent from appears to be a regular mobile number, not something you would expect from a bank.

Summary: What to watch out for

All Smishing messages will be asking you to either reply, or click a link, or both. Always look at the link address and see if it genuinely matches the service in question. Also check the sending number (or email address if iMessage).

Ask yourself if you were expecting this message, or if it is out of the blue. Most smishing messages come unexpectedly. Finally, check the language and grammar. Often in smishing messages this is poor and you will see clear mistakes which you would not expect if the sender was genuine.

If you are not sure if the message is genuine or not, ignore it, and contact the supposed sender via another method. For this you can visit their main website and look up some contact details to reach out.