The Federal Communications Commission (FCC) recently put out a note to warn people about a rise in SMS phishing attacks, sharing that text scams rose a staggering 168 percent between 2019-2021, with over 8,500 complaints just this year alone. “Cybercriminals are increasingly using text messages as a method to bypass the security controls typically implemented in email and other communication systems,” Josh Yavor, Chief Information Security Officer at Tessian, told Lifewire. “We are seeing new waves of socially engineered attacks where attackers are impersonating different kinds of SMS messages to dupe consumers into giving up sensitive and personal information.”
Weaponizing SMS
Phishing attacks perpetrated via fraudulent SMS messages are generally known as smishing, or as the FCC refers to them in its note: robotexts. According to the commission, complaints about such unwanted text messages have risen steadily in recent years from approximately 5,700 in 2019, 14,000 in 2020, and 15,300 in 2021, to 8,500 through June 30, 2022. It also suggested this figure could just be the tip of the iceberg, pointing to a Robokiller report that estimated Americans received over 12 billion robotext messages in July 2022, at an average of about 44 spam texts for every citizen. The FCC also shared some of the common lures that scammers behind these smishing campaigns use to trick people into handing over confidential information. “Like robocallers, a robotexter may use fear and anxiety to get you to interact,” noted the FCC. “Texts may include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems, or law enforcement actions against you.” Moreover, in their bid to engage with you, the scammers might also use the fraudulent SMS messages to provide confusing information, as if they were texting someone else, in order to get you to respond, one way or the other. Building on the FCC’s note, Yavor points out that SMS is “inherently more dangerous” than email as a phishing medium since it’s significantly more difficult to fight fraudulent messages over text than email. “Unfortunately, the world of security for SMS lags behind email as the core protections we have in email just don’t exist with texts,” said Yavor. “With SMS, it’s more difficult to train people to identify fraudulent senders, and people lack the support mechanisms they are used to when using email.” In Yavor’s experience, people have a better chance of identifying a fake email address, while it’s more difficult with SMS, thanks to the prevalence of number spoofing.
SMS is More Dangerous
Yavor pointed to a Tessian survey, which found that over half of the respondents had received a scam text message in the past year. Moreover, one-third of them fell for the scam, a number that’s higher than those who interacted with a phishing email. People usually don’t expect to be scammed via their texts, which is why SMS has become a really effective attack vector, noted Jeff Hancock, Harry and Norman Chandler Professor of Communication at Stanford University, in Tessian’s survey. The trust with SMS, he argued, stemmed from the fact that until recently, very few people outside our network would be able to reach us via SMS. “As we shop online and are prompted to share our mobile number, we now receive text messages from contacts we don’t know—some messages are legitimate, and others aren’t,” said Hancock. If you’ve received a suspicious text or an unusual request from someone you otherwise trust, Yavor suggests the best guidance is the same as in email—instead of engaging straightaway, take a moment to reach out to the sender via another means to verify the authenticity of the SMS. “It’s imperative to always establish trust outside the SMS conversation and remember that legitimate organizations [like your bank] would never give an ultimatum (like call back in 12 hours or else) or ask for financial details or passwords over text,” said Yavor. “Finally, people can report spam and fraudulent texts to their carrier by forwarding the messages to 7726.”