Phishing attacks are becoming more targeted – and sophisticated! More and more criminals are targeting mobile users by sending malicious content via SMS. What this is all about and how you can best protect yourself against it – just read on.

Have you ever received one of these SMS messages saying that a package you allegedly ordered could not be delivered and that you should download the service provider’s app via the link contained in the message in order to receive it after all? You hadn’t ordered anything… If you didn’t follow the instructions in this message, you’ve done everything right! This is because this is so-called smishing, i.e. phishing via SMS. And this scenario is only one of many.

Phishing rethought and made mobile

Despite the numerous messenger services that have sprung up like mushrooms in recent years, SMS is still a frequently used type of conversation on the smartphone. Especially in times of home office and remote work, in which private devices are used in everyday work, a large part of communication takes place via mobile phones and is perceived as largely secure. It is precisely this assumption that criminals take advantage of. The goal of the fraudsters is to use misleading SMS to access sensitive data and valuable information.

Currently, smishing attacks can be divided into three different categories:

Distribution of malware

The scenario described above is one of many and is based on classic email phishing. The link in the SMS leads to a website where an app is available for download. This looks confusingly similar to those of the parcel service providers or other service providers – see Factbox – but is a fake and contains a banking Trojan. It is activated when the supposed app is downloaded and can access or use all personal data, such as telephone numbers, e-mail addresses and bank details after installation. In addition, access can subsequently send further, malicious SMS to the contacts on the mobile phone – a chain reaction with fatal consequences.

The most widespread banking Trojans of this type are currently FluBot and TeaBot. Android devices in particular are affected by this attack scenario, as the operating system allows apps to be installed from unknown sources.

Bank Smishing

Of particular interest to cybercriminals are access data for online banking. The spread of fear is a particularly popular method for hackers to gain access to their victims’ money deposits: They send SMS from the victim’s supposed bank with the information that the bank account has been hacked and provide a phone number or link to prevent further alleged damage. The phone number often leads directly to the criminals, the link in the message to a fake website. In both cases, the victims are to be persuaded to disclose their access data – only to find a plundered bank account afterwards. Often, the sender’s number can be hidden, so that many victims cannot tell from which source the text message originates.

The grandchild trick as SMS

This type of smishing mainly affects less tech-savvy people. In this case, con artists pretend to be acquaintances of the victim – the names are often learned via social media – and promise a financial advantage if you make a deposit in advance to a certain bank account.

How you can best protect yourself and others from smishing

1. Do not click on any of the links and block the sender’s phone number. If you are actually expecting a shipment and are not sure whether the SMS from your parcel delivery person will work, contact them directly. The same applies to your bank account: log in directly via the browser to get more information.
2. Only use apps from reputable sources, i.e. the official app stores or from the provider’s website, to download apps.
3. On Android, there is the option to turn off the menu item “Install apps from unknown sources” in the settings. This is how you protect yourself – and others.
4. Report the smishing incident to the consumer advice centre. This will protect you not only yourself, but also others.
   If such an incident occurs on your work phone, inform the members of your organization.
5. Raise your awareness of these types of attacks: ask yourself whether your bank or parcel service would send you such messages. Would they even have your cell phone number to do this? No bank calls your customers and asks for personal details over the phone. If you receive a call of this kind, end the call immediately.
6. Pay attention to cryptic links and spelling in the body text. In the end, the following always applies: Better safe than sorry….

Already clicked – how to do damage control

1. If you suspect that you have been the victim of a smishing attack, put your mobile phone in airplane mode. This prevents the malicious software from being sent to your contacts.
2. Inform your mobile phone provider about the incident – and your bank if you have already disclosed your bank details.
3. Reset your smartphone to factory settings to erase installed and saved data.

Do you have any further questions about phishing or would you like to learn how you too can make your company cyber-secure? Our experts from Perseus Technologies will take care of your concerns and will be happy to advise you more intensively.