Text messaging is a convenient and effective form of communication, but it also presents opportunities for cybercriminals to exploit unsuspecting users. Text-based threats are growing, from smishing and spoofing to malware links and OTP theft. However, by being vigilant and adopting good security practices, you can protect yourself from being victimized by these attacks.
Smishing (SMS Phishing)
What is smishing?
Smishing is one of the most common and dangerous forms of text messaging attacks. In 2020, the Internet Crime Complaint Center (IC3) reported over 240,000 victims of phishing, smishing, vishing, and pharming, costing over $54 million in losses.
Like email phishing, smishing involves cybercriminals sending fraudulent messages to trick victims into providing personal information such as usernames, passwords, or financial details. However, instead of using email, these attacks occur via text messages.
How does smishing work?
Attackers usually disguise themselves as trusted entities, such as banks, delivery services, or government agencies. The message will urge you to click on a link to verify your account information. These links often lead to phishing websites that look identical to legitimate sites, designed to steal your data.
Real-world example
An example of smishing would be a text message claiming to be from your bank, reading:
“Your account has been temporarily locked due to suspicious activity. Click here to unlock: [fraudulent link].”
Once clicked, the link takes you to a fake website, prompting you to enter sensitive information like your account number or password.
How to protect yourself from smishing
- Verify before you click: Always verify the authenticity of a message by contacting the sender through official channels.
- Avoid sharing personal information: Be cautious about sharing sensitive data via SMS, especially if prompted by unsolicited messages.
- Install anti-phishing software: Use anti-phishing tools that block fraudulent links and websites.
Spoofing
What is spoofing?
In a spoofing attack, the hacker disguises their phone number or identity to make the message appear as though it is coming from a trusted source, such as a contact or a known service provider. Spoofing is often used alongside other attacks, like smishing, to increase the chances of success.
How does spoofing work?
Spoofing relies on deception. Using specialized software, attackers alter the caller ID or the sender’s number to make it appear as if the message is from a legitimate source. The victim receives a message from what looks like a trusted sender and is more likely to click on links or respond with sensitive information.
Real-world example
Imagine receiving a text message from a number that looks like your workplace or service provider:
“Hey, this is IT. We noticed an unusual login attempt on your account. Please verify your credentials here: [fake link].”
Since the message appears legitimate, you're more likely to comply without suspecting malicious intent.
How to protect yourself from spoofing
- Verify identity through other channels: If you receive a suspicious message, contact the sender directly using their official phone number or email.
- Use spam filters: Many smartphones and messaging apps include spam filters that help detect and block spoofed messages.
Malware links
What are malware links?
Cybercriminals often use text messages to send malicious links that install malware on the victim’s device. Malware can steal personal data, track your activity, or even lock you out of your phone in the case of ransomware.
How does malware work?
A typical malware attack starts with an innocent-looking message containing a link or an attachment. Once the victim clicks the link or downloads the attachment, malware is installed on their device. Depending on the type of malware, it could monitor your activity, steal login credentials, or hold your data ransom until a payment is made.
Real-world example
A message might say:
“Congratulations, you’ve won a free iPhone! Click here to claim your prize: [malicious link].”
The link redirects you to a website where malware is automatically downloaded and installed onto your device without your knowledge.
How to protect yourself from malware links
- Never click unknown links: Avoid clicking on links from unknown or untrusted sources, especially if the message is unsolicited.
- Update your device: Keep your smartphone and messaging apps up to date, as many updates include security patches.
- Install security software: Use antivirus software designed for mobile devices to detect and prevent malware infections.
OTP theft
What is OTP theft?
One-time passwords (OTPs) or two-factor authentication (2FA) codes are temporary codes sent via text to verify identity during login or transaction processes. OTP theft occurs when an attacker tricks you into revealing your code, allowing them to bypass your account security.
How does OTP theft work?
In an OTP theft attack, cybercriminals often impersonate legitimate entities and request your OTP under false pretenses. Once they have the code, they can access your account, even if it’s protected by two-factor authentication.
Real-world example
A hacker could send a message posing as your bank:
“Your account security is being updated. Please reply with the OTP you just received to verify your identity.”
If you provide the OTP, the hacker can access your account.
How to protect yourself from OTP theft
- Never share OTPs: No legitimate company or service will ever ask you to share your OTP.
- Use app-based 2FA: Instead of relying on SMS for two-factor authentication, consider using an app like Google Authenticator or Authy, which is more secure.
- Enable account notifications: Set up alerts to notify you of any suspicious account activity.
Social engineering attacks
What is social engineering?
Social engineering attacks are based on manipulating human emotions and behavior to extract confidential information. Through cleverly crafted messages, attackers exploit trust and fear to convince victims to share sensitive data or take harmful actions.
How does social engineering work?
Cybercriminals may pose as trusted individuals, like colleagues, friends, or service providers. By playing on emotions such as fear or urgency, they manipulate victims into revealing confidential information or completing tasks that compromise security.
Real-world example
A message might say:
“Hey, this is your boss. I’m locked out of my account, and I need your help. Can you send me your login details so I can access the system?”
The urgency and familiarity of the message can make it seem legitimate, leading to the victim unknowingly providing sensitive information.
How to protect yourself from social engineering
- Be skeptical of urgent requests: Attackers often create a sense of urgency to prompt quick action without thinking.
- Verify through other means: Always confirm any unusual request by contacting the individual or organization through official channels.
- Educate yourself: Stay informed about common social engineering tactics and how to recognize them.
SIM swapping
What is SIM swapping?
SIM swapping is a type of attack where the hacker convinces your mobile carrier to transfer your phone number to a new SIM card controlled by them. Once they control your phone number, they can intercept your text messages and calls, including two-factor authentication codes.
How does SIM swapping work?
Attackers often impersonate you and contact your mobile provider, claiming that you need to change your SIM card due to a lost or stolen phone. Once your number is transferred to their SIM card, they can receive your messages, including verification codes, and gain access to your accounts.
Real-world example
After successfully conducting a SIM swap, a hacker can log into your email or bank account by resetting the password and receiving the 2FA code sent via text message.
How to protect yourself from SIM swapping
- Set up a PIN with your mobile carrier: Many carriers allow you to set up a PIN that must be provided before any changes can be made to your account.
- Monitor account activity: Keep an eye out for unusual login attempts or notifications of password changes.
- Use app-based 2FA: Reduce reliance on SMS-based two-factor authentication by using authentication apps.
SMS bombing
What is SMS bombing?
SMS bombing is an attack that involves overwhelming a victim’s phone with a large number of unwanted messages. While this type of attack doesn't usually result in data theft, it can cause significant inconvenience and even make the victim's phone unusable.
How does SMS bombing work?
Attackers use automated systems to send hundreds or thousands of SMS messages to a victim’s phone in a short period. This can result in phone service disruption, making it difficult for the victim to use their device for legitimate purposes.
Real-world example
Imagine receiving hundreds of messages within minutes, rendering your phone virtually useless as you try to clear the notifications.
How to protect yourself from SMS bombing
- Use spam filters: Enable spam filtering features on your phone to block excessive messages.
- Report the attack: Contact your mobile provider to report the attack and block the sender.
- Change your phone number if necessary: In severe cases, changing your phone number might be the most effective solution.
Premium rate SMS scams
What are premium rate SMS scams?
In this type of scam, attackers trick victims into sending messages to premium-rate numbers, resulting in unexpected charges on their phone bills. These numbers charge exorbitant fees for each message sent, and the attackers profit from the charges.
How does the scam work?
Cybercriminals often disguise premium-rate numbers as legitimate services or contests. Victims are encouraged to send a text message to participate, without realizing the cost associated with the message.
Real-world example
You might receive a message stating:
“Text ‘WIN’ to 55555 for a chance to win $1,000!”
By texting the number, you unknowingly incur significant charges.
How to protect yourself from premium rate SMS scams
- Avoid texting unknown numbers: Be cautious when responding to unsolicited messages, especially if they involve premium-rate numbers.
- Review your phone bill: Regularly check your phone bill for any unusual charges.
- Block premium-rate services: Some mobile providers allow you to block premium-rate messaging services altogether.
Keeping safe
A Federal Trade Commission data report shows that consumers reported losing more than $5.8 billion to fraud in 2021, an increase of more than 70 percent over the previous year. With 81% of Americans texting regularly, it is important to know how they can protect themselves against text-based cyber attacks. Here are some general tips to stay safe:
- Be skeptical of unsolicited messages: Always question messages from unknown senders, especially those requesting personal information or immediate action.
- Verify through trusted channels: If you receive a suspicious message from what appears to be a trusted source, verify its authenticity by contacting the organization or individual directly.
- Use security tools: Install security software, enable spam filters, and use app-based two-factor authentication to add layers of protection.
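The warning signs described in the sections above (links, urgency, requests for codes or credentials, prize lures, replies to short codes) can be expressed as a simple triage filter. This is an added example, not part of the original article; the patterns, weights and threshold are illustrative assumptions, and the benign messages are constructed.

```python
import re

# Warning signs named in the article, as regexes with weights.
# Patterns, weights and the threshold are illustrative assumptions.
INDICATORS = {
    "link": (re.compile(r"https?://|\bclick here\b|\[[^\]]*link\]", re.I), 2),
    "urgency": (re.compile(r"\b(locked|suspicious|unusual|urgent|immediately)\b", re.I), 1),
    "credential_request": (
        re.compile(r"\b(otp|password|credentials|login details)\b", re.I), 3),
    "prize_lure": (re.compile(r"\b(congratulations|you.ve won|chance to win)\b", re.I), 2),
    "short_code_reply": (re.compile(r"\btext\b.{0,20}\bto \d{4,6}\b", re.I), 2),
}
THRESHOLD = 3


def triage(message):
    """Return (score, matched indicator names) for one SMS body."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(message)]
    return sum(INDICATORS[name][1] for name in hits), hits


def is_suspicious(message):
    """True when the combined indicator weight reaches the threshold."""
    return triage(message)[0] >= THRESHOLD


# The article's own example messages, with its bracketed link placeholders.
ARTICLE_SAMPLES = [
    "Your account has been temporarily locked due to suspicious activity. "
    "Click here to unlock: [fraudulent link].",
    "Hey, this is IT. We noticed an unusual login attempt on your account. "
    "Please verify your credentials here: [fake link].",
    "Congratulations, you’ve won a free iPhone! Click here to claim your prize: "
    "[malicious link].",
    "Your account security is being updated. Please reply with the OTP you just "
    "received to verify your identity.",
    "Hey, this is your boss. I’m locked out of my account, and I need your help. "
    "Can you send me your login details so I can access the system?",
    "Text ‘WIN’ to 55555 for a chance to win $1,000!",
]
# Constructed benign messages for contrast.
BENIGN_SAMPLES = [
    "Running ten minutes late, see you at the cafe.",
    "Your verification code is 482913. Do not share it with anyone.",
]

if __name__ == "__main__":
    for msg in ARTICLE_SAMPLES + BENIGN_SAMPLES:
        score, hits = triage(msg)
        print(f"{score:>2} {'FLAG' if score >= THRESHOLD else 'ok':<4} {hits}")
```

Note that a message delivering a code is not flagged, while a message asking you to reply with one is. Keyword heuristics like this miss reworded lures, so they complement rather than replace verifying through official channels.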
FAQs
What should I do if I receive a suspicious text message?
- Do not click any links or provide any personal information.
- Report the message to your mobile provider or use spam reporting features on your phone.
- If it appears to be from a legitimate source, contact them directly using an official phone number to verify the message.
How can I report text message cyberattacks?
You can report suspicious text messages to your mobile carrier. Many carriers have specific reporting mechanisms for spam or fraudulent messages. Additionally, you can report them to local authorities or consumer protection agencies.
What is the role of two-factor authentication (2FA) in protecting against text message attacks?
Two-factor authentication adds an extra layer of security by requiring a second form of verification (like a text message code) in addition to your password. However, relying on SMS for 2FA can be risky if attackers can intercept those messages. Using app-based authentication methods is generally more secure.