Smishing is essentially a variant of email phishing, but more dangerous, and the reason lies in its very definition. It is a growing phenomenon: almost everyone has received an unusual SMS urging them to make a bank transfer for an unpaid bill or, conversely, to reset the credentials of their bank account because it has supposedly been compromised. It is therefore a technique that exploits messages received on the smartphone, a device essential to our daily activities and, given the disproportionate amount of sensitive data it holds, equally attractive to cybercriminals.
The term "smishing" comes from the combination of the words SMS and phishing: it inherits all the main characteristics of the latter (in particular the techniques of deception and social engineering), but it differs from the equally widespread e-mail scams in its exclusive use of text messages. The attacker therefore uses the mobile phone as a platform to lure new victims, targeting the user's sensitive data. The tricks devised by scammers are quite varied, but in most cases they can be traced back to two underlying purposes: stealing money from the victim or stealing the victim's identity.
At the basis of smishing is the so-called "social engineering" technique: psychological manipulation that induces the targeted person to behave in a certain way or to unknowingly reveal personal information, by exploiting feelings such as fear and greed. In SMS scams, social engineering techniques are the main key to convincing the victim to click on the link at the bottom of the message or otherwise interact with it. To achieve this, the attacker hurries the target, who then acts instinctively under the pressure of fear and the need to get out of a dangerous situation.
In this sense, messages informing users that their bank account has been hacked, or urging them to pay an outstanding bill, illustrate the idea of psychological manipulation well: in both cases the victim is pushed to act on the spot, exploiting the worry of losing the money in the bank account or of suffering the consequences of non-payment of the invoice.
In more modern versions, it is not uncommon to see scams carried out via WhatsApp and other popular instant messaging applications, such as Signal and Telegram: while technically not smishing, this is a closely related phenomenon, since the attacker's objective is the same: deceiving the target in order to steal personal information or bank details. It could even be described as a sort of "smishing 2.0", given the spread of instant messaging, which, especially with the advent of smartphones, has almost completely supplanted classic SMS text messages.
To make the scam more credible, the attacker misuses the name of a known organization or company: banks, debt collection agencies, insurance companies, fashion or electronics retailers, and so on. The message is presented as coming from one of these entities, for an obvious reason: it strengthens the credibility of the communication. People tend to trust an SMS that appears to come from a known, credible name rather than from an unknown contact they have never heard of before.
Psychological pressure, then the scam. And then what? Smishing campaigns vary widely, but they can be grouped by the goal they generally aim to achieve. The sender or subject of the message may vary, but not the purpose pursued. The main techniques used by attackers to lure new victims are listed below:
- Click on a link: the message invites the user to click on a link leading to a fake page where they are asked to type some sensitive data. Among the most recent examples is the fake Poste Italiane page asking for credentials to access the BancoPosta account; there are also cases involving Amazon, e-commerce sites, banks, insurance companies and many others;
- Reply to the message: the SMS invites the user to reply to the communication, requesting personal data (for example, the PIN and credentials for online banking access);
- Download an app: the message urges the user to download an external app, falsely associated with the organization named in the SMS, which in most cases contains malware;
- Call the number indicated: the classic example is a call to a number posing as the customer service of the company named in the message. Instead of solving any problem, the fake operator asks the user to share their account information;
- Download an attachment: the same applies as for the app, since the attachment to the message carries malware;
- Send money: the scammer pretends to be an insurance company or a debt collection agency and invites the user to make a transfer to the bank details given in the SMS, citing alleged unpaid invoices.
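As an added defensive illustration (not part of the original article), the Python scorer below flags an SMS when the lure characteristics described above, urgency or an impersonated brand name, are combined with one of the requested actions (link, credentials, payment or callback number). The keyword lists, regular expressions and sample messages are constructed assumptions for illustration, not a production filter.

```python
import re

# Indicator vocabularies mirroring the characteristics the article lists.
# Word lists are illustrative assumptions; a real filter would be far broader.
URGENCY = ("immediately", "within 24 hours", "blocked", "suspended", "compromised",
           "unpaid", "overdue", "unusual activity")
CREDENTIALS = ("pin", "password", "credentials", "otp", "verification code")
PAYMENT = ("transfer", "iban", "pay now")
BRANDS = ("poste italiane", "bancoposta", "amazon")  # names mentioned in the article
URL_RE = re.compile(r"https?://\S+|\b[\w.-]+\.(?:it|com|net|xyz|top)(?:/\S*)?", re.I)
CALLBACK_RE = re.compile(r"\b(?:call|dial)\b[^.\n]{0,40}?\+?\d[\d ]{6,}", re.I)
ACTIONS = {"link", "credential_request", "payment_request", "callback_number"}

def _has_phrase(text, phrases):
    # Whole-word match so that e.g. "opening" does not trigger "pin".
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)

def sms_indicators(text):
    """Return the list of smishing indicators found in one SMS body."""
    t = text.lower()
    found = []
    if URL_RE.search(t):
        found.append("link")
    if _has_phrase(t, URGENCY):
        found.append("urgency")
    if _has_phrase(t, CREDENTIALS):
        found.append("credential_request")
    if _has_phrase(t, PAYMENT):
        found.append("payment_request")
    if CALLBACK_RE.search(t):
        found.append("callback_number")
    if _has_phrase(t, BRANDS):
        found.append("brand_name")
    return found

def triage(text):
    """'suspicious' when a lure (urgency or brand) meets a requested action, else 'ok'."""
    found = sms_indicators(text)
    lure = "urgency" in found or "brand_name" in found
    action = any(i in ACTIONS for i in found)
    return ("suspicious" if (lure and action) or len(found) >= 3 else "ok", found)

# Constructed sample messages, not real campaign texts.
SAMPLES = [
    "Poste Italiane: your BancoPosta account has been blocked. Confirm your credentials immediately at http://bancoposta-verify.example/login",
    "Reminder: your unpaid invoice is overdue. Transfer 249 EUR to IBAN IT00EXAMPLE within 24 hours to avoid legal action.",
    "Amazon customer service: unusual activity detected, call 800 123 456 now to verify your password.",
    "Hi, running 10 minutes late, see you at the station.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict, reasons = triage(s)
        print(verdict, reasons, s[:50])
```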
In short, the cases are very different, yet united by three characteristics: psychological pressure, deception and a request to share sensitive information. Defending yourself from these scams is always possible: do not panic and, above all, use a little common sense. If in doubt about the authenticity of a message, a simple call to the customer service of the organization involved (the real one, this time) can clear things up. As Poste Italiane and many other credit institutions point out, in no case is the customer asked to enter personal access data, whether by SMS, e-mail or telephone.