In this post we’re going to talk about ‘Smishing’ in really simple terms.
So what exactly is Smishing?? It’s a bit of a funny name, but what it stands for is “SMS phishing.”
By SMS, I mean SMS texts you receive on your phone.
And by ‘phishing’ I also mean (according to Wikipedia) “the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication”
So basically it’s a form of social engineering, where the bad guys use SMS text messaging to trick you into handing over something valuable e.g. passwords, money etc.
Now, when it comes to Smishing, there are a couple things you need to remember:
To make things easier, let me show you some visual examples:
OK, as you can see, it says on the top, “iCloud”
Now that I’ve scared you, let’s keep moving down the SMS message…Next they’re telling you that your “Apple ID has been locked due to unauthorized login attempts”, which is a common tactic to trigger your emotion of fear, so that you do what comes next…
Here is the most important part, the SMISHING: they want you to click on the Bit.ly link right below the message!
And when you do, it’s GAME OVER!
For the record, Bit.ly links are what we call ‘URL shorteners’ which are a way of presenting a long URL web address inside a short URL web address.
As a simple example, I will change this URL:
Into a Bit.ly shortened URL:
Bit.ly links are VERY popular with the bad guys, because they can hide their malicious link inside a Bit.ly link that looks completely benign.
What’s important to note here is that Apple will never ever send you a Bit.ly link, or any other kind of URL shortener for that matter. And they’re definitely not going to send you a link, in an SMS text message, telling you to go and verify your information on a website!
They might ask you to check your account yourself, but they will never send you a shortened Bit.ly link. THIS IS A VERY IMPORTANT POINT.
Here’s another example:
This one looks alarming right??
Bank of America has ‘apparently’ detected unauthorized transactions, and has been kind enough to warn you that you should click on this link to “avoid suspension” of your account.
Again, as you see, this address they’ve sent you is a ‘Bit.ly’ shortened URL
Keep in mind though, that not ever malicious SMS link will be Bit.ly. There are other URL shorteners, but the important point is that legitimate businesses ESPECIALLY banks, Amazon, EBay, Paypal etc do not send official correspondence like this using URL shorteners. They may warn you of something, but ask you to log in, or call in to their offices without clicking a link.
And a final example, which really is a bit of a joke once you analyze it:
Check out all at the SMS spoofed buzzwords they’ve put at the top: [email protected]. They really laid it on thick in this text message!
All these are there in order to get you to respond, to believe the message is coming from someone of authority.
They even put a little Apple logo in the message! Wow
Anyways, the messages is telling you “Your iPhone has been found” – Well, great news right?!
Mind you, they’re notifying you of this great news on the iPhone that they found, WHICH YOURE HOLDING IN YOUR HAND. It’s ridiculous, and that embedded link should definitely not be clicked on.
One last thing: notice the link URL: hxxp://www.apple.verify.com.de
The website is not Apple, but actually verify.com.de, which is registered in (DE) Germany, obviously not Apple’s official website.
So again, when it comes to smishing, it’s always the same thing: they want you to click on a link.
I understand what you might be thinking right now: how can I be 100% safe when it’s hard to see what’s going on with my phone due to the small screen. My best advice to you is, if you receive something like this, to remember that government agencies, IRS, banks, and tech companies are NOT going to send you these links asking you to verify your information. They might call you (even then you must be very careful about Vishing, which I will blog about very soon), or if they send you a warning text they will not include a link to verify your account.
So be very careful about this. Especially when it comes to:
NEVER click on a link to do either of these is my best advise to you. Log into the corresponding business website yourself, or call them, or walk into their branch to see what is going on with your account.
Please be safe 1:M Secure out there everyone.