The term smishing is coined from a combination of SMS (Short Messaging Service) aka text messaging, and phishing. Smishing is the fraudulent practice of sending text messages purporting to be from reputable businesses and organisations in order to trick individuals to reveal sensitive information.

According to Proofpoint’s 2023 State of the Phish report, 76 percent of organisations experienced smishing attacks in 2022. The increase in this kind of attack is attributed to cybercriminals knowing that victims are more likely to click on messages rather than links in emails. There is also the matter that advancements in spam filters have made it harder for email-based attacks to reach their targets.

Companies are not the only ones being targeted. Scammers also target individuals by sending a scam text designed to trick them into giving up sensitive information including bank accounts, and other personally identifiable information.

What is the difference between smishing and phishing?

Smishing is a type of phishing attack as both rely on social engineering to obtain personal information from targeted persons – only instead of using email, cyber criminals send their message via text or short messaging service (SMS). Smishing attempts are typically sent to mobile phone users as standard texts, but they can also be sent via popular messaging apps.

With smishing, scammers typically send thousands of texts to cast the net wide net for potential victims. These text messages include links that lead to a legitimate-looking website that requests the individual to type personal information. With the rise of AI, it has become easy for scammers to create custom-made malicious sites or landing pages designed to mimic reputable ones, with grammatically correct text.

Alternatively, they may choose to deploy a different format, where the URL link tricks the individual into downloading malware that installs itself on the targeted user’s phone. This malware might masquerade as a legitimate app, tricking the user into sharing confidential information such as account details for a legitimate app.

What do smishing messages look like?

As with phishing messages, smishing messages share a common sense of urgency. They often include messages like:

• There is a problem with your payment or account information
• You are being given a coupon
• You are eligible for a government refund
• Your child is hurt, and you urgently need to send some personal information for their treatment.

How to prevent smishing attacks

While these 7 security controls to prevent email security risks may work perfectly for phishing attacks, they do not completely address the peculiarity of smishing. Here are some practical tips to prevent smishing attacks:

• Approach urgent requests and limited-time offers with caution. If an offer seems too good to be true, then it most likely is
• Avoid responding to text messages from suspicious or unknown numbers – even responding to ask them to stop may alert scammers to the fact your number is live and make you a target for additional messages
• Never click on hyperlinks in texts from suspicious numbers, especially when the link is a short, abbreviated URL. A shortened URL, when used in SMS messages, is often an indicator of a fake
• Always proceed carefully when there is a request for financial or personal information, especially if they purport to come from legitimate institutions. Legitimate institutions will never request for account updates, financial information, or login information via text messages. If doubtful, call the organisation through trusted channels
• Ensure your phone’s operating system is always up to date to protect against malware that is hidden in smishing links.
• Don’t install apps on your phone from anywhere other than the official Apple App Store or the Google Play Store.

Protecting your business from smishing attacks

The best way to protect businesses from smishing scams is to counter these attacks with knowledge. Employee education may be the difference between your business being scammed and not. While implementing strong cybersecurity procedures may work, training your employees to adopt a culture of skepticism especially when it comes to unfamiliar and urgent requests is equally important.

Organisations should also consider investing in cyber insurance to mitigate the risk of financial losses, in the event of a smishing attack. By taking a proactive approach to cybersecurity, businesses can reduce the risk of cybersecurity threats and reap the rewards of a more secure environment.

Tivarri’s cybersecurity awareness training course

Training your employees to recognise phishing emails and report any suspicious activity can drastically reduce the likelihood of a data breach occurring in your business. Studies have shown that frequent cybersecurity trainings reduce employees’ susceptibility to phishing attacks.

Tivarri’s cybersecurity course is designed to empower employees to recognise both smishing and phishing scams and make intelligent cybersecurity decisions. Our cybersecurity training course is a beginner’s guide to protecting business owners and employees from the risks that cyber criminals pose. Participants will understand how cybercriminals access systems, how to manage digital footprints, and how to keep personal information safe from online fraud. Tivarri offers both in-person and online training to businesses. Contact us for more information.