Text Message Scams: A Growing Trend

Ty Mezquita — CyberHoot
5 min read · Apr 26, 2022

Anyone who owns a cellphone has likely received an unexpected text message from a number they don't recognize, containing a link to click on. Since April 1st of 2021, there has been a six-fold increase in these nuisance, and potentially dangerous, texts. If you click one of those links, you may be handing attackers information they can use to drain your bank account, steal your identity, or even track your whereabouts. This type of social engineering attack is called 'smishing', which is simply phishing conducted over SMS text messages. Many tout obvious bait such as energy-boosting supplements, cash prizes from major retailers, or CBD gummies in new flavors. Others are more subtle, masquerading as COVID test results, shipping notifications, or alerts about online payments that didn't go through. Either way, they are dangerous and increasingly popular with cybercriminals.

Smishing Attacks

The vast majority of phishing attacks try to grab personal data from unsuspecting consumers by email. Cybercriminals, however, are increasingly taking advantage of distracted consumers who are rarely without their smartphones, tricking them out of their logins and passwords, credit card or other financial information, or even access to their corporate networks. Take a look at the images below to get an idea of how they try to trick unsuspecting users:

The Federal Trade Commission reports that scam texts cost US consumers $131 million in 2021, up from $86 million in 2020, and accounted for 21% of all reported fraud. More recently, Proofpoint detected a five-fold jump in mobile malware attacks in Europe starting in February 2022. Those attacks included smishing attempts as well as attacks in which malware was delivered directly to devices through a malicious app. Could it be tied to the war in Ukraine, which began that same month? CyberHoot suspects but cannot prove a link.

Proofpoint researchers note that smishing is becoming the attack method of choice for cybercriminals looking to compromise mobile devices, including Apple's iPhones. Pegasus, one of the most powerful pieces of spyware ever developed, first made its way onto the phones of countless government officials, journalists, and human rights activists after they clicked a malicious link in a text message or email. Later versions of Pegasus needed no click at all, which is one more reason to keep your phone's operating system patched rather than relying on link-spotting alone.

What Can You Do?

In general, don't reply to text messages from people you don't know; that is the simplest way to stay safe. Be especially wary when the text comes from a sender that doesn't look like a phone number, such as "5000" or "452-981". That often means the message was sent as an email to your phone's SMS gateway rather than from another phone. Keep in mind, though, that legitimate banks and two-factor services also send from short codes, so treat an odd sender as a warning sign rather than proof. Beyond that, exercise basic precautions when using your phone:

  • Delete messages requesting personal information, and never click links you receive by text unless you know who sent them. Even if the link comes from a friend, consider verifying they meant to send it before clicking; a compromised phone can send texts on its owner's behalf.
  • If you are an AT&T, T-Mobile, Verizon, Sprint, or Bell subscriber, you can report spam texts to your carrier free of charge by copying the original message and forwarding it to 7726 (which spells SPAM on a keypad).
  • To block spam messages without blocking texts from friends and family, call your carrier's customer service number (usually 611) and ask them to "Block all text messages sent to you as email" and "Block all multimedia messages sent to you as email." You may also be able to log into your account online and activate these blocks there.
  • Never install apps from links in text messages. Any app you install should come straight from the official app store; those stores put apps through a review process before they are allowed in the marketplace, though that review is not foolproof. If you have any doubts about a text message's safety, don't even open it.
  • Ignore text messages asking you to update settings or unsubscribe from a service you never signed up for. Don't reply with STOP either: a reply confirms to the attacker that your number is live, and the attacks will intensify.
  • Block phone numbers that send you smishing attempts to prevent further messages. To protect your sleep, use your phone's Do Not Disturb or sleep mode to silence messages during your normal sleeping hours.
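As an added illustration, not code from the original article or from CyberHoot, here is a small Python triage script that scores an incoming text against the red flags listed above: the kind of sender (email-to-SMS gateway, short code, or ordinary number), the presence of a link, links that hide behind a URL shortener or point at a bare IP address, a brand name in the text that does not match the linked domain, urgency language, requests for credentials, and "reply STOP" bait from an unknown sender. The sample messages, sender strings, brand-to-domain table, and scoring weights are all constructed for this example. The short-code rule is deliberately weighted low, because legitimate one-time codes also arrive from short codes.

```python
"""Heuristic smishing triage: score an inbound SMS against common red flags.
Sample messages, sender strings and the brand table below are constructed
for this example; they are not real senders or real URLs."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
# Shorteners hide the real destination, a favourite smishing trick.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly", "rb.gy"}
# Brand as it appears in a lure -> domain a genuine message would link to (example table).
BRAND_DOMAINS = {"usps": "usps.com", "fedex": "fedex.com", "ups": "ups.com",
                 "paypal": "paypal.com", "amazon": "amazon.com", "walmart": "walmart.com"}
URGENCY = ("act now", "claim now", "immediately", "within 24 hours", "suspended",
           "final notice", "last chance", "confirm your", "verify your")
CREDENTIAL_REQUEST = ("password", "social security", "ssn", "card number",
                      "account number", "login", "log in")
UNSUBSCRIBE_BAIT = ("reply stop", "text stop", "unsubscribe")


@dataclass
class Verdict:
    label: str
    score: int
    reasons: list = field(default_factory=list)


def classify_sender(sender: str) -> str:
    """Label the From field. A short code is only a hint: banks and 2FA services use them too."""
    if "@" in sender:
        return "email_gateway"          # message was emailed to the carrier's SMS gateway
    if not re.search(r"\d", sender):
        return "alphanumeric"           # sender ID such as a brand name
    digits = re.sub(r"\D", "", sender)
    if 4 <= len(digits) <= 6:
        return "short_code"
    if 10 <= len(digits) <= 15:
        return "long_code"              # an ordinary phone number
    return "unknown"


def _hits(text: str, phrases) -> list:
    """Whole-word matches only, so 'shipping' never matches a keyword like 'pin'."""
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]


def _hosts(text: str) -> list:
    """Hostnames of every link in the message (scheme added for bare www. links)."""
    urls = URL_RE.findall(text)
    return [urlsplit(u if "://" in u else "http://" + u).hostname or "" for u in urls]


def score_message(sender: str, text: str) -> Verdict:
    t = text.lower()
    v = Verdict(label="low", score=0)
    kind = classify_sender(sender)
    if kind == "email_gateway":
        v.score += 2
        v.reasons.append("sender is an email-to-SMS gateway address")
    elif kind == "short_code":
        v.score += 1
        v.reasons.append("sender is a short code (hint only)")
    hosts = _hosts(text)
    if hosts:
        v.score += 2
        v.reasons.append("contains a link")
    for h in hosts:
        if h in SHORTENERS:
            v.score += 2
            v.reasons.append(f"link hides behind shortener {h}")
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", h):
            v.score += 2
            v.reasons.append(f"link points at a bare IP address {h}")
    for brand, domain in BRAND_DOMAINS.items():
        if hosts and re.search(rf"\b{brand}\b", t) and not any(
                h == domain or h.endswith("." + domain) for h in hosts):
            v.score += 2
            v.reasons.append(f"mentions {brand} but links somewhere else")
    urgency = _hits(t, URGENCY)
    if urgency:
        v.score += min(len(urgency), 2)
        v.reasons.append("urgency language: " + ", ".join(urgency))
    if _hits(t, CREDENTIAL_REQUEST):
        v.score += 2
        v.reasons.append("asks for credentials or financial details")
    if _hits(t, UNSUBSCRIBE_BAIT):
        v.score += 1
        v.reasons.append("invites a STOP/unsubscribe reply (confirms your number is live)")
    v.label = "likely smishing" if v.score >= 5 else "suspicious" if v.score >= 2 else "low"
    return v


# Constructed sample inbox (example senders; example.com and 192.0.2.x are reserved for docs).
SAMPLE_INBOX = [
    ("+1 (201) 555-0142", "Your USPS package is on hold. Confirm your address within 24 hours: http://bit.ly/3x9Kd"),
    ("29338", "Your verification code is 482913. It expires in 10 minutes."),
    ("+12015550199", "Hey it's Sam, are we still on for lunch?"),
    ("prizes4u@example.com", "Congratulations! You won a $500 Walmart gift card. Claim now: www.walmart-rewards-claim.top/win"),
    ("452-981", "Reply STOP to unsubscribe from CBD gummy deals!"),
    ("+12015550100", "Update your password at http://192.0.2.10/login"),
]

if __name__ == "__main__":
    for sender, text in SAMPLE_INBOX:
        v = score_message(sender, text)
        print(f"[{v.label:>16}] score={v.score} from={sender!r}")
        for r in v.reasons:
            print(f"    - {r}")
```

Note that the genuine-looking one-time code from a short code scores "low" while the unsolicited STOP bait from "452-981" only reaches "suspicious": the script is a triage aid that tells you which messages deserve a second look before you tap anything, not a definitive verdict.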

Remember, it only takes one bad text to compromise your data, your phone, and your personal security. With a little common sense and caution, you can make sure you don't become a victim of a smishing attack.

Additional Cybersecurity Recommendations

The recommendations below will also help you and your business stay secure against the various threats you face day to day. All of them are covered by CyberHoot's vCISO program development services.

  1. Govern employees with policies and procedures. At a minimum you need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP).
  2. Train employees to spot and avoid phishing attacks. Adopt a Learning Management System like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
  3. Test employees with practice phishing attacks. CyberHoot's phish testing lets businesses send employees believable phishing messages and put those who fail into remedial phishing training.
  4. Deploy critical cybersecurity technology, including two-factor authentication on all critical accounts. Enable email spam filtering, validate backups, and deploy DNS protection, antivirus, and anti-malware on all your endpoints.
  5. In the modern work-from-home era, make sure you are managing the personal devices that connect to your network, either by validating their security (patching, antivirus, DNS protections, etc.) or by prohibiting their use entirely.
  6. If you haven't had a risk assessment by a third party in the last two years, have one now. Establishing a risk management framework in your organization is critical to addressing your most serious risks with finite time and money.
  7. Buy cyber-insurance to protect you in a catastrophic situation. Cyber-insurance is no different from car, fire, flood, or life insurance: it's there when you need it most.

All of these recommendations are built into the CyberHoot product or CyberHoot's vCISO services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least, keep learning by enrolling in our monthly cybersecurity newsletter to stay on top of current cybersecurity updates.

Sources:

CNET

Additional Readings:

Smishing, The New Phishing

UK Census Smishing Attack

PayPal Smishing Attack


A writer for CyberHoot, a cybersecurity company that helps society become more aware and more secure: https://cyberhoot.com/