Protect yourself from smishing

Attackers in cyberspace are constantly looking for ways to extract information or money from their victims. Perhaps the most popular way is phishing, i.e. fraudulent messages in which the attacker tricks the victim into handing over financial or personal data.

Phishing can take many forms: e-mails, chat services and even phone calls. SMS messages have not been spared either.

Smishing is a form of phishing carried out via SMS or other services that enable real-time text communication (except, of course, e-mail).

The methods of attack are very similar to typical e-mail phishing. The attacker can write an SMS or text message in different ways. For example, the attacker inserts into the SMS a link to a malicious page, which either installs malicious code on the device or lures the victim into revealing various types of data (personal data, payment card details, login credentials to financial services such as Internet banking, and so on). Alternatively, the victim receives an SMS with, for example, a phone number which he should call immediately and then act as directed by the attacker.

The advantage of SMS or text messages is their speed of delivery and relative shortness. The attacker does not have to construct an intricate story, but only has to write an urgent message that looks legitimate at first glance. Even the sender's name can be modified so that it displays text instead of a number. There are often cases in which the attacker poses as Slovenská pošta.

How can the attacker obtain your phone number? There are several ways. One is to purchase a database on the black market that comes from past data leaks. There is a good chance that the phone numbers are still valid: you can change a password quickly, but you will probably not change your phone number because of a data leak. Another option is simpler: there are tools that can randomly generate numbers based on the numbering rules of a particular country, so the attacker sends smishing messages at random. Last but not least, the attacker can also gain access to the large databases of phone numbers available to marketing agencies, either by stealing them or by buying them legitimately. With other platforms that are not linked to a phone number (e.g. Facebook Messenger), it is even easier. The user database is more or less open and accessible, so the attacker can write to individual users without major restrictions.

Detection of such a message is, in principle, very simple. The driving factors of such messages are: trust (the sender poses as a trustworthy institution, for example a bank, a postal service, and so on), urgency (the victim should take action immediately) and context (the attacker exploits the current situation). For example, the attacker may create a message that appears to come from Slovenská pošta (or a courier company) about a parcel delivery. You are asked to click on a link in the message that redirects you to a website where you should enter your data, most often your first name, surname, home address, card number, and so on. The message carries an urgency factor: if you do not click on the link and enter the data, the parcel will be returned to the sender. Parcel delivery is an everyday occurrence nowadays, so anyone can easily be targeted.

How can you protect yourself against smishing? The advice is similar to that for typical phishing attacks:
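The three factors described above, together with the action the message asks for (a link or a number to call), can be turned into a simple triage check. The following is an added example, not part of the original advisory: the keyword lists, the allow-listed domain `official-post.example`, the verdict thresholds and the sample messages are all constructed assumptions.

```python
import re

# Constructed keyword lists for illustration; tune per language and brand.
TRUST = ("slovenská pošta", "slovenska posta", "bank", "courier")
URGENCY = ("immediately", "urgent", "within 24 hours", "returned to the sender")
CONTEXT = ("parcel", "package", "delivery", "payment", "account")
OFFICIAL_DOMAINS = {"official-post.example"}  # hypothetical allow-list

URL_RE = re.compile(r"(?:https?://|www\.)([^\s/]+)\S*", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?\d[\d\s]{7,}\d")


def is_official(host: str) -> bool:
    """True only for an allow-listed domain or one of its subdomains."""
    host = host.lower().rstrip(".,;)")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage(sender: str, body: str) -> dict:
    """Flag trust, urgency and context plus the requested action."""
    text = f"{sender} {body}".lower()
    hosts = URL_RE.findall(body)
    no_urls = URL_RE.sub(" ", body)  # keep digits in URLs out of the phone check
    flags = {
        "trust": any(k in text for k in TRUST),
        "urgency": any(k in text for k in URGENCY),
        "context": any(k in text for k in CONTEXT),
        "unofficial_link": any(not is_official(h) for h in hosts),
        "callback_number": bool(PHONE_RE.search(no_urls)),
    }
    factors = flags["trust"] + flags["urgency"] + flags["context"]
    action = flags["unofficial_link"] or flags["callback_number"]
    if action and factors >= 2:
        verdict = "suspicious"
    elif action or factors >= 2:
        verdict = "review"
    else:
        verdict = "ok"
    return {"flags": flags, "verdict": verdict}


# Constructed sample messages (sender, body); none are real.
SAMPLES = [
    ("SlovPosta", "Slovenska posta: your parcel could not be delivered. Confirm "
     "your address and card immediately at http://posta-delivery.example/pay "
     "or it will be returned to the sender."),
    ("Bank", "Your account is blocked. Call 0900 000 000 immediately."),
    ("+421900000000", "Hi, I'll be home around six, see you then."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage(sender, body)["verdict"])
```

A keyword heuristic like this only prioritises messages for a closer look; a message that passes it still has to be verified through an official channel.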

  • First of all – do not respond and do not react. If the message seems suspicious, do not react and do not click on links.
  • If you received such an SMS or text message, slow down and give it some thought. Ask yourself simple questions – Have I really ordered a package? Did I make any payments? Can anyone ask me to do this?
  • Never provide your personal and financial data via SMS and text messages or links therein. No one except you is entitled to them.
  • If you receive a message, for example from your bank, check the message via another channel, e.g. call your bank's info line or your personal bank adviser if you have one.
  • Do not trust the sender, whether it is a phone number or a name. The attacker can disguise himself as a trusted name or phone number. Therefore, always check such messages via official channels.

If you have received such a smishing message via SMS, please report it to us. There are two ways to do it:

  • forward the SMS together with the phone number of the sender and recipient (your phone number) to our phone number +421 903 993 706;
  • copy the SMS message together with the phone number of the sender and recipient and send it by e-mail to incident@nbu.gov.sk. Please follow this procedure also in the case of text services such as WhatsApp and Facebook Messenger.
