Tuesday, April 21, 2009

The mobile high-tech threat: Smishing

What's the best way to disguise a phishing attempt so no one can tell where a request for personal information or a password really came from? Easy: Send it via text message.

"Smishing" is the name being given to the not-entirely-new but growing practice of sending phishing come-ons and scams via SMS message. And spammers are apparently finding it an increasingly easier proposition to text a phishing message to you rather than to email it traditionally.

Why's that? You've probably received hundreds or thousands of phishing emails and immediately saw through the ruse: Images were broken, the "from" address was wrong, words were misspelled, or links in the message were obviously directing you to phony websites. There are dozens of things that phishers have to get right for an email scam to fool anyone, and that's apparently quite difficult to do. Making things even tougher, many of those emails are now blocked by ISPs and spam filters and never make it to their intended targets.

Those problems don't really exist at the SMS level: Very few SMS messages are blocked, and since they are composed entirely of text, no images required, it's often impossible at a glance to determine if a message is real or fake.

One popular smish threatens the user that he is about to be charged for something unless he cancels it, with a message like: "We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order by clicking here: phonysite.com." Of course there are no pending charges, and the site you're directed to is completely fake, its goal being to collect your credit card number (which you will helpfully enter in order to "cancel" the charges), or install a bit of malware on your computer (or even, someday, on your phone).

Smishing messages may instead direct you to call a toll-free number in order to complete or cancel some financial transaction, the only difference being that a human operator will handily take down your credit card or bank account number for you, to save you the trouble of typing it online. Of course, the number you called is phony, too.

What should you do if you receive a message you fear is a smish attack? The answer should be pretty obvious but bears repeating: Virtually no credible financial institution, utility, or other business will communicate with you via SMS with the exception of your cell phone provider. Don't recognize the website or phone number being sent to you? Don't call it. If you're worried about an upcoming charge, contact the service provider or bank directly via means you know are legitimate and ask them directly about the message. They'll likely tell you what you already know: Just ignore it.

No comments:

Post a Comment