Smishing – the big scam with the fake SMS!

M.Sc. Chris Wojzechowski (IT-Risk Manager, IT-Grundschutz Practitioner (TÜV))


Smishing is a portmanteau of SMS and phishing, the latter being the attempt to "fish" for passwords that most people know from e-mail. The term simply names the channel: the text message is the means to an end. Because SMS is now used for only a handful of legitimate purposes, criminals concentrate on exactly those: fake parcel delivery notices and bogus notifications about an existing two-factor authentication.

More than 100 million fake SMS messages have been counted in the Telekom network alone. The problem is large and affects many smartphones and users, regardless of the network operator. Even where operators issue warnings, reliable mechanisms for stopping the messages early are lacking. To reduce the risk of damage, information, education and training in handling fake SMS are indispensable, in both private and business contexts.

Clicking on the link in an SMS can be particularly critical

Can a single click on a link already be harmful? The answer has to be "yes". This is true for a link in an e-mail and just as true for a link in an SMS, but the SMS case is more critical. Instead of information about the alleged parcel, the link leads to the installation of an app obtained outside the official app store. Once installed, that app prepares and sends a large number of further SMS messages to the phone's contacts in the background, which is how the campaign spreads. The approach works so well precisely because installing software from third-party sources is permitted. For better or worse, this is currently a problem of Android-based smartphones only.

Even the pleasant notification of a prize should make you suspicious, especially if you have neither provided your mobile number anywhere nor actually taken part in a sweepstake. The Federal Office for Information Security (BSI) has long been aware of the problem and regularly publishes information about new fraud schemes of this kind.

The BSI is currently warning about a smishing campaign in which tapping "Install security update" is supposed to lead to the download of malicious files.
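The lures described above (parcel notices, fake "security update" prompts, sweepstake wins, two-factor notifications) and the sideloaded Android package behind the link can be turned into a simple triage heuristic. The following Python script is an added example and not code from the original article or from AWARE7: it scores a batch of SMS messages on those indicators without ever resolving a link. The sender numbers, message texts and hostnames are constructed for the example (the `.invalid` and `example.com` domains are reserved and do not exist), and the scoring weights and the threshold of 4 are assumptions, not a published rule.

```python
"""Heuristic triage of incoming SMS for smishing indicators (added example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Matches http(s) URLs as well as bare "host.tld/path" links that smishing texts often use.
URL_RE = re.compile(
    r"https?://[^\s<>\"']+|\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}/[^\s<>\"']*", re.I
)

# Lure vocabulary (German and English) grouped by the scam themes the article names.
LURES = {
    "parcel": ("paket", "package", "parcel", "delivery", "zustellung", "sendung"),
    "update": ("security update", "sicherheitsupdate", "install", "installieren"),
    "prize": ("gewonnen", "won", "prize", "gewinn", "congratulations"),
    "2fa": ("code", "verification", "bestätigungscode", "zwei-faktor", "two-factor", "2fa"),
}

SUSPICIOUS_AT = 4  # assumed threshold: score at or above this flags the message


@dataclass
class Verdict:
    sender: str
    score: int = 0
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_AT


def _matches(text: str, term: str) -> bool:
    """Whole-word, case-insensitive match so 'tan' cannot hit 'standard'."""
    return re.search(r"(?<!\w)" + re.escape(term) + r"(?!\w)", text, re.I) is not None


def score_sms(sender: str, text: str) -> Verdict:
    """Score one message. Links are only parsed, never fetched."""
    v = Verdict(sender=sender)
    v.urls = URL_RE.findall(text)
    if v.urls:
        v.score += 2
        v.reasons.append("contains a link")
    for theme, terms in LURES.items():
        if any(_matches(text, t) for t in terms):
            v.score += 2  # counted once per theme, not once per word
            v.reasons.append(f"{theme} lure")
    for url in v.urls:
        parsed = urlparse(url if "://" in url else "http://" + url)
        if parsed.path.lower().endswith(".apk"):
            # An .apk link is the sideload pattern behind the mass-SMS malware.
            v.score += 3
            v.reasons.append("link points to an Android package (sideload)")
        if parsed.scheme == "http":
            v.score += 1
            v.reasons.append("plain-http link")
    return v


# Constructed sample inbox: senders, texts and hosts are fictitious.
SAMPLE_SMS = [
    ("+491701234567", "Paketdienst: Ihr Paket wartet. Verfolgen: https://paket-status.invalid/track/83h2"),
    ("+491512345678", "Install security update: http://android-update.invalid/update.apk"),
    ("1234", "Your verification code is 482913. Do not share it."),
    ("+491609876543", "Hi, are we still on for lunch at 12:30? https://maps.example.com/place"),
    ("+491731112223", "Ihre Zwei-Faktor-Authentifizierung wurde deaktiviert. Reaktivieren: https://konto-sicherheit.invalid/reaktivieren"),
    ("+491745556667", "Congratulations, you won a smartphone! Claim: https://gewinnspiel-aktion.invalid/claim"),
]


def triage(messages=None) -> list:
    """Score every message in the batch and return the verdicts in order."""
    return [score_sms(sender, text) for sender, text in (messages or SAMPLE_SMS)]


if __name__ == "__main__":
    for v in triage():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} score={v.score} from={v.sender} reasons={v.reasons}")
```

Note what the heuristic deliberately does not do: it never opens a link, and a plain verification code without a link stays below the threshold, so genuine two-factor codes are not flagged. A lure theme combined with any link is enough to reach the threshold, which mirrors the article's advice that the link itself is the dangerous part.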

The rules for dealing with dubious text messages are easy to remember:

  1. Do not click on any link.
  2. Never download or install files from unknown sources.
  3. Delete the SMS.

In addition, two measures help with prevention:

  1. Block the sender's number.
  2. Activate the third-party billing block (Drittanbietersperre) with your provider so that premium services cannot be charged to your phone bill and cause unexpectedly high costs.

What can I do if I clicked on a link in a smishing SMS?

The right time, the right occasion and the right person: when these come together, criminals are often successful. With more than 100 million messages it is simply a numbers game, and some will arrive at exactly the wrong moment. So what can you do as an affected person after clicking on a malicious link in an SMS? The BSI's recommendations are sound advice and can be summarized as follows:

  • Deactivate the mobile network. Activate flight mode as soon as possible. This prevents the sending of further SMS.
  • Inform your mobile phone provider about the
  • Check your statements (bank account and mobile phone bill) carefully for charges you did not cause.
  • Filing a police report and resetting the device to factory settings are the final steps.

Despite precautions taken by mobile network providers, such as anomaly and fraud detection, there is (still) no reliable protection on this communication channel. Everyone who owns a mobile phone number should therefore be reminded of this and similar scams at regular intervals.

M.Sc. Chris Wojzechowski (IT-Risk Manager, IT-Grundschutz Practitioner (TÜV))

My name is Chris Wojzechowski and I am one of the two managing directors of AWARE7 GmbH. Our bread-and-butter business is performing penetration tests. We are also committed to a broad understanding of IT security in Europe, and for this reason we offer the majority of our products free of charge.