We all know the threat of phishing attacks, but hackers use a similar SMS-based tactic called “smishing” to infect smartphones with malware and steal data, and according to recent reports, they’re using it more often. The cybersecurity firm Kaspersky says hackers are infecting users across Europe and Asia with the dangerous “Roaming Mantis” Android malware using smishing attacks, and cases around the world are on the rise.
You can read more about the Roaming Mantis smishing campaign in Threatpost’s recent report. Whether it’s Roaming Mantis or some other scam, however, the point is that smishing is a real threat, and you need to take the same kind of precautions against it that you would to avoid phishing attempts.
What is smishing?
Smishing attacks use similar tactics to phishing schemes, but use SMS text messages instead of emails — hence “smishing” (SMS + phishing).
Most smishing attacks work like this: Hackers send the target a text that looks legitimate. The text contains a link that opens a fake, but convincing, page that then instructs the user to download and install a malware-laced app. In the Roaming Mantis case, the malware hides behind innocuous code that anti-malware tools may not catch.
Malware isn’t the only thing hackers hide in smishing texts. Depending on what company the hackers are pretending to be, the texts may also contain links to fake login pages that steal private account information, spam the target with malicious ads, or simply ask the target to reply with other important information like bank card details, social security numbers, or driver’s licence numbers.
Whatever the case, the end result is the hackers now have remote access to your device, your accounts, and/or your personal information. From there, they can steal your payment information, compromising photos, and any other information you have stored.
How to avoid smishing
Smishing is a serious threat, but the strategies used to spot and avoid the threat are similar to those used to prevent phishing attempts and other online scams.
The first step is to opt in to SMS spam filters — but don’t expect them to do all the work for you. Service providers like T-Mobile, AT&T, and Verizon are getting better at stopping spam texts and smishing campaigns, but their server-side filters are reactive rather than proactive, meaning they’re always going to be a step behind the spammers. Similarly, you should also turn on spam filters for your Android device in whatever texting apps you use.
Filters won’t stop every malicious text, but they’re helpful nonetheless. The rest of the prevention falls to the users themselves: Most importantly, do not open suspicious links from random numbers.
Of course, that’s easier said than done.
Plenty of companies send important links in text messages, and often from random numbers. Sometimes legitimate texts will come from a different number each time, even if they’re from the same sender. This is often the case with SMS-based two-factor sign-ins or password reset requests, for example. That can make it difficult to tell when a text — and any links therein — is safe to open.
That said, unless you’re expecting a text from, say, Google, your bank, or even your local public transit service, don’t open any texts claiming to be from said companies or organisations. There are also some tell-tale signs that a text is fake, such as the use of specific words and phrases common to phishing attempts, and poor spelling and grammar.
Another sign is unorthodox requests. In general, banks, internet providers, and other big companies will not send you random links, ask you to install extra apps, or ask for personal details over a text message. If you’re ever unsure, call the company directly to confirm the text message is legit.