Smishing "SMS Phishing" and Phishing: Definition and Explanation with Examples

Smishing

Smishing is a phishing scam that abuses SMS (Short Message Service) on smartphones and other devices. The word is a coinage that combines “SMS” and “phishing”. The messages direct recipients to fake sites that imitate well-known companies in order to launch attacks such as stealing the passwords used on the real sites.





How Smishing works


Smishing is a form of phishing, a type of fraud that takes place over the Internet. Fake messages (typically e-mails) disguised as coming from the operators of membership-based internet services guide targets to fake sites that look exactly like the real thing, where important information such as IDs, passwords, and credit card numbers is stolen.

Methodology


Smishing delivers the fake messages of such phishing scams by SMS to mobile phones. Because the destination is specified by telephone number alone, messages can be sent to a large number of randomly generated numbers all at once, which makes it possible to target people whose information, such as an e-mail address, could not be obtained in advance.

Target companies

Many companies that provide services such as notifications and procedures for smartphones are subject to spoofing: financial institutions (online banking, etc.), major mail-order sites, telecommunications carriers (carrier payment, etc.), and home delivery companies. Cases pretending to be such companies (such as out-of-office notifications) are well known.

Post targeting


When services related to money or payment are targeted, victims are made to enter all the contents of the credit card verification code and the code table used for two-step verification of online banking, so that the attacker can impersonate them to steal deposits or high-priced products. There have also been reports of malicious cases in which payments were made.

Detecting genuine and fake SMS


In SMS, it is difficult to distinguish between genuine and fake messages, because the sender of a fake is likewise displayed as a phone number or as a character string with the name of the other party. The website is also displayed on a narrow smartphone screen with limited information, so it is hard for a non-expert to judge its authenticity. Self-defense measures are required, such as finding the business's site through a Web search and accessing it that way, without opening the URL sent by the other party.
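The check described above can be partly automated for triage. The following is an added example, not part of the original article: it ignores the displayed sender and compares each link's real hostname against a list of official domains. The domain names, sample messages and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: official domains are collected independently (from the
# company's own site or paperwork), never from the message being checked.
OFFICIAL_DOMAINS = {"examplebank.example", "exampledelivery.example"}

# Only explicit http(s) links are extracted; bare hostnames are not.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url):
    """Hostname the link actually points at, lower-cased ('' if unparsable)."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""


def is_official(host):
    """Exact match or true subdomain only; substring matches do not count."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage_sms(sender, body):
    """Return (verdict, unlisted_hosts) for one message.

    `sender` is accepted but never used for trust: as the article notes,
    it can display any phone number or company name.
    """
    hosts = [host_of(u) for u in URL_RE.findall(body)]
    if not hosts:
        return ("no-link", [])
    unlisted = [h for h in hosts if not is_official(h)]
    return ("suspicious", unlisted) if unlisted else ("official-link", [])


SAMPLES = [  # constructed messages, not real traffic
    ("ExampleBank", "Account locked. Verify: https://examplebank.example.account-check.test/login"),
    ("+15550100", "Parcel held: http://exampledelivery.example@redelivery-notice.test/t"),
    ("ExampleBank", "Statement ready at https://www.examplebank.example/statements."),
    ("ExampleBank", "Your one-time code is 482913."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(triage_sms(sender, body), "<-", sender, "|", body)
```

An "official-link" verdict only means the hostname is on the list; reaching the site through a search or a saved bookmark, as recommended above, remains the safer habit.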

