Threat actors are well aware of our rising dependence on smartphones in everyday life. That dependence makes their job easier in many respects, especially when launching social engineering attacks such as phishing, vishing, and, most popular among them, SMiShing. The Federal Communications Commission (FCC) of the US has recently alerted its citizens about the ballooning of SMiShing attacks across the country.
The scenario in and around Asia is quite similar to that in the US: bad actors use robotexts, also known as SMiShing attacks, to collect personal and financial credentials for monetary gain.
Smishing uses fraudulent text messages that carry spam links and appear to come from a trusted source. The link often redirects to a rogue website or social messaging platform in order to steal information from the victim's device. Modern SMiShing messages come with social handle links and phone numbers to lure new smartphone users.
Prevalent SMiShing campaigns
A few months ago, tens of hundreds of Tamil Nadu-based residents reportedly received a message saying that the state electricity department would cut off their electricity connection and asking them to call a particular number for further help. The scam victimised many innocent users and looted millions. In the attack, the victims were asked to send 10 INR as a trial and later found their bank accounts emptied. The state electricity department, Tamil Nadu Generation and Distribution Company (Tangedco), later issued an alert against the smishing scheme. Interestingly, the social engineering campaigns primarily targeted people aged 50 and above.
The Tamil Nadu incident is not the only SMiShing scheme running in the country. Most of us receive at least one SMiShing message every week. What all SMiShing campaigns have in common is that they create a sense of urgency to compel the victims to click the message link.
For instance, you may receive deceptive messages about a job offer, a lottery win, a package delivery, unpaid bills, or law enforcement action, or messages prompting feedback, offering help, and so on.
Another smishing campaign making the rounds claims to offer a high-paying job. Naturally, a person urgently looking for a job will click on the given link and land on a WhatsApp chat window, where the scammer is waiting to lure them further.
One more prevalent smishing campaign claims that your bank account has been suspended for not updating KYC and prompts the victim to click on a link.
Innumerable State Bank of India customers were duped by the account suspension message, thus compelling the bank to release awareness campaigns and contact information for the victims. Even the Indian Press Information Bureau (PIB) released an alert for the notorious event.
The FBI alert
The US Federal Bureau of Investigation mentioned India as the third most affected country by phishing attacks, of which smishing accounts for a significant number.
Although most smishing campaigns target random users, adversaries often launch such attacks on specific targets to steal more personal information or compromise their devices.
Final Note: Safeguard Checklist
Smishing is one of the most widely practised techniques for many reasons. It delivers its bait over text messages and has a much higher success rate than other social engineering techniques. So it’s high time to safeguard yourself and your business from such prevalent attacks.
- First, you should learn to detect such messages by predicting the sender’s intent. For example, if you get a message regarding service issues, you should immediately skip the message and connect with the concerned authorities.
- Never share your personally identifiable information (PII), such as your name, mother’s name, birth date, passport details, etc., in response to any message. If a message sender asks for your username or password, block the sender immediately.
- Never respond to messages sent by an unknown number, even if they prompt you to unsubscribe from a particular service. Sometimes, con artists use text software to send messages that look like they come from a trusted source, such as banks and other financial institutions. Read the sender’s name carefully before responding.
- Even though it sounds repetitive, you should always pay attention to grammatical and typographical errors in the message. If a URL is mentioned in the message, read it before clicking and type the primary URL in the device browser to check its authenticity. The best practice is to avoid any links that arrive on your device via messages.
- Never be in a hurry to respond to any message on your device. Instead, take some time and read it carefully before replying to any of the messages you have received.
- Block all the suspicious senders and delete the trails of messages you have received.
- Many smishing schemes nowadays invite you to a WhatsApp chat to extract critical information for more sophisticated social engineering attacks. So block the WhatsApp number immediately.
- A few smishing schemes come loaded with the ability to exploit any vulnerabilities on your device. Therefore, block such incoming nuisances and update your device software.
- Never install any cracked app on your device or visit third-party stores to browse free apps. Likewise, never install apps that prompt you to download from the web.
- Install K7 Mobile Security as a watchdog to eliminate all the incoming evils from your phone. The state-of-the-art security suite takes care of your device’s security aspects and lets you focus on your user experience.
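The indicators the checklist asks you to look for (urgency, requests for credentials or KYC updates, links, WhatsApp redirects, and call-back numbers) can also be checked mechanically, for example when triaging user-reported messages. The following is an added example, not part of the original article: the keyword lists, the `bank.example` trusted host, and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Indicator patterns taken from the campaign types the article describes (assumed wording).
URGENCY = re.compile(r"\b(immediately|urgent|suspended|disconnected|cut off|tonight|last date)\b", re.I)
CREDENTIALS = re.compile(r"\b(kyc|password|username|otp|pin)\b", re.I)
LURE = re.compile(r"\b(lottery|prize|job offer|earn)\b", re.I)
URL = re.compile(r"(?:https?://|www\.)\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}/\S*", re.I)
# 10-13 digit number that is not part of a URL path (e.g. not the digits in wa.me/<number>)
PHONE = re.compile(r"(?<![\d/])\+?\d(?:[\s-]?\d){9,12}(?!\d)")
CHAT_HOSTS = {"wa.me", "api.whatsapp.com", "chat.whatsapp.com"}

def extract_hosts(sms):
    """Return the lower-cased hostname of every link in the message."""
    hosts = []
    for match in URL.finditer(sms):
        raw = match.group(0).rstrip(".,)")
        if "://" not in raw:
            raw = "http://" + raw  # urlparse needs a scheme to locate the host
        host = (urlparse(raw).hostname or "").lower()
        if host:
            hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts

def triage(sms, trusted_hosts=frozenset()):
    """Return (verdict, reasons) for one SMS body."""
    hosts = extract_hosts(sms)
    checks = [
        ("urgency", bool(URGENCY.search(sms))),
        ("asks-for-credentials", bool(CREDENTIALS.search(sms))),
        ("too-good-offer", bool(LURE.search(sms))),
        ("chat-redirect", any(h in CHAT_HOSTS for h in hosts)),
        ("untrusted-link", any(h not in trusted_hosts and h not in CHAT_HOSTS for h in hosts)),
        ("callback-number", bool(PHONE.search(sms))),
    ]
    reasons = [name for name, hit in checks if hit]
    verdict = "suspicious" if len(reasons) >= 2 else "review" if reasons else "no-indicator"
    return verdict, reasons

# Constructed sample messages modelled on the campaigns described above.
SAMPLES = {
    "electricity": "Your electricity will be disconnected tonight. Immediately contact officer 9000000000.",
    "kyc": "Your account has been suspended. Update KYC now: http://kyc-update.example/verify",
    "job": "Part-time job offer, earn 5000 daily. Chat: wa.me/910000000000",
    "benign": "Your parcel was delivered today. Thank you for shopping with us.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body, trusted_hosts={"bank.example"}))
```

A score like this only prioritises messages for review; a message with no indicator is not proven safe.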