• English

Latest update: 19.10.2023 | by Lili & Felix 

 

Time to smash smishing: how to detect fake SMS

 

Table of contents

 

“Good news your package is arrive click here to chose delvery www.promisewewontstealyourdata.forreal”

 

Ever received a text message that let you know about the imminent arrival of a package? Probably tons, especially during corona times when online shopping (and consequently, package deliveries) are rising to unprecedented levels.

 

Receiving packages is usually a positive experience, and notifications about the exact arrival time make life so much easier. That’s exactly why people tend to click on links in text messages to schedule their deliveries. Which is great. Unless the text message is fake and you’ll get a very different type of package. One that is definitely not a positive experience.

 
What is smishing?

Unfortunately, it’s time we learned a new expression: smishing. This word is a mash-up of SMS (text message) and phishing (the act of tricking people into giving cybercriminals their personal data), and its meaning is exactly what it suggests: phishing via text messages.

 

Although the term was coined back in 2006, its rise to fame began only recently. In fact, according to a recent report, 2020 has seen a 328% increase in smishing attacks, resulting in a loss of $54 million from 240.000 victims in the US alone. But smishing is a very global problem: in the EU, 166.000 people were affected with a loss of $26 billion between 2016-19.

 
The most common ruses

Package deliveries are just one of the pretexts scammers use to get to your personal data. Here’s a list of the most common smishing texts:

 

  • Tax problems. Receiving a note from the tax authority is usually stressful for many people, especially if it warns of an overdue payment. Scammers often use threatening language (“if you don’t pay your taxes within 24 hours the police will be notified”) to scare recipients into action.
  • Frozen accounts. Scammers will “notify” you about an online account being compromised. Whether your social media, email, bank, or any other important account, the tactic is the same as above: to get you to panic and click on the link. And ironically, really compromise your account.
  • Receiving money or a gift. Maybe a refund of a previous overpayment, or winning a daily prize from a trusted vendor (e.g. Amazon), or anything similar is supposed to get you to click on the link.
  • Emergency help. In the smishing version of the grandparent scam, senders want to scare recipients with misinformation about a loved one’s serious emergency to act rashly and give up their personal data. 
  • Fake two-factor identification. SMS-based two-factor identification can be compromised, which means that instead of giving your password to a trusted site, you give it to fraudsters on a fake website designed to trick you.
  • Whatsapp, Messenger and Signal messages. Unfortunately, even these applications can be hacked and used by fraudsters to steal your data.

 

Illustration of smishing texts from scammers using the brand names of UniCredit bank, Amazon, and Apple

Illustration of smishing texts from scammers using the brand names of UniCredit bank, Amazon, and Apple
 

Luckily, receiving a malicious text message doesn’t automatically download malware to your phone: you actually have to click on the link provided to become a victim of smishing. Which means that people have to be urgently educated about potential red flags in these scam messages.

 

Especially since less than 35% of cellphone users are even aware they exist. Unfortunately, people still largely associate malware and phishing scams with their laptops and desktop computers which greatly contributes to the “success” of smishing scammers.

 

 

AI in phishing scams

In an era where AI can create a song in the voice of well-known singers, it shouldn’t surprise us that fraudsters rely on this technology to improve the classic grandparent scam. In fact, an alarming trend is emerging in Germany where scammers use AI to mimic the voice of a person and pretend that they need urgent help from a parent or grandparent


No matter how tech-savvy you are, hearing the voice of a loved one in trouble can trigger a panic that overrides all cautious thinking.

 


"Phishing is an old phenomenon that often pairs with social engineering in order to provide consumers the wrong impression of urgency or importance. Smishing adds a new layer to this as people still tend to identify their laptops as the only source for malware and phishing attacks. However, our mobile phones get a bigger and bigger role in our lifes, doing in-app purchases, social shopping or with mobile-optimized stores. Fraudulent actors have identified this increase in importance and adjusted their targeting strategies. In combination with the data leaks, fraudsters can personally target you giving the wrong impression of safety - and they will still get better with personalized beginnings, no more typos and many more enhancements. It’s not enough to ignore these texts; all recipients should report them to enhance the consumer protection on the other side."

 


How to detect smishing

The example we gave on the very top is a dead giveaway. Bad grammar, typos, and a highly suspicious link should definitely alert the recipient that something is not right. Unfortunately, just like counterfeiters, the majority of smishing scammers are a bit more sophisticated than that.

 
Think before you act

Are you expecting a package? Do you even have a TikTok/Snapchat/HSBC account? When was the last time you spoke to your friend who’s now apparently in dire need? Did you even enter the contest you seem to have won?

