August 24, 2021
Smishing attacks are on the rise. They can steal credentials and deliver malware directly to the device in the palm of your hand: your phone. The term smishing combines “SMS” (short message service, widely referred to as texting) with “phishing.”
Cybercriminals and nation-state actors continue to launch new smishing attacks daily, using mobile phones as the attack platform to gather personal details such as a Social Security number (SSN) or credit card number.
“These schemes have dramatically increased,” says David Ginsberg, PrivaPlan president. “With smishing, the threat is clicking the text link which installs malware on the phone that can then harvest credentials if they are saved on the device.”
For example, Michael Marriott, Senior Strategy and Research Analyst at Digital Shadows, described a new Android banking Trojan called “AbereBot” that is being sold on cybercrime forums. Since the Trojan targets mobile devices, it’s distributed via text messages. “This is just one recent example, and barely a month goes by without another Android malware making news headlines,” Marriott says.
Earlier this year, FluBot was reported to have spread quickly through a text that appeared to come from a delivery company and prompted recipients to download an application that would let them track a package. Instead, the malicious application enabled the attacker to capture their banking credentials.
With more and more people using their personal smartphones for work, smishing is becoming a business threat as well, and according to Cloudmark, it has become the leading form of malicious text message.
How can you avoid falling for these scams? PrivaPlan’s Cybersecurity Literacy Training expert Michaela Kahn gathered up these recommendations:
- Only download apps from App Stores.
- If you suspect you have clicked a malicious link, reset your device to factory settings and change the passwords on any accounts you have accessed since the infection.
- Even non-Android phone users need to be wary!
- Beware of common manipulations such as scare tactics, offers of something for nothing, or switcheroos where you are asked to log in to something unrelated to the original message (such as being asked to enter your banking credentials to track a package).
- If you fear a message might be true, such as one saying that a credit card was used for a purchase you didn’t make, don’t ever use an email or SMS/text link to find out. Call the service directly using phone numbers provided on your card, or log in as you normally would.
If you have further questions about this or other security issues, please reach out to us. We’re here to help. Email firstname.lastname@example.org or call 877-218-7707.