Phishing emails are a sad fact of life, and most of us are used to dealing with them - but cybercriminals are increasingly turning to SMS to reel in their victims.
For cybercriminals, SMS attacks have some key advantages - for instance, on a smartphone, you can’t “mouse over” a link to see what it contains.
People are also used to shortened URLS in text messages - in an email, they look suspicious - so are more likely to click.
SMS phishing emails use various tactics - from fake phone numbers to call or text, or links directing users to infected sites. Most sound urgent - your phone's infected, or there's a special offer you have to grab quickly. It's a growth area for cybercrime.
“With falling rates for sending SMS texts these days, and an increasing number of target smartphones, there is an attractive and target-rich environment for cyber-scammers.” ESET malware researcher Cameron Camp says in a detailed analysis of how such scams work.
It pays to be careful - particularly on Android phones, where the malware market is booming. Our SMS security tips should help you avoid clicking something you’ll regret.
Don't fall for texts from your network which ask for details
Your phone network will often text you - if you’re abroad, for instance, to warn of data roaming rates. But networks won’t ever ask you to confirm or verify your details. If you see a “security” text which asks for a password, or any other details, don’t click the link, and don’t call any numbers in it. Contact your network via their website, or via their phone number (the real one, not the one in the SMS).
If you see a "business" phone number in a text, it's no guarantee it's real
Many SMS phishing attacks will include “toll free” numbers that look like legitimate business ones - they’re not. Cybercriminals can set up these numbers easily and cheaply, and if you phone the number, you’ll usually be asked to “confirm” details - handing them over to the fraudsters.
Don’t reply with “STOP” if you’re being spammed - contact your network instead
If you’re being spammed repeatedly, and the SMS contains an instruction to text back with “STOP” to cut off the emails, don’t. This will simply tell the spammers that you’re there, and they’ll intensify their attacks. Your network will be able to block SMS from specific numbers (as can apps such as ESET Mobile Security and Antivirus.
Be very suspicious of “special offers” - especially ones where you have to “act fast”
Phishers commonly send out SMS attacks in the form of “special offers” from big companies - such as a $1,000 gift card, where only a limited number are available, and you have to click a link to cash in. Previous WeLiveSecurity reports on these scams can be found here. The website you arrive at, though, won’t be the real one - and you will end up installing malware, rather than earning yourself a shopping spree. High-value “special offers” that sound too good to be true usually are. If it’s your local pizza place offering two-for-one on Tuesdays, you might be safer. Think first, and think hard if you’re being asked to click a link.
Set your phone to block apps from unknown sources
Many SMS phishing attacks aim to fool you into installing malicious apps - particularly on Android. As a precaution, block installation from unknown sources (it’s in Android’s Settings menu). If you have to unblock this (for instance to install a work app), set it back to “blocked” when you’ve finished. If you do make a mistake, this gives you another line of defence. It's also worth using Google's built-in "Verify Apps" function, which monitors apps for suspicious activity.
Don't fall for texts from your bank which ask for "confirmation details"
Your bank may well text you - for instance to confirm a transaction on PC - but bank texts will not, ever, ask you to confirm details, or for passwords. Banks also won’t update their apps in this way. If you’re suspicous, don’t click links, don’t call any numbers in the text. Instead, call your bank on its “normal” number - Google it if you don’t know - and check whether the text is from them.
If you're an Android user, protect your phone with an antivirus app
Google's own Verify Apps function is a useful first line of defence - and Android users should turn it on. Security apps such as ESET’s Mobile Security and Antivirus add a few extra layers of defense, blocking known phishing attacks - and scanning all apps on your phone for malicious activity in real time. You can also block specific numbers from texting you - or block all unknown senders.
Don’t fall for warnings saying, “Your phone is infected”
Recent SMS phishing scams use a bogus “security alert” to scare users into installing fake antivirus apps. Reputable security companies will not “push” products in this way. ESET’s Cameron Camp says, “Malware posing as security apps, also known as “scareware”, are some of the most pervasive scams on Android in recent months.”