Phishing attacks are a pretty serious nuisance. We routinely write about them here on the blog because they are such a popular way for attackers to maliciously gain your personal information. You’ve probably noticed a recent rise in phishing attacks in your SMS messages, a practice also known as “smishing.” Today, we’ll break down some of the basics of smishing and let you know how you can keep your personal information safe from this new wave of attacks.

From Email to SMS

Classically, phishing attacks start in your email; it’s a pretty easy place for a criminal enterprise to start, because it isn’t regulated in the same way that phone systems typically have been. This isn’t exactly the case anymore: since a large amount of email is directly managed by Microsoft, Google, and other large companies, there is quite a bit that is done to “clean up” the email delivery system and filter out bad actors. Over the past few years, the landscape of telephone and text message services has shifted, and for a growing number of users 100% of the SMS messages and phone calls they receive are illegitimate.

Since our smartphones treat SMS messages much the same as they do our emails—allowing attachments and clickable links—scammers are now just as likely to send a “bad link” through text messages. It may change how an attacker gains access to the platform, but it is basically the same project to scam someone from a text message as it is an email.

Recognize and Avoid Smishing Links

Popular scams are ones that imitate companies and banks that you may do business with. Notice, though, that I wrote “may do business with,” because attackers are either guessing, or they’re using some public information to make their campaign more successful. For instance, your phone number is definitely associated with a particular carrier, so scammers will impersonate your phone provider and word the messages in the same way that, for example, a payment confirmation message is worded.

A lot of the scams include the words “gift” or “prize,” claim that there’s suspicious activity on your account, or send information about a non-existent package being delivered to you. The main point of these messages is to get you to click on a link. The link itself isn’t terribly harmful: if you click one and then quickly close the browser, you don’t have to worry about your device being compromised, or having downloaded malware. Clicking on it does let the attacker know that you are a viable target, and incentivizes them to keep sending links until they do get some valuable information.

A lot of us use a second device—a smartwatch—to read text messages, which may make it harder to avoid clicking a link. If you have an Apple Watch or any other smartwatch that has a functional web browser on the watch then you could very easily click on a link in an illegitimate text message. Again, accidentally clicking it isn’t the end of the world, but you definitely don’t want to supply any information thereafter.

Protect your Information

The main point of these attacks is to get you to fill out a form or try to sign in to something after clicking the link (just like in other phishing attacks). It is best practice, for this reason, to never click links from SMS messages, even from seemingly trusted sources. CTIA—a telecom industry group—provides a guide to protecting yourself from spam texts, but just encourages you to report spam messages, which will help the industry to calibrate their spam filters. They also recommend blocking spam numbers, but that doesn’t stop you from getting the messages in the first place.

Knowing how these attacks work can help a great deal, though. If a text message tells you that there is a problem with your bank account, for instance, log in to that bank account via a trusted URL by opening a browser or the bank’s app, to be confident that you’ve navigated to the correct site. Remember that text messages that are legitimately from companies that you have business with will usually ask you to opt-in or set up text message alerts, and that if you aren’t sure what they’re referring to, then the message is likely not legitimate.

-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team