If the smartphones of ESET bloggers are any indication, scams executed via SMS text, known as smishing or SMS phishing, are on the rise. I don't do a lot of texting, which makes a smish easy to spot on my phone, but I just read an amazing statistic from a Pew report: users aged 18 to 24 send or receive an average of 109.5 SMS texts per day. With this flurry of micro-sized messages, it’s easy to understand why users might not check closely before clicking on a convincing-sounding link in a text that looks like it might have come from a friend or legitimate company. When you do, your troubles may just be beginning.
Sending messages designed to trick the recipients into clicking on a deceptive link was once reserved for fake but real-looking scam emails trying to fool users into visiting malicious sites on their PC, but scammers have realized there are (on average) far fewer protections on smartphones, and no small number of potential victims.
It had to happen. Just a few years back you only used your mobile phone to make calls, but now it’s become much more. For everything from surfing the web to sending emails, viewing videos and listening to music, your mobile device is more like a computer that just happens to make phone calls. It also happens to contain a lot of your personal information, making it readily available.
If a scammer can trick you into visiting a malicious site that attempts to get you to install malicious snooping or premium-rate SMS apps, which may be wrapped around legit apps, that may just be the beginning of trouble. Many users wouldn’t notice an app silently sending premium-rate SMS texts to some far-flung country until they got the bill. But things can get dicey when you try to convince your cell provider to reverse the charges. And the app you downloaded may look and function the same as the legitimate app by the same name, so you’d be none the wiser, at least at first.
In our example above you can see the domain name looks legit, until you realize that the end of the URL belongs to a website very different from Wal-Mart. But if you’re in a hurry, would you spot this?
Of course, one thing we should note in this example: it’s extremely unlikely that Wal-Mart has suddenly decided to dole out $1000 gift cards to a lucky few. This one even creates a fake sense of urgency by claiming you’d better act before the remaining 161 are claimed. Sounds fishy (pun intended), but hey, these things propagate because similar SMSishing campaigns worked, and the numbers seem to be growing. With falling rates for sending SMS texts these days, and an increasing number of target smartphones, there is an attractive and target-rich environment for cyber-scammers.
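The point about the end of the URL can be checked mechanically. The following is an added example, not part of the original post: it flags links whose host merely contains a brand name instead of ending in that brand's real domain. The `BRAND_DOMAINS` list, the sample message and the `.example` link are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains the brand actually uses; maintain this list yourself.
BRAND_DOMAINS = {"walmart": ("walmart.com",)}

# Matches links with or without a scheme, since SMS links often omit it.
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?", re.I)


def host_of(url):
    """Return the lowercase host of a link, adding a scheme if it is missing."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def classify(url):
    """Return 'legitimate', 'deceptive' or 'unrelated' for one link."""
    host = host_of(url)
    flattened = url.lower().replace("-", "")  # so "wal-mart" matches "walmart"
    for brand, domains in BRAND_DOMAINS.items():
        # The host must BE the brand domain or end in ".<brand domain>".
        # A brand name at the start of the host proves nothing.
        if any(host == d or host.endswith("." + d) for d in domains):
            return "legitimate"
        if brand in flattened:
            return "deceptive"
    return "unrelated"


def check_sms(text):
    """Classify every link found in an SMS body."""
    return [(url, classify(url)) for url in URL_RE.findall(text)]


# Constructed sample message; the link uses the reserved .example TLD.
SAMPLE = ("Wal-Mart is giving away $1000 gift cards. Only 161 left! "
          "Claim yours: walmart.com.gift-claims.example/win")

if __name__ == "__main__":
    for url, verdict in check_sms(SAMPLE):
        print(f"{verdict:10} {url}")
```

The comparison uses a leading dot so that a lookalike such as `notwalmart.com` is not accepted as a subdomain of `walmart.com`.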
Defending Against Smish
So what can you do to protect yourself? The first thing I suggest is restricting your mobile app downloading to the official marketplace for your device, not some third-party website. The official marketplace portals, such as Google Play for Android, increasingly have scanners in place to detect and remove malicious or scam apps, giving you a margin of safety.
Also, in the same way it’s not a good idea to just click on email links without thinking, you should think twice about clicking on SMS text links before you do. It’s easy enough to open a link in your mobile browser and navigate directly to the website in question – without following the link.
You might also want to lock down your device using its security settings or even install security software that can spot scams before you fall for them. If you beef up your security on the device, it will help reduce the access potential scammers have to your personal information, and make you a tougher target to exploit – via SMSishing or any of a variety of other scams that are targeting mobile devices.
FYI: ESET Mobile Security for Android is now available through the Google Play store.