How Hackers Use Smishing to Steal Your Information

Maybe you already know all about phishing, when cyber attackers use fabricated emails to trick you into giving them access to your information or your organization’s. And maybe you’ve heard of vishing, when criminals use phone calls to try to trick you into giving them information. But now hackers are using a different form of electronic communication to get access to information: SMS messaging, including but not limited to apps such as iMessage, Slack, WhatsApp or Skype.

Smishing attacks are particularly dangerous because texting and other SMS messaging feel more informal and personal than emails do, so it’s easier to fall into the hacker’s trap without feeling suspicious. Additionally, emails include plenty of clues that might indicate a phishing attempt, including the address of the sender, the formatting of the email, or poor grammar. These clues don’t necessarily arise in SMS formats. 

Don’t worry if you’re not familiar with smishing, or what a smishing attack might even look like. Below, we’ll provide some tips for defending yourself and your organization against this new hacking method. 

  1. When you receive a message, look for the following warning signs: 

    • The sender is rushing you into making a decision.

    • The message asks for personal information that the sender likely doesn’t need access to. 

    • The message sounds too good to be true. 

    • The wording doesn’t sound like the person who is allegedly sending the message to you. 

    Before responding to any message, take a moment to calm down and think.

  2. If you get an alarming message from an official organization, contact them directly to determine the message’s validity. Most government agencies would never contact you via text, anyway. 

  3. Be aware of messages that combine email and SMS attacks. 

Most of all, trust your intuition. If something seems off, it’s better not to respond, and to report the attempt by emailing [email protected].
If you think you have fallen for a smishing, vishing, or phishing attempt, please report it to us immediately.

[Thanks to SANS Security Awareness OUCH Newsletter for this content.]