Smishing: SMS scam is still in play

With the development of technology, cybercriminals actively use mobile devices to scam users. The canonical example is a smishing scam (smishing stands for “SMS phishing”). It is a phishing attack where text (SMS) messages are used to obtain sensitive data. Below, we will discuss in detail what smishing is and how it works, describe real cases, and explore how to get protected against this type of scam.

Smishing is a type of scam where criminals send the victim text messages (SMS) that look like messages from trusted sources, such as banks, cryptocurrency exchanges, various platforms or government agencies. These messages often contain links to fake websites where the user is asked to enter his or her personal information, logins, passwords, financial data, which are then used to steal money.

People often confuse the words phishing, vishing, smishing and pharming, mainly because they sound the same. Therefore, the best thing to do is to clarify what is unclear.  Vishing and smishing are both the forms of phishing; however, while the former uses voice calls, the latter uses SMS messages to attack users.

While it is totally clear what smishing and phishing are in plain terms, pharming is another type of scam that is close to phishing. It is a type of attack that covertly redirects unsuspecting users to fake websites where malicious software is then installed or sensitive data, such as passwords and credentials, are stolen. To this end, scammers often use a navigation structure (a hosts file and domain names, or DNS). So, you should be always alert.

The smishing process can be divided into several steps:

1. Preparations. Scammers collect information about the potential victim, including data from social media, publicly available databases, or hacked accounts.
2. Sending an SMS. Scammers send the victim an SMS message which looks like it is sent from a legitimate source. The text may include a request to confirm a transaction, update credentials, or undergo a verification process.
3. Redirection to a fake website. The message often contains a link to a website that mimics the official website of a trusted entity. The user follows the link and enters his or her data, unwittingly revealing them to the scammers.
4. Stealing of data. The scammers get information entered by the user and use it to access accounts and financial funds or for further attacks.

There are various types of SMS phishing attacks. As a rule, it’s up to the resourcefulness and imagination of scammers. Some of the commonly used schemes include the following:

1. Fake messages from crypto exchanges or other platforms. The victim receives an SMS message from a fake exchange technical support team with a notification of suspicious activity on his or her account. The message contains a link for the “confirmation” of credentials that brings the victim to a fake website where he or she enters private information.
2. Messages on giveaways and other good promotions. The victim receives an SMS message about a sudden bonus, very lucrative airdrop or any other surprise.  To receive it, the victim is asked to follow the link and enter his or her personal data, which are then stolen.

We have understood what vishing, smishing and phishing are in plain words, and now it’s time to talk about real-life examples of these attacks. They are numerous, but we will consider some of the most well-known ones. 

• Smishing on behalf of Binance

In 2019, users of the Binance cryptocurrency exchange began receiving SMS messages sent on behalf of the exchange.  They claimed that suspicious activity had been detected on the user’s account and asked the user to confirm their data for security purposes. The message contained a link to a fake website which mimicked Binance’s infrastructure. Users entered their logins, passwords, two-factor authentication codes on this website, after which the fraudsters would get access to their accounts and steal cryptocurrency.

• Fake communications from Coinbase

Users received SMS messages sent on behalf of Coinbase that asked them to confirm their identity due to new security requirements. The messages contained links to a fake website where users entered their credentials. The scammers used this information to access victims’ accounts and steal money.

• Smishing on behalf of Trezor crypto wallet

In 2020, users of Trezor hardware wallets began to receive SMS messages stating that the wallet software needed to be updated due to detected security vulnerabilities.  The messages contained links to a fake website where users were asked to download a fake update and enter his or her seed phrases. After that, the scammers would receive full access to the victims’ wallets and steal cryptocurrency.

• Fake messages on upcoming initial coin offerings (ICOs)

In the period of mass interest in ICOs (selling the first limited issue of cryptocurrency to investors), fraudsters sent users SMS messages with an offer to take part in exclusive sales of tokens of new projects. The messages contained links to fake websites, where users were asked to deposit cryptocurrency to buy tokens.  But after depositing, they did not get anything, and the scammers disappeared with their money.

• Smishing on behalf of CoinDesk, a website for crypto news 

Users received SMS messages sent on behalf of CoinDesk about the detection of a critical vulnerability in a popular cryptocurrency wallet that asked them to urgently follow a link in order to get security instructions.  The link led to a fake website, where users would enter their personal information and seed phrases and lose their funds as a result.

1. Do not click on links in suspicious messages. Now that you know what smishing and vishing are, it should be obvious. If you receive an SMS messages with a link, do not click on it, especially if the message seems suspicious to you.
2. Verify the authenticity of messages. If you receive a message from a crypto exchange, wallet or any other platform, contact them directly via their official communication channels stated on their websites. 
3. Use antivirus software and filters. Install antivirus programs on your devices and enable filters for protection against malicious links and applications.
4. Educate yourself, your family members, colleagues and employees. Knowledge about various types of fraud will help you not to fall a victim. You can use our Penetration Test service to test your employees for the ability to resist smishing and other social engineering attacks. Contact our experts and they will tell you the details.
5. Be vigilant if you receive messages that invoke the sense of urgency, fear or excessive euphoria. Scammers often use these techniques to compel the victim to act without thinking.  After all, simply put, smishing is, in many respects, about emotional pressure.
6. Do not give up if you have fallen victim of an attack.  At SEVEN SENSES, we have an extensive experience investigating crypto incidents and recovering stolen funds. Contact us, and we will advise you on your particular case.

So, we have figured out what smishing, phishing and vishing are about. In the modern digital world, smishing obviously remains a serious threat. Fraudsters use text messages to deceive users and steal their confidential information. However, by following simple security recommendations, you can considerably reduce the risk of becoming a scam victim. It is important to be vigilant, verify messages you receive, constantly improve your knowledge of methods for protection against cybercriminals — and seek for help from professionals, if necessary.