Smishing: How to protect yourself against this SMS phishing scam
Have you ever received an SMS message that reads, "Your parcel will be returned to sender today" or "Last chance to pick up your parcel"? Congratulations! You were targeted by cybercriminals who want nothing more than to lure you into a trap! Known as "smishing", such carefully engineered SMSes contain dangerous links. Thankfully, they are also fairly easy to recognize. I have summarized a list of important red flags to look out for.
It is now 2021: Everyone has a mobile phone, and just about everyone has indulged in online shopping at one point or another in time! Hence, it makes perfect sense for cybercriminals to jump aboard the bandwagon and exploit their fellow human's greed or naïveté to enrich themselves.
Phishing checklist
| Warning phishing signs at a glance |
|---|
| ✘ Incorrect grammar / spelling |
| ✘ Request to enter personal data |
| ✘ Irrelevant notification (No package ordered → yet you receive a package notification) |
| ✘ Clicking on hyperlinks |
"Smishing" happens to be an amalgamation of the words "SMS" and "phishing". It describes short messages that contain dangerous links and, which also usually encourage you to load the phishing pages by including a hyperlink. This spring, some of the messages may read like these:
- Your package will be returned to the sender today. Last chance for you to pick it up!
- Hello [name], the courier has picked up your package. Tracking number: [Link]
- [Number] You have an unresolved issue with your package: [Link]
Phishing text messages don't always have to refer to packages or deliveries. I have encountered a lot of phishing messages during my internship and pick up a few tips and tricks, which I would love to pass to you. Apart from smishing, phishing emails are an often underestimated danger.
How do I distinguish smishing and phishing from a legitimate SMS?
Pay attention to spelling and grammar
In most cases, phishing or smishing messages can be easily recognized by their grammar and spelling mistakes. Companies like Amazon, DHL, or your savings bank are not likely to make such amateurish mistakes in their messages. Some red flags include incorrect capitalization and punctuation.
Banks never ask for personal information
Furthermore, virtually all banks, including e-wallet vendors, consistently inform customers that they will never ask you to enter your personal information via email or SMS. They will also require you to log in to your online banking account directly and not provide a URL in the message. You can also receive such alerts in your email inbox.
Double- and triple-check the URL
Does an SMS from your bank which contains a hyperlink make it legitimate or trustworthy? It is always recommended keying in your bank's URL directly in a browser's address bar. Alternatively, copy the hyperlink on your smartphone and paste it into a document or message window to check whether the hyperlink does point to the promised page, or somewhere else.
Most of the time, such phishing links are cryptic or lead to wholly different pages. In such cases, you can be 100 percent sure that the email or SMS is trying to pull a fast one on you.
When it comes to e-mails: Refer to the sender
With smishing, it is not so easy to see whether the number actually belongs to your bank or a reputable service provider. However, it is an entirely different story when it comes to email phishing. Look for the detailed sender information in your email folder and inspect the email address, comparing it with previous legitimate emails from your bank or service provider.
Can smishing be stopped, and what do I do with the received messages?
Unlike viruses, Trojans, or malware, merely receiving a smishing message is not dangerous at all unless you click on the included hyperlink. Basically, just ignore the message or even mark it as Spam (if your dialer allows you to), and nothing else should happen. However, I strongly recommend deleting such messages, as you don't want them around in the first place.
Before you do that, you can, of course, snap a screenshot of the fake message and contact your bank or the support center of a particular service to alert them of this scam. Doing so will help you shed further light on the situation and perhaps assist the authorities in gathering evidence to act against such cybercriminals. You can also contact your mobile provider to inform them of such unscrupulous activities.
Are you still unsure on whether your bank account is secure? Type in your online banking URL in the browser or contact your bank directly for the correct URL. They should have additional advice or information that should help you.
Accidentally clicked on a link and/or entered your personal data?
Did you discover the dangers of smishing a bit too late, having already clicked on a hyperlink, or even entered your personal data? In the case of bank phishing, contact your bank immediately and inform them about it. As a precaution on your side, you should block your ATM card or credit card, or perhaps even cancel those, while requesting a new one that requires a whole new PIN.
If you have entered your e-mail address or your address, this is far less dangerous - although it is going to be a lot more annoying. This is because selling "real" e-mail addresses or addresses to advertising companies is a lucrative activity. You will probably receive more phishing emails and spam after entering your data accidentally.
If the affected service offers two-factor authentication as an added security measure, activate it. This protects your account even if an attacker could locate your password. Basically, it is advisable to activate "2FA" for every service that has it.
It is highly advisable to file a criminal complaint with the local authorities if you have fallen for a smishing scam. You can also reset your smartphone to its factory settings (after making a backup of your important data like photos and audio files!) to be on the safe side. If malware has been installed on your smartphone unknowingly because you clicked on a link, such malware will also be removed.
Share your smishing and phishing messages with the community
If you remember all the tips in this article, you should be able to spot most smishing and phishing attacks and avoid falling for their lure. If you are unsure or have seen a particularly suspicious scam, please post it up in our forum! I have created a new thread for this purpose:
If you have any further questions or experiences regarding this topic, do feel free to post them in the comments. If you have additional tips and tricks to alert our fellow readers, I will, of course, include them gladly! Last but not least: Stay skeptical and above all, stay safe!
Source: BSI
nice! thx