Social Engineering: What Is Smishing & How to Prevent It?

Social engineering is one of the oldest types of fraud in existence. In an information security context, it refers to the tactics that criminals use to trick people into handing over sensitive information or exposing their devices to malware.

Criminals have traditionally performed social engineering attacks via phishing emails, but there has recently been a rapid rise in a variant form of attack known as smishing.

These attacks are a specific type of phishing conducted over text message. Fraudsters use many of the same techniques, imitating banks or government departments, for example.

According to a Proofpoint study, 84% of organisations suffered a smishing attack in 2021.

The increase can be credited to the changing way in which people work and interact with technology. No longer limited to office environments and face-to-face meetings, many employees communicate on mobile apps and instant message clients.

It’s also become more common for organisations to contact people by text, creating additional avenues through which criminals can target people.

They’re aided by the lack of information needed to make an SMS message look genuine – as you can see in these real-life examples.

Real-life examples of smishing

1) Online bank fraud

This message appears to be from HSBC, and claims that fraudulent activity has been detected on the victim’s account.

The text is written in an authentic style but is let down by a suspicious web domain that doesn’t include ‘HSBC’.

2) You’ve won an iPhone

For many, the iPhone and iPad are synonymous with luxury, so it’s no surprise that fraudsters dangle it as bait.

Such messages are among the most common pretexts in smishing scams, and can be found in practically every service that offers instant messaging capabilities.

In this example, the sender claims that the recipient is one of 100 people in with a chance to win an Apple iPad Pro, Magic Keyboard and a 12-month subscription to Apple TV.

3) Prize winner

Both smishing and phishing are heavily populated by scams claiming that the recipient has won a prize. In the example below, the message states that the recipient has won second prize in a lottery.

This scam exploits two common tactics in smishing messages. First, it generates excitement at the prospect of having won something.

In this case, it claims that it was ‘second prize’, which may well temper people’s expectations and make the message feel more believable. It’s not necessarily some huge luxury item such as an iPhone – which may arouse suspicion – but instead something presumably less valuable but still impressive.

That brings us to the second tactic used in this scam – namely, it piques the recipient’s interest by not stating what the prize is.

Whereas some bogus messages will promise something specific, like an iPhone, this message creates a layer of mystery that encourages the recipient to follow the link.

4) Free gift vouchers

Supermarket voucher scams are particularly popular whenever there are suggestions that people are on tight budgets.

The run-up to and weeks following Christmas are prime examples, and unlike scams that promise expensive gifts, supermarket voucher scams appear to provide a way to help people afford necessities.

In this message, the scammer claims that Aldi is giving away £150 in vouchers to celebrate its anniversary.

There are scams imitating almost every UK supermarket, but this one is especially deceptive given its authentic-looking URL. If you look carefully, you’ll see the ‘D’ in Aldi has been replaced by a near-identical letter used in the Arabic alphabet; the only difference is the small dot (a diacritic).

5) Tax rebate from HMRC

In this scam, the victim receives a message supposedly from the government saying that they are entitled to a tax rebate.

This scam works for two reasons. First, recipients may not view the unsolicited message with suspicion, because tax rebates are somewhat common and most people won’t be sure if they are expecting a rebate.

Second, the message accurately mimics genuine correspondence. The URL, although fake, contains the words “hmrc” and “gov”, which you’d expect to see in a legitimate link.

However, eagle-eyed recipients will notice that, whereas UK government websites use “.gov” as the top-level domain, this link uses “.com” and has “gov” only as a label within the domain name, not as its suffix.
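The two URL tells described in the Aldi and HMRC examples (a look-alike character in the domain, and a trusted word such as “gov” or a brand name placed somewhere other than where it belongs) can be checked mechanically. The Python script below is an added example written for this post, not code from the original article or from any vendor: it pulls URLs out of a text message, folds look-alike characters back to ASCII, and reports why a link deserves a second look. The sample messages, the brand list and the government suffixes are constructed assumptions for the example.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Institutions impersonated in the examples above (assumption: a real deployment
# would load the names of the organisations it actually expects to hear from).
BRAND_TOKENS = ("hmrc", "hsbc", "aldi")
# Suffixes under which a UK government site would legitimately sit (assumption).
GOV_SUFFIXES = (".gov.uk", ".gov")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def fold_to_ascii(text: str) -> str:
    """Strip diacritics so that a host such as 'alḍi' compares as 'aldi'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def extract_urls(text: str) -> list[str]:
    """Find http(s) links in a message, dropping trailing punctuation."""
    return [m.group(0).rstrip(".,;:!?)'\"") for m in URL_RE.finditer(text)]


def analyse_url(url: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings for one URL; an empty list means nothing was flagged."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""      # already lower-cased by urlparse
    path = parsed.path.lower()

    # 1. Look-alike characters: anything outside ASCII in the host deserves attention.
    for ch in host:
        if ord(ch) > 0x7F:
            findings.append(("non_ascii_char",
                             f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')} in {host!r}"))

    # 2. Punycode labels: how such a host looks once a client has IDNA-encoded it.
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                shown = label.encode("ascii").decode("idna")
            except UnicodeError:
                shown = "<undecodable>"
            findings.append(("punycode_label", f"{label} renders as {shown!r}"))

    folded = fold_to_ascii(host)
    labels = folded.split(".")

    # 3. 'gov' inside the name but not under a government suffix (the HMRC example).
    if "gov" in folded and not folded.endswith(GOV_SUFFIXES):
        findings.append(("gov_not_suffix",
                         f"'gov' appears in {folded!r} but the domain is not under {GOV_SUFFIXES}"))

    # 4. Brand names buried inside a longer label, or relegated to the path.
    for token in BRAND_TOKENS:
        if any(token in label and label != token for label in labels):
            findings.append(("brand_in_long_label", f"{token!r} embedded in a label of {folded!r}"))
        elif token not in folded and token in path:
            findings.append(("brand_only_in_path", f"{token!r} appears in the path but not the domain"))
    return findings


def analyse_message(text: str) -> dict[str, list[tuple[str, str]]]:
    """Map every URL in a message to its findings."""
    return {url: analyse_url(url) for url in extract_urls(text)}


def is_suspicious(text: str) -> bool:
    return any(analyse_message(text).values())


if __name__ == "__main__":
    # Constructed sample messages modelled on the scam types discussed above
    # (not the real texts shown in the article).
    samples = [
        "ALDI: to celebrate our anniversary we are giving away £150 in vouchers. Claim at https://alḍi-rewards.com/claim",
        "HMRC: you are due a tax rebate of £342.20. Apply at http://hmrc-gov-refund.com/rebate",
        "Your HSBC account was accessed from a new device. Verify at https://secure-verify-alerts.com/hsbc",
        "Running 10 mins late, see you at https://www.gov.uk/ soon",
    ]
    for sms in samples:
        for url, findings in analyse_message(sms).items():
            print(url, "->", findings or "no findings")
```

Such a check is no substitute for the advice that follows (confirm through a channel you already trust), but it illustrates why a domain that merely contains a familiar word is not evidence of anything: only the suffix and the exact spelling of each label matter.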

How to protect yourself from smishing

The most decisive way to protect yourself from scams is to never provide personal details in response to an unsolicited message.

Scammers’ objective is to capture these details, so if you simply ignore their requests, you can be assured of your safety.

However, many people are hesitant to do this because it leaves the possibility that they’ve ignored a genuine message. If it’s, say, a tax rebate or an online banking fraud warning, inaction could feasibly have significant negative consequences.

Although we understand this, it’s unlikely that you would only be alerted by text message in these scenarios. You would typically also get a letter from the government or a phone call from your bank.

If you’re ever uncertain whether a message is genuine, you can find an alternative way of contacting the sender. This might be by visiting your bank in-branch, logging into an online portal or finding a phone number on their website.

Additionally, everyone should be able to spot the signs of a suspicious email to protect themselves from scams. You can find out how by enrolling in our Phishing Staff Awareness E-Learning Course.

This online training course uses examples such as the ones listed in this blog to help you identify the signs of scams.

It covers everything from phony text messages and emails to telephone con artists, to ensure that you and your team are equipped to spot fraudulent messages before it’s too late.