Smishing and how not to fall for it

[Baofeng]

What is Smishing?

A form of phishing, smishing is when someone tries to trick you into giving them your private information via a text or SMS message. Smishing is becoming an emerging and growing threat in the world of online security.

https://us.norton.com/internetsecurity-emerging-threats-what-is-smishing.html

And why should everyone be concern about it? Well, we all know that majority of us has cellphones and one time or another have received certain text that came from a company and really looks legit. They can camouflage it by giving you 20% discount of coupon code or something like that.

Yesterday, my wife received such text, however, since I'm not with her that time, she immediately click the link without me knowing. And she was very happy getting about discounts on some store. But I'm a little bit hesitant about it and my suspicions grow. I told here to call the company and see if it is legit or not. And lo and behold, it was a smishing attempt. So I immediately erase and and do a hard reset on her cellphone, for security purposes. Good thing I don't have any crypto wallet installed on her phone, otherwise I may have lost all my funds.

So I dig deeper on how we can prevent such attack, and then I came across U.S. Short Code Directory. How can this help us? You can look at the directory and check whether the text you received is from a legit source. I know it's US base only, but this small and subtle detail can make a big difference. Of course, a combination of skepticism and common sense is still the best weapon for this kind of attacks. But if you are a US based, I urge you to look at the code first before doing anything that you will regret later.

[GreatArkansas]

So I immediately erase and and do a hard reset on her cellphone, for security purposes. Good thing I don't have any crypto wallet installed on her phone, otherwise I may have lost all my funds.

Does she download something when she visited the website provided by the SMS message?

And if the user doesn't download any file after the visit of the website, does it still prone to any serious attack or any hacker can get inside into your device? I'm just curious about it, especially when it comes to mobile phones.

[Coyster]

And she was very happy getting about discounts on some store

More often than not, it's "greed" that lures enthusiasts(individuals)to fall victim to scam.Thats why scammers usually embellish such messages with one discount or the other, and this makes it more attractive though too good to be true.

And if the user doesn't download any file after the visit of the website, does it still prone to any serious attack or any hacker can get inside into your device?

It's still inimical for one who clicks on such links, if you click on a suspicious or an evil link, the hacker(depends though)already has an access to your device and can steal your assets and funds.

[DdmrDdmr]

Smishing can also be performed through other communication channels other than sms, such as Whatapp. A typical case would be that of a text message sent from an alleged bank, indicating that a suspicious TX has been performed with your credit card. Customer is then prompted to call a support (fake) phone number where the scammers, pretending to be the bank, ask for certain personal information in order to, supposedly, cancel the suspicious TX. This is a real case going on with BBVA.

Note: Apart from phishing and smishing, there is also vishing (voice phishing).

[o_e_l_e_o]

So I immediately erase and and do a hard reset on her cellphone, for security purposes.

Make sure she didn't also try to log in to anything after clicking the link in the SMS. Often sites like these will prompt users to log in with their Google/Facebook/Microsoft/Samsung/similar account to "access" these special offers. Obviously you'll need to change passwords and look out for any suspicious activity if she did type her details in.

[LTU_btc]

I would say that smishing is more dangerous than other types of phishing, for example email. In email it's quite easy to spot that that email is fake, you just need to check email address of sender. In SMS it's more difficult to spot fake message. It's usually sent from unknown number and link is hidden under shortlink. So, I'm trying not to click any links so SMS, even if it looks that sender is legit. What you can do after getting suspicious message - try to Google phone number of sender, maybe it's already been reported before. Or you may find information that this number is legit.
I think that smshing is quite rare because it's not cheap thing for fraudsters - if they want to send large number of messages it can cost quite expensive.

[Lucius]

I think that smshing is quite rare because it's not cheap thing for fraudsters - if they want to send large number of messages it can cost quite expensive.

I get some messages of that type, but mostly on WhatsApp or Viber and ignore them always. This is very cheap way to send big number of messages for free, and some people just click on anything without any checks. I am not sure is there some app for blocking SMS that come from unknown numbers, same as blocking calls by different categories (black list, unknown numbers, international numbers).

I use G-mail and most of spam go directly to Spam folder, it would be nice to have something similar for SMS. Some sort of SMS spam filter on mobile service provider would be good solution, but Viber and other similar apps should make something similar on their platforms.

[hilariousetc]

Don't forget about catphishing as well. That's when some dude pretends to be a female to try get their victim to let their guard down and send them bitcoins (because obviously a woman would never scam anyone - they're far too nice for that). Seen it happen a fair few times here and there's probably much more that we don't see as people will be too embarrassed to come clean and then also all the attempted times - users like Alia etc: https://bitcointalk.org/index.php?topic=3032057.0

[Pmalek]

Does she download something when she visited the website provided by the SMS message?

And if the user doesn't download any file after the visit of the website, does it still prone to any serious attack or any hacker can get inside into your device? I'm just curious about it, especially when it comes to mobile phones.

Don't confuse phishing with malware and viruses. They usually don't include any type of malware as the people behind the attacks are looking for login details for you bank/paypal or credit card numbers and those who get phished unknowingly give the hackers that information.

I assume that the SMS OP's wife received contained a link where she was either asked to login to her online banking/paypal or they were asking for personal information - her identity, which could then be misused or sold.

[pedpedped101]

My first time of seeing the word smishing and also getting a meaning to it.
This is one of the predominant ways of being scammed these days. Although i am nit from the US, but i also receive some texts on my cellphone that looked suspicious, but because of my knowledge of internet fraud, i never bothered on click on them, because i do not look for cheap things around.
This us a helpful post though.

[Harlot]

Best way to know if the text is a scam or not is when you received that you've won something or have been picked for a promo when you didn't join/participate in any kind of contest at all. This only means that someone just sent you a random text from their spam directory. Best thing to do is to block their numbers and delete their messages for you to avoid on accidentally viewing them. Just remembered that if you haven't participated on something and you receive these kinds of messages best is to avoid it.

[bernardos]

Best way to know if the text is a scam or not is when you received that you've won something or have been picked for a promo when you didn't join/participate in any kind of contest at all. This only means that someone just sent you a random text from their spam directory. Best thing to do is to block their numbers and delete their messages for you to avoid on accidentally viewing them. Just remembered that if you haven't participated on something and you receive these kinds of messages best is to avoid it.

But imagine if the SMS comes from someone pretending to be a representative of a brand you often buy. Imagine you just bought yourself a new pair of sneakers and you are getting a 50% discount as a promotion for your loyalty. People could easily fall for that.

[Herbet Fry]

You have to actually install something and download it to be infected. even if you infected how it steal your privatekey?

Best way to know if the text is a scam or not is when you received that you've won something or have been picked for a promo when you didn't join/participate in any kind of contest at all. This only means that someone just sent you a random text from their spam directory. Best thing to do is to block their numbers and delete their messages for you to avoid on accidentally viewing them. Just remembered that if you haven't participated on something and you receive these kinds of messages best is to avoid it.

Yes exactly. Like if you shopped at a place a few weeks ago and they send you a discount then that makes sense. If you get one from a place you have never heard of you can just look at the link to see exactly how to redeem the voucher. People should be checking the terms of use. You will be able to determine if it is legit or not with ease by this stage.