 

Whenever you receive a text message from an unknown source, take a moment and think about the information given. Could what they say be true? If so, can you verify it before or even better, without clicking on the link?

 
Verification, verification, verification

It’s quite possible you’ve recently ordered a package, and why wouldn’t you have a Facebook account? Luckily, in most of these cases, the text message containing the potentially fraudulent link is nowhere near the only way to reach the person or company posing as the sender.

 

Check out your real Facebook/bank/whatever account. Is it working? Load the website of the package sender and manually enter your tracking code you received when the shipment was originally sent. Call your friend, and/or a common acquaintance and ask them if they’re really in trouble.

 

Bear in mind that most financial companies, as well as the tax authorities of many countries never send text messages asking for personal details. If in doubt, call the company and ask them if they’ve really sent you a notification. But don’t call the number given in the text message: check online and call the contact number given on the website of the “sender.”

 

 

Image of a smishing text in German sent via SMS in the name of Deutsche Post. Translation: “Hello, your package is still pending. Confirm your details here:http.//diginix.org/pkg/?kdrpmycrc301 Deutsche Post”

Image of a smishing text in German sent via SMS in the name of Deutsche Post. Translation: “Hello, your package is still pending. Confirm your details here:http.//diginix.org/pkg/?kdrpmycrc301 Deutsche Post”
 

As members of the public, online brand protection experts are not immune to receiving smishing texts. The above illustration contains a real message our colleague Felix got a few months back. Here’s what he has to say about the incident:

 

 
"I was expecting several packages so my initial reaction to getting a text from Deutsche Post was joy. But when I looked more closely at the link I got suspicious and had a closer look at the URL so that I realized that something was off. Instead of clicking on it, I went to Deutsche Posts’ website and pulled up my tracking information there. It’s sad that even a big household brand name like Deutsche Post is used for smishing scams."

 


Do a little online search on the phone number of the sender. Some numbers used for smishing have already been reported and published online.

 

If none of the above methods work, check out Scamadviser’s scam database. Manually copy the link into their search bar to discover if this link has ever been reported in connection with a scam.

 
What to do if you’ve already clicked on the link

If you happened to click on the link, don’t despair, all is not lost. You probably don't notice anything different, but if the link contained malware your phone may have become infected.

 

First of all, don’t panic. Put your phone in flight mode to stop any external influence and run a malware search. It may be even better to let an IT expert take a look at your phone as some malware could hide from untrained eyes.

 

If you want to make sure you’ve gotten rid of any malware, back up your important files and put your phone back to factory settings. Make sure not to automatically backup and reload everything, because that way you could simply reload the malware too.

 

Change your login credentials and passwords that may have been compromised. And don’t forget to report the incident.

 
Tips for brands

Although the main targets of smishing are mostly individuals, brands can’t ignore this threat. After all, what if the scammers use your brand’s name to launch their attack? The names of delivery companies, banks, government authorities, and many other brands have been used by smishing scammers to dupe people into giving up their personal data.

 

It’s definitely not your fault if random scammers decide to use your brand’s name in their smishing campaign. But it’s not true that you can’t do anything about it. In fact, you can do quite a lot.

 
App monitoring for protection

When clicking on the link included in a smishing text message, users sometimes land in an app store where a malicious app starts downloading itself on their phone. If the text message refers to a specific brand, it’s highly likely that the app will contain a reference as well. And this is where online brand protection can help put a stop to the scam.

 

globaleyez’s app monitoring service covers over 30 app stores, both major and minor from all over the world. Our online brand protection experts use state-of-the-art software tools to crawl the app stores, looking for keywords like your brand’s name in app names and descriptions.

 

Our service is geared towards detecting IP infringements, i.e. apps that use a brand’s name without permission. These apps usually make money by capitalizing on the brand’s name without authorization. After all, “Ferrari racing game” sounds so much more marketable than a simple “racing game.”

 

But since malicious apps also tend to use a brand’s name to gain more credibility and convince users to download it, our app monitoring service can actively contribute to detecting smishing scammers and protect unsuspecting smartphone users from downloading harmful content.

 

Once detected, our enforcement service ensures that infringing and harmful apps are quickly removed from the app stores.

 
Conclusion

Scams like smishing and phishing have unfortunately become part of our lives. Brands and consumers alike have to educate themselves to recognize these scams and protect themselves against it.

 

Although smishing mostly targets consumers, brands can’t ignore this threat without significant damage to their image and reputation. Protect your brand name and your customers from smishing apps, and enroll in globaleyez’s continuous app monitoring program.

 

Reach out to us for more details about our app monitoring and other services and how we can help you protect your brand.