How to protect your phone against text ‘smishing’

In today’s world of treacherous cybercrime and ID fraud, you can’t be too careful with your digital devices. Cybersecurity is a huge topic and, sadly, we’ve probably all been exposed to ‘phishing’ attempts at some point. Perhaps you’ve even been caught out? All it takes is a plausible looking email from what you think is a trusted source and then suddenly you’re compromised.

Phishing or smishing?

Smishing is another form of cyberattack that uses text messages on your phone to deceive its victims. The objective is to trick you into thinking that the message was sent by a trusted source, then get you to take an action to divulge exploitable information such as account log-in details or access to your mobile device.

Smishing (or SMiShing) has been around for about 10 years now, and high smartphone penetration rates have made these devices an increasingly popular target for attack. As one digital security expert advises, “mobile security often gets forgotten about. However, with more of us working remotely and using our own personal devices to access corporate information, its importance in 2021 shouldn’t be overlooked.”

While users have become more vigilant about suspicious emails on the computer, they are often less careful about text messages on their phones. Recent figures show, that 98% of text messages are read and 45% are responded to. For emails, the figures are far lower at 20% and 6% respectively. The more intimate relationship we have with our phones is a weakness that cybercriminals seek to exploit.

How does smishing work in practice?

In order to guard against this type of cybercrime, it is important to recognise a smishing attack for what it is. There are three broad types you should look out for:

Smishing for personal information

Bank smishing is one of the most common types of attack. Ironically, it plays on people’s fears of their account being hacked! You will receive a text message claiming to be from your bank, warning you of an irregularity with your account that needs rectifying. You are asked to log into your account (via a spoof link) or call a certain (bogus) phone number to deal with the issue. In reality, this is an attempt to elicit your account credentials and log-ins, meaning your account is now vulnerable to being plundered.

What makes this type of attack so successful is the sheer plausibility of the texts. Many banks do have a genuine policy of texting their customers to alert them of suspicious activity. And if hackers use SMS spoofing techniques to disguise the phone number of the sender, you may not realise that the text was not sent by your bank.

Inadvertently downloading malware

One of the best-known scams of this type occurred in the Czech Republic a few years ago. Users were sent a text message that invited them to download an app purporting to be from the Czech national postal service. Those who complied inadvertently installed a Trojan that accessed credit card information entered into other apps on the phone.

Luckily, installing an app on your phone via text rather than an app store is more difficult. Both iPhone and Android tend to allow signed and verified apps from app stores only. That said, it is certainly not impossible to sideload apps, so constant vigilance is highly recommended.

Sending someone money

Tricking people into sending money is nothing new – we’ve all heard of Nigerian prince scams, or unexpected lottery win schemes where you have to claim your winnings by sending an admin fee. In one smishing attack in the US, a woman received a text from friends (or so she thought) advising her about a government grant that she might be eligible for. This too turned out to be a classic ‘advance fee’ scam: you pay money upfront for ‘taxes’ in order to release the full grant. Needless to say, the money never comes.

How can you prevent smishing?

It cannot be said enough times that vigilance is key when it comes to messages (text or email) that contain a call to action. If you’re not sure that the message is genuine, always play it safe. Here’s a handy checklist that can help you spot and deal with suspicious text messages:

  • Don’t click on a link or call a number contained in an unsolicited text message, and don’t submit any personal information in response.
  • Verify the sender’s authenticity by logging into your account the usual way, or by finding the sender’s website and official contact details online.
  • Common sense dictates that the offer (of a lottery win etc) looks too good to be true, then it most probably is.
  • If it seems unusual that a company would send you a text to download an app or get a discount code, trust your instincts.
  • Delete any suspicious texts straight away. Don’t be tempted to text back STOP, as this will confirm your number is in use and may encourage further messages.
  • Both iOS and Android operating systems will allow you to block text messages from unknown numbers.