Text messaging is a convenient and effective form of communication, but it also presents opportunities for cybercriminals to exploit unsuspecting users. Many threats are growing in texts, from smishing and spoofing to malware links and OTP theft. However, by being vigilant and adopting good security practices, you can protect yourself from being victimized by these attacks.
Smishing is one of the most common and dangerous forms of text messaging attacks, with the 2020 Internet Crime Complaint Center (IC3) stating they have reported over 240,000 victims of phishing, smishing, vishing, and pharming, costing over $54 million in losses.
Like email phishing, smishing involves cybercriminals sending fraudulent messages to trick victims into providing personal information such as usernames, passwords, or financial details. However, instead of using email, these attacks occur via text messages.
Attackers usually disguise themselves as trusted entities, such as banks, delivery services, or government agencies. The message will urge you to click on a link to verify your account information. These links often lead to phishing websites that look identical to legitimate sites, designed to steal your data.
An example of smishing would be a text message claiming to be from your bank, reading:
“Your account has been temporarily locked due to suspicious activity. Click here to unlock: [fraudulent link].”
Once clicked, the link takes you to a fake website, prompting you to enter sensitive information like your account number or password.
In a spoofing attack, the hacker disguises their phone number or identity to make the message appear as though it is coming from a trusted source, such as a contact or a known service provider. Spoofing is often used alongside other attacks, like smishing, to increase the chances of success.
Spoofing relies on deception. Using specialized software, attackers alter the caller ID or the sender’s number to make it appear as if the message is from a legitimate source. The victim receives a message from what looks like a trusted sender and is more likely to click on links or respond with sensitive information.
Imagine receiving a text message from a number that looks like your workplace or service provider:
“Hey, this is IT. We noticed an unusual login attempt on your account. Please verify your credentials here: [fake link].”
Since the message appears legitimate, you're more likely to comply without suspecting malicious intent.
Cybercriminals often use text messages to send malicious links that install malware on the victim’s device. Malware can steal personal data, track your activity, or even lock you out of your phone in the case of ransomware.
A typical malware attack starts with an innocent-looking message containing a link or an attachment. Once the victim clicks the link or downloads the attachment, malware is installed on their device. Depending on the type of malware, it could monitor your activity, steal login credentials, or hold your data ransom until a payment is made.
A message might say:
“Congratulations, you’ve won a free iPhone! Click here to claim your prize: [malicious link].”
The link redirects you to a website where malware is automatically downloaded and installed onto your device without your knowledge.
One-time passwords (OTPs) or two-factor authentication (2FA) codes are temporary codes sent via text to verify identity during login or transaction processes. OTP theft occurs when an attacker tricks you into revealing your code, allowing them to bypass your account security.
In an OTP theft attack, cybercriminals often impersonate legitimate entities and request your OTP under false pretenses. Once they have the code, they can access your account, even if it’s protected by two-factor authentication.
A hacker could send a message posing as your bank:
“Your account security is being updated. Please reply with the OTP you just received to verify your identity.”
If you provide the OTP, the hacker can access your account.
In the news: Phishing kit that bypasses MFA targets Gmail and Microsoft 365
Social engineering attacks are based on manipulating human emotions and behavior to extract confidential information. Through cleverly crafted messages, attackers exploit trust and fear to convince victims to share sensitive data or take harmful actions.
Cybercriminals may pose as trusted individuals, like colleagues, friends, or service providers. By playing on emotions such as fear or urgency, they manipulate victims into revealing confidential information or completing tasks that compromise security.
A message might say:
“Hey, this is your boss. I’m locked out of my account, and I need your help. Can you send me your login details so I can access the system?”
The urgency and familiarity of the message can make it seem legitimate, leading to the victim unknowingly providing sensitive information.
SIM swapping is a type of attack where the hacker convinces your mobile carrier to transfer your phone number to a new SIM card controlled by them. Once they control your phone number, they can intercept your text messages and calls, including two-factor authentication codes.
Attackers often impersonate you and contact your mobile provider, claiming that you need to change your SIM card due to a lost or stolen phone. Once your number is transferred to their SIM card, they can receive your messages, including verification codes, and gain access to your accounts.
After successfully conducting a SIM swap, a hacker can log into your email or bank account by resetting the password and receiving the 2FA code sent via text message.
SMS bombing is an attack that involves overwhelming a victim’s phone with a large number of unwanted messages. While this type of attack doesn't usually result in data theft, it can cause significant inconvenience and even make the victim's phone unusable.
See also: What is email bombing?
Attackers use automated systems to send hundreds or thousands of SMS messages to a victim’s phone in a short period. This can result in phone service disruption, making it difficult for the victim to use their device for legitimate purposes.
Imagine receiving hundreds of messages within minutes, rendering your phone virtually useless as you try to clear the notifications.
In this type of scam, attackers trick victims into sending messages to premium-rate numbers, resulting in unexpected charges on their phone bills. These numbers charge exorbitant fees for each message sent, and the attackers profit from the charges.
Cybercriminals often disguise premium-rate numbers as legitimate services or contests. Victims are encouraged to send a text message to participate, without realizing the cost associated with the message.
You might receive a message stating:
“Text ‘WIN’ to 55555 for a chance to win $1,000!”
By texting the number, you unknowingly incur significant charges.
A Federal Trade Commission data report shows that consumers reported losing more than $5.8 billion to fraud in 2021, an increase of more than 70 percent over the previous year. With 81% of Americans texting regularly, it is important to know how they can protect themselves against text-based cyber attacks. Here are some general tips to stay safe:
See also: The guide to HIPAA compliant text messaging
You can report suspicious text messages to your mobile carrier. Many carriers have specific reporting mechanisms for spam or fraudulent messages. Additionally, you can report them to local authorities or consumer protection agencies.
Two-factor authentication adds an extra layer of security by requiring a second form of verification (like a text message code) in addition to your password. However, relying on SMS for 2FA can be risky if attackers can intercept those messages. Using app-based authentication methods is generally more secure.