“SMiShing” is a form of phishing that uses text messages, also known as SMS, to deceive people into disclosing their personal or financial information. SMiShing messages often impersonate legitimate sources, such as banks, government agencies or online services, and they usually contain a link or a phone number that directs the recipient to a fraudulent website or a malicious operator.
Recently, threat actors have used a new SMiShing scam to trick users into bypassing DUO multi-factor authentication.
Phishing is a cyberattack that aims to trick people into revealing their personal or financial information, such as passwords, account numbers or credit card details. Phishing attackers often pretend to be someone or something that the target trusts, such as a bank, a government agency or an online service, and they use various techniques to persuade the target to click on a link, open an attachment or call a number.
SMiShing is a serious threat because it can circumvent some of the security measures that email phishing cannot, such as spam filters and antivirus software. SMiShing messages can also exploit the sense of urgency and familiarity that people associate with text messages, making recipients more prone to respond without verifying the sender or the content.
Here are some indicators to help identify SMiShing messages and avoid falling for them.
- The message asks the recipient to provide or confirm personal or financial information, such as an account number, password, PIN or social security number.
- The message states that the recipient has won a prize, lottery or gift card and asks them to pay a fee or provide details to claim it.
- The message warns that an account has been compromised, suspended or locked and asks the recipient to click on a link or call a number to restore it.
- The message urges the text message receiver to act immediately or threatens negative consequences for not responding.
- The message contains spelling, grammar or formatting errors, or uses an unusual or unfamiliar tone or language.
- The message originates from an unknown or suspicious sender or from a spoofed number that mimics a legitimate one.
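The indicators above can serve as a first-pass triage rule for text messages that users report to a security team. The following is an added example, not part of the original article: the keyword patterns, weights, threshold, sender allowlist and sample messages are constructed assumptions, and the spelling and tone indicator is left to human review.

```python
import re
from dataclasses import dataclass

# Assumption: sender IDs the organization really uses for SMS (constructed values).
KNOWN_SENDERS = {"24680", "EXAMPLEBANK"}

URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+\.[a-z]{2,}/\S*", re.I)
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{8,}\d")

# One rule per content indicator in the list above: (name, pattern, weight).
RULES = [
    ("asks_for_credentials", re.compile(
        r"\b(confirm|verify|provide|enter|update)\b.{0,40}"
        r"\b(password|pin|account number|social security|ssn|card)\b", re.I), 3),
    ("prize_or_gift", re.compile(r"\b(won|winner|prize|lottery|gift ?card)\b", re.I), 2),
    ("account_threat", re.compile(
        r"\b(account|card|profile)\b.{0,40}\b(compromised|suspended|locked|disabled)\b", re.I), 2),
    ("urgency", re.compile(
        r"\b(immediately|urgent|right away|final notice|within \d+ (hours?|minutes?))\b", re.I), 1),
]

@dataclass
class Verdict:
    score: int
    hits: list
    suspicious: bool

def triage_sms(sender: str, body: str, threshold: int = 3) -> Verdict:
    """Score one reported message against the indicator rules."""
    hits, score = [], 0
    for name, pattern, weight in RULES:
        if pattern.search(body):
            hits.append(name)
            score += weight
    if URL_RE.search(body) or PHONE_RE.search(body):
        hits.append("link_or_callback_number")
        score += 1
    # Sender IDs can be spoofed, so a known sender never lowers the score.
    if sender.strip().upper() not in KNOWN_SENDERS:
        hits.append("unknown_sender")
        score += 1
    return Verdict(score, hits, score >= threshold)

# Constructed sample messages: (sender, body).
SAMPLES = [
    ("+15550100123", "URGENT: Your account has been locked. Verify your password immediately at http://examplebank-secure.example/login"),
    ("24680", "Your ExampleBank verification code is 493021. It expires in 10 minutes."),
    ("GIFTS4U", "Congratulations! You have won a $500 gift card. Pay the $2 shipping fee at www.claim-prize.example to receive it."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage_sms(sender, body))
```

A score at or above the threshold only queues the message for review; it does not prove the message is fraudulent, and a low score does not prove it is safe.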
Protecting against SMiShing
If you receive a SMiShing message, do not reply to it, click on any links or call any numbers that it contains. Instead, follow these steps:
- Delete the message from your phone and report it to your mobile carrier or the Federal Trade Commission.
- Verify the authenticity of the supposed bank, government agency or online service by contacting that organization directly using a reliable source, such as their official website, phone number or email address.
- Change passwords and security questions for any accounts that may have been affected by the SMiShing attempt.
- Monitor bank statements, credit reports and online accounts for any suspicious or unauthorized activity.
- Educate yourself about the risks and signs of SMiShing and other phishing scams.