We define SMiShing as “the act of using mobile phone text messages (SMS) to lure victims into immediate action such as downloading mobile malware, visiting a malicious website or calling a fraudulent phone number.” SMiShing messages are usually crafted to elicit an immediate action from the target, requiring them to hand over personally identifying information and account details. They often do so with fear- or greed-based wording such as “impending account suspension” or “fraudulent account activity detected,” or by offering some type of award or discount. SMiShing attacks are rapidly growing in popularity.
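The lure cues above (fear or greed wording, urgency, an institution name, and a callback number or link to act on) can be turned into a simple triage score for incoming SMS reports. The following is an added example, not code from the original post; the cue lists, weights, threshold and sample messages are assumptions constructed for illustration.

```python
import re

# Cue lists assumed for this example: fear- and greed-based lures and urgency
# wording of the kind the post describes, plus institution names it mentions.
FEAR_CUES = ("account suspension", "suspended", "fraudulent", "unauthorized",
             "locked", "verify your")
GREED_CUES = ("award", "reward", "discount", "prize", "won")
URGENCY_CUES = ("immediately", "now", "act", "expires", "within 24 hours")
INSTITUTIONS = ("bank of america", "fifth third", "susquehanna")

# A callback number or a link is the "immediate action" the lure drives toward.
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b\S+\.(?:com|net|org|info|biz)\b/?\S*", re.I)

def _has_any(text, cues):
    """Whole-word match so that 'now' does not fire on 'known' or 'act' on 'activity'."""
    return any(re.search(r"\b" + re.escape(c) + r"\b", text) for c in cues)

def score_sms(message):
    """Return (score, reasons) for one SMS; a higher score is more SMiShing-like."""
    t = message.lower()
    score, reasons = 0, []
    checks = (
        (2, "fear-based lure", _has_any(t, FEAR_CUES)),
        (2, "greed-based lure", _has_any(t, GREED_CUES)),
        (1, "urgency wording", _has_any(t, URGENCY_CUES)),
        (1, "names a financial institution", _has_any(t, INSTITUTIONS)),
        (2, "callback phone number", bool(PHONE_RE.search(t))),
        (2, "link", bool(URL_RE.search(t))),
    )
    for weight, label, hit in checks:
        if hit:
            score += weight
            reasons.append(label)
    return score, reasons

def triage(messages, threshold=4):
    """Return (message, score, reasons) for every message at or above the threshold."""
    flagged = []
    for m in messages:
        score, reasons = score_sms(m)
        if score >= threshold:
            flagged.append((m, score, reasons))
    return flagged

# Constructed sample messages (not real traffic) in the styles the post describes;
# the third is a legitimate-looking verification code and should not be flagged.
SAMPLES = [
    "Fifth Third Bank: fraudulent activity detected on your account. "
    "Call 713-555-0142 immediately to verify your card.",
    "Congrats! You have won a $500 award. Claim now at www.example-claim.net/r",
    "Your Bank of America verification code is 483920. It expires in 10 minutes.",
]

if __name__ == "__main__":
    for msg, score, reasons in triage(SAMPLES):
        print(score, reasons, msg[:60])
```

The verification-code message scores on the institution name and "expires" only, which is why the threshold sits above the sum of those two cues.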

According to a 2014 Annual Threat Report from Cloudmark, the incidence of SMiShing in the U.S. more than tripled in September 2014. The report further identified that one in four unsolicited SMS messages reported in 2014 attempted to steal the victim’s personal or financial information. The rise in this threat vector can be attributed to several factors. First, and most obvious, is the widespread use of smartphones. Second, there has been a dramatic increase in the reliance on mobile applications to pay bills and conduct business transactions. Lastly, the adoption of online two-factor authentication has created a layer of trust for messages delivered to smartphones, making it difficult for the average user to distinguish a genuine “enter this verification code before it expires” from a fraudulent “act now” message.

NOTICE: Never use this information to perform illegal acts! We discuss these details to help organizations become aware of possible social engineering attacks. Additionally, this information will help organizations to mitigate these attacks.

Financial Institutions

Because more and more users are conducting banking transactions through smartphones, many SMiShing messages claim to be from a financial institution. Many users won’t think twice before acting when they receive a message from their bank. Attackers use legitimate-sounding verbiage and even some branding to support their pretext.

Figure 1 is an example of a typical SMiShing attack.

Figure 1: Example of a typical SMiShing attack (image via Numbercop)

Financial Institution Example

In early 2015, a widespread SMiShing attack was sent in bursts to hundreds of thousands of mobile users in the Houston area with varying bank affiliations, including Bank of America, Fifth Third Bank, and Susquehanna Bank. The SMS messages informed recipients of a problem with their bank account and urged them to call a supplied number and follow an automated prompt in order to validate their credit card account information. When a user dialed the number, they reached an automated prompt requesting account details.

Although this widespread attack seemed random, it was actually quite targeted. Security researchers later revealed that the attackers used geo-targeting by area code to pursue SMiShing targets in the Houston area. The phone number victims were dialing actually belonged to a Holiday Inn Express in Houston, but at the time calls were being routed to the automated prompt designed to obtain credentials. A sample of an automated prompt that has been associated with SMiShing attacks can be found here.

Other Examples

While SMiShing attackers certainly favor posing as financial institutions, SMiShing attacks are not limited to the banking sector. In 2015 alone, phone spam research group NUMBERCOP reported on a vast array of SMiShing messages purporting to come from telecommunications and tech companies such as Verizon, AT&T, Apple, and T-Mobile, which ranged from driving traffic to adult sites to a large number of account takeover attempts. SMiShing attacks targeted at carriers that involve account takeover attempts usually cast a smaller net, grouping SMS targets into batches of 25 or fewer users. The preferred method in these attacks is driving users to well-known phishing sites.

Equipment Needed for SMiShing

SMiShing is attractive to attackers because it is a low-cost attack. A VoIP server, a burner cell phone, and a spoofing method are all that is needed in order to send targeted text messages. With applications such as BurnerApp and SpoofCard, it is easy and inexpensive to purchase a spoofed number to text from.

Protecting Users Against SMiShing Attacks

The best way to educate users against SMiShing attacks is to conduct simulated attacks as part of your security awareness and training program. This provides the opportunity to train individuals on how to respond to and prevent future threats. A simulated attack can direct anyone who takes the bait to an educational page, turning the moment an employee behaves badly into a teachable moment.