You know all about phishing scams via email, and you are careful to never click on a link you don’t recognise. But how careful are you when it comes to messages on your phone? Are you confident that the SMS from the bank, or the link sent to you via WhatsApp from your friend is genuine, and not a smishing text message?

We use our smartphones for pretty much everything, from online shopping to reading the news, booking doctor appointments, or reserving a slot at the post office. People tend to give their phone about 50% of their concentration, skimming messages and tapping on links without thinking about where they will take them. As a result, SMS phishing, or smishing text messages as they are commonly called, is increasing in popularity with cyber attackers as a way of gaining access to individuals’ phones.

And as always, smishing is evolving, moving from traditional SMS text messages to malicious messages on popular apps such as WhatsApp.

What are smishing text messages?

Smishing, or SMS phishing, is a form of cyber attack using mobile phones. Smishing text messages are scam messages designed to enable cyber criminals to steal money or identities, or to infect a device for a bigger prize. Popular examples of smishing text messages include fake messages from banks requiring urgent action, or offering a limited-time deal on an iPhone (for example).

Smishing text messages can do the following:

– Include a malicious link or attachment that, if downloaded, could install malicious software onto the victim’s phone.

– Send victims to a malicious website that asks for personal information including names, date of birth, payment card details, and more.

– Simply ask the victim to reply with a piece of personal information, payment details, or more.

Why are smishing text messages successful?

Smishing attacks currently appear to be successful in luring victims to interact with them for a number of reasons.

Lack of education about smishing attacks

While there are constant reminders of how to recognise a phishing email, there is still relatively little information available in company cyber security training schemes or general literature about SMS phishing attacks. As a result, people are less vigilant about smishing text messages than they are about phishing emails.

SMS phishing text messages manipulate their intended victims

Smishing text messages are designed to manipulate the receiver into doing something, usually in a hurry. Smishing texts often include phrases such as ‘urgent’, ‘act now’, or ‘don’t miss’.

They also often pose as banks, government agencies, or even friends or close contacts, creating a false sense of trust that lures their victims in, as people are more likely to tap on a link from someone they trust without thinking about it.

They are more difficult to readily identify

Many of the recognisable features in a malicious email aren’t available in an SMS.

For example:

– SMS messages don’t have a sender address that you can quickly verify. When it comes to SMS, attackers can use a borrowed name, or a short number that they have taken from another source. In addition, SMS text messages can be sent from computers with a generated short number.

– Some SMS scammers can insert their message into an existing chat thread, making it look like the continuation of a chat, good enough to fool even some professionals.

– Basic SMS messages only contain text and links. This limits the small details that are obviously wrong, such as spelling errors or poor-quality logos. These things may come later in the chain, but usually after a victim has already clicked on a link and infected their phone.

People interact with SMS messages quickly and without thinking

People tend to spend even less time reading text messages on their phone than they do reading emails. This means that they are quick to skim a text and click on the link before they have even thought about what they are doing.

An evolving threat: The WhatsApp worm

The latest in smishing text messages is a new Android worm which is spread via WhatsApp as a form of automated smishing text message.

The WhatsApp worm works by replicating itself on a victim’s phone and then sending automatic replies to chats that the victim has with their contacts in WhatsApp. The worm is sent as a link to a fake app (usually a fake version of the Huawei mobile app, but other apps have also been reported, including a fake Netflix app). The worm also tries to make itself look more legitimate by only sending once an hour, even if the victim is having a lively chat with their contact.

The intention is that because the smishing text message is sent as a reply to another message, it looks as though it came from a trusted source, and is more likely to be downloaded by other victims. Once installed, the attached malware appears to be mainly aiming to generate advertising revenue for its creators by spamming infected users with adverts, but it could also be used for any other purpose at any time, including spyware, banking trojans, or even ransomware.

As well as replicating itself in automatic messages to WhatsApp contacts, the fake app will also make other changes to a victim’s phone, such as requesting permission to run in the background at all times, and using this permission to override battery optimisation rules, so that it drains the phone’s battery and remains connected to the internet, using up data.
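As an added illustration (not code from the original article), here is a small Python heuristic that scores a constructed chat export against the cues the article describes: urgency phrases, links, an APK link hosted outside an official store, and one contact repeating the same message on a regular near-hourly schedule like the worm’s auto-reply. The store host list, the thresholds and the sample messages are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Cues the article names: urgency wording, links, an APK link hosted outside an
# official store, and one contact repeating an identical message on a near-hourly
# clock (the worm's once-an-hour auto-reply). STORE_HOSTS is an assumption.
URGENCY_PHRASES = ("urgent", "act now", "don't miss", "don\u2019t miss")
URL_RE = re.compile(r"https?://([^/\s]+)\S*", re.IGNORECASE)
STORE_HOSTS = ("play.google.com", "apps.apple.com")

def text_signals(text):  # signals visible in a single message body
    signals, lower = set(), text.lower()
    if any(p in lower for p in URGENCY_PHRASES):
        signals.add("urgency")
    for m in URL_RE.finditer(text):
        signals.add("link")
        if m.group(0).lower().endswith(".apk") and m.group(1).lower() not in STORE_HOSTS:
            signals.add("apk-outside-store")
    return signals

def cadence_signals(messages, min_repeats=3, min_gap_s=1800, jitter_s=600):
    """(sender, text) pairs sent >= min_repeats times at evenly spaced intervals."""
    stamps = defaultdict(list)
    for sender, ts, text in messages:
        stamps[(sender, text)].append(datetime.fromisoformat(ts))
    flagged = set()
    for key, times in stamps.items():
        if len(times) < min_repeats:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Long, regular spacing looks like a scheduled auto-reply, not a human burst.
        if min(gaps) >= min_gap_s and max(gaps) - min(gaps) <= jitter_s:
            flagged.add(key)
    return flagged

def flag_messages(messages):  # message index -> sorted signal names
    periodic, report = cadence_signals(messages), {}
    for i, (sender, ts, text) in enumerate(messages):
        signals = text_signals(text)
        if (sender, text) in periodic:
            signals.add("periodic-repeat")
        if signals:
            report[i] = sorted(signals)
    return report
# Constructed sample export (sender, ISO timestamp, text); not real traffic.
WORM = "Try the new Huawei app: http://example.invalid/huawei.apk"
SAMPLE = [("Alice", "2021-01-20T09:00:00", WORM), ("Alice", "2021-01-20T10:02:00", WORM),
          ("Alice", "2021-01-20T11:01:00", WORM), ("Bob", "2021-01-20T09:30:00", "Running late"),
          ("Bank", "2021-01-20T12:00:00", "URGENT: act now, unlock your account http://example.invalid/login")]
```

Run `flag_messages(SAMPLE)` to see the three identical hourly messages from Alice flagged as a periodic repeat carrying a sideloaded APK, and the "bank" message flagged for urgency plus a link, while Bob’s ordinary reply is not reported.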

Follow these tips to stay safe from smishing text messages and malicious apps:

1. Don’t tap on links or attachments in SMS, WhatsApp or other messages on your phone unless you can verify the sender, or that they meant to send it.

2. Think before tapping. Take a second to think about the contents of the message before tapping on the link. If you are uncertain about it, report it as spam, or delete the message from your phone. And if the offer sounds too good to be true, it probably is.

3. Never download an app from outside an official app store (Google Play or the App Store). For example, the WhatsApp worm above takes victims to a site outside the Google Play store to download the app, bypassing Android’s security.

4. If you receive the same message many times from the same sender, don’t tap on it, as it could be an automated spam message.

5. Think about the permissions the app is requesting. Are they reasonable for the services the app provides?

6. Check your app settings to ensure that apps can’t install apps on their own. This is usually done by going to Settings > Apps > Special Access > Install Unknown Apps.

7. Don’t reply to a suspicious-looking message. Especially don’t reply to messages that request important information. Never share important information over text message.

Stay safe.