Smishing attempts, a type of social engineering attack involving the use of SMS messages, continue to rise as hackers become bolder in their methodology. Proofpoint’s 2021 State of the Phish report notes that smishing attacks in the first half of 2021 rose by 700%, a staggering increase over the last six months of 2020. A big part of cyber safety is having the ability to recognize an attack when it appears. Education is key to combating the ever-growing smishing threat.
As concerns about smishing grew, it became clear that more education was necessary to help combat the threat. That’s why we periodically provide examples of phishing on our blog. Our team shares "pattern recognition" tips to help you recognize unsafe messages. Today, we’ve got yet another example of smishing typically sent by hackers.
We dissect it in detail to help make things clearer, providing you with seven warning signs that the message is probably unsafe. By the way, if you need a brief primer on smishing first, head over here). None of these seven warning signs are so strong that they would (individually) predict with 100% accuracy that the message is unsafe.
However, when considered as a group, it becomes obvious that this particular message is a smishing attempt. The better you get at figuring out if an SMS is legitimate or an attempt at hacking, the higher your chances of preventing attempts at stealing your valuable information.
Let’s start by going over some common red flags that crop up in smishing attempts. Here's the initial message:
Now, let's get busy taking the message apart and identifying the suspicious points.
It doesn't look like you have the sender in your contact list, as evidenced by the phone number showing (instead of some company or person name). While that's not conclusive evidence that this message is unsafe, that lack of information should put you on alert for additional warning signs that suggest danger ahead. As a rule of thumb, if you don’t recognize the sender, don’t respond or click on any links in the message.
Building upon your prior intuition, notice that there are no prior text messages from this number before, in either direction. In addition, you don’t have a record of prior messages from the sender or correspondence sent by you to the sender.
Again, this isn't conclusive evidence of danger, but it's enough to make you a little more suspicious. For that reason, it’s a good idea to focus on the rest of the message to gauge safety. Right now, this message looks a lot like other smishing examples we’ve examined previously.
That's weird. This message is formatted a little bit like an email.
FRM (from?)... SUBJ (subject?)... MSG (message?).
If this is really from a credible financial institution, they’re not exactly going out of the way to make the message more user-friendly. So either this is the most robotic unfriendly message from a bank ever, or it's a smishing.
With so many companies now focused on improving the customer experience, such robotic and hard-to-read correspondence is really unusual. At this point, you may start thinking that this looks like other smishing examples you've seen but want to continue reading to gather more context.
Now this looks very suspicious. The message is about a product you don't know of, or use,. In addition, the message looks like it's financially oriented. Whoa, danger ahead! Keep in mind that attempts to gain financial credentials tend to be the top target of smishing attempts. You've seen smishing examples before -- and a high percentage of them involve financial-oriented fraud. There is no possible reason to consider interacting with this sender.
You've already concluded that the message shows all the warning signs of a typical smishing example. Even if you continue reading, you hopefully have no intention of responding to the message. As you keep reading, keep an eye out for any odd or unusual identifiers in the message. If you spot them, it’s likely your fears of a smishing attempt are correct.
It's almost like the cyber attacker needs the ability to uniquely identify who they are communicating with. The most likely reason is that they need a way to sift through the hundreds of thousands of people they've sent this attack to! Here’s a hint: that's exactly what's happening. We feel confident in declaring this a classic case of a bulk smishing attempt.
As if the prior five reasons weren’t enough, here's one that solidifies the conclusion that this is a smishing attempt. Most major companies go all out when it comes to reinforcing their branding. That’s why everything from a company’s website to the email headers all have the same logos and fonts.
For that reason, it’s hard to imagine a multi-billion-dollar bank messes up its own branding when contacting a consumer. The prospect of a customer-facing person at Citibank approving an outbound text message referring to their organization as CITI-BANK is extremely unlikely.
For brevity’s sake, we’ll hold off on going into detail about other obvious branding no-no's. Plus, we want to avoid upsetting large companies with more lawyers than we have.
This one seals it. Legitimate financial institutions tend to be pretty uniform in their messaging on how customers can reach out for additional help. You should never get a message that lists *possible* follow-up numbers. An example of this kind of 1-8You'd Never Fall for This Smishing Example is shown below:
After reading this post, we hope that you'd never fall for the kind of smishing example listed above or anything like it. However, not everyone on staff at your company has the same level of savvy to recognize phishing attacks.
Havoc Shield offers smishing protection for organizations looking to cut down on the potential for cyber breaches and other hacking attempts by bad actors. Learn more about how we can help by calling (888) 484-2862 to set up a consultation.
We hope that after reading this post, you'd never fall for this smishing example or anything like it. If you've got any other smishing examples that you'd like us to dissect on this blog, we're all ears.