Smishing

Smishing is a type of phishing that takes the form of text messages – SMS – sent to cell phones. The messages are intended to entice potential victims to click on a link and thereby send sensitive information to the attackers, download malicious software or fall for a classic scam.

What does smishing mean in detail?

Text messaging is still a frequently used form of communication on smartphones and is perceived to be largely secure. It is precisely this assumption that criminals exploit to gain access to sensitive information or install malware and enrich themselves at the victim’s expense. The following variants are frequently observed:

  • Spreading malware: This variant is similar to the classic phishing email. Victims receive a text message with a link and are encouraged to click on it. A popular scam is for the perpetrators to pose as a well-known service provider – such as DPD, Amazon, etc. – in the text message and inform the recipient of the whereabouts of a shipment. The link in the text message leads to a website where an app is available for download. The app looks confusingly similar to the service provider’s genuine app, but is a fake and contains a banking Trojan. It is activated when the supposed app is downloaded and, once installed, can access or use all personal data such as telephone numbers, e-mail addresses and bank details. In addition, this access can result in further malicious text messages being sent to the contacts on the cell phone – a chain reaction with fatal consequences.
    Android devices in particular are affected by this attack scenario, as the operating system allows apps to be installed from unknown sources.

  • Bank smishing: Cyber criminals are particularly interested in access data for online banking in order to steal money. For example, the attackers send a text message from the victim’s supposed bank. This message contains the information that the bank account has been hacked and provides a telephone number or a link to prevent further alleged losses. The telephone number often leads directly to the criminals, the link in the message to a fake website. In both cases, the victims are tricked into disclosing their access data – only to find their bank account plundered. The sender’s number can often be concealed so that many victims cannot recognize the source of the text message.

Where do I encounter smishing in my day-to-day work?

You may encounter smishing if you use a cell phone for business purposes – be it your private or company phone.

What can I do to improve my safety?

  • Watch out for cryptic links, spelling mistakes or special characters in text messages. If these appear suspiciously often in a message, do not click on any of the links and block the sender’s phone number. If you receive a text message that claims to come from a parcel delivery company or your bank, log in to the official website of the provider to check messages sent to you.
  • Only download apps from reputable sources, i.e. the official app stores or the provider’s website. On Android, you can deactivate the menu item “Install apps from unknown sources” in the settings.
  • Inform the members of your organization so that they are warned accordingly and watch out for suspicious text messages.
  • Report the smishing incident to the consumer advice center. This will not only protect you, but also others.
  • Raise your awareness of these types of attacks: ask yourself whether your bank or parcel service would send you such messages. Would they even have your cell phone number to do this? No bank calls its customers and asks for personal details over the phone. If you receive a call of this kind, end the call immediately.
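
The link checks from the list above, as an added example that is not part of the original page: a Python triage function that flags a text message when its link is not on the official domain of the brand it names, when the link host contains special characters, or when the link points to an app download. The brand-to-domain map, the sample messages and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: illustrative map of brand name -> official domains; maintain your own.
OFFICIAL_DOMAINS = {
    "dpd": {"dpd.com", "dpd.de"},
    "amazon": {"amazon.com", "amazon.de"},
}
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

# Constructed sample messages (reserved .example hosts, not real campaigns).
SAMPLES = [
    "DPD: your parcel is waiting. Track it: http://dpd-paket.example/app/dpd.apk",
    "Your Amazon order has shipped: https://www.amazon.com/orders",
    "Bank alert: account locked, verify at http://xn--bnk-example.example/login.",
]


def on_official_domain(host, domains):
    """True if host is an official domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_sms(text):
    """Return sorted reasons why a text message deserves suspicion."""
    reasons = set()
    brands = [b for b in OFFICIAL_DOMAINS
              if re.search(rf"\b{re.escape(b)}\b", text.lower())]
    for url in URL_RE.findall(text):
        try:
            parts = urlsplit(url.rstrip(".,;:!?)"))
        except ValueError:
            reasons.add("malformed link")
            continue
        host = (parts.hostname or "").rstrip(".")
        if not host:
            continue
        # Special characters: non-ASCII or punycode labels can imitate a brand.
        if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
            reasons.add("special characters in link host")
        # Brand named in the message, but the link is not on its own domain.
        for brand in brands:
            if not on_official_domain(host, OFFICIAL_DOMAINS[brand]):
                reasons.add(f"mentions {brand} but link host is {host}")
        # App offered outside the official stores (Android package file).
        if parts.path.lower().endswith(".apk"):
            reasons.add("link downloads an Android app package")
    return sorted(reasons)
```

An empty result only means none of these three checks fired; it does not show that a message is genuine.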