What is smishing and how to protect yourself

You won an iPhone without ever entering a contest, and you should visit the site they texted you? Hm, maybe not. It's smishing!

Let's start 2021 with some information of vital importance for the security of your website, of the data on your devices and, before that, of your smartphone. Hundreds, if not thousands, of pieces of sensitive information pass through this small tool every day, and they may be at risk of attack or intrusion by digital criminals.

How many times have you received an SMS of dubious origin, or with a sender that appears to be trusted, asking you to do something like:

  • Click on a link;
  • Enter a password out of the blue;
  • Provide personal or financial information;
  • Other out-of-the-ordinary communications that you would normally never receive via SMS;
  • Approvals of payments you never made.

These circumstances, unfortunately, occur more and more frequently, and make us wonder how much of the vaunted security of smartphones is actually real. The moment you reply to one of these text messages, you are practically handing your house keys, with a tag showing your address, to a complete stranger. Basically, you can only wait for them to rob you.

This sneaky and increasingly widespread phenomenon is smishing (if you can pronounce it you win a prize), the union of SMS and phishing. The classic online scam. In phishing, the digital criminal sends scam emails that try to direct you to a malware-laden attachment or to unofficial sites ready to suck up all the data you hand over, believing you are giving it to a legitimate site. The basis of phishing is deception: people believe they are dealing with something genuine, or perhaps with a service they usually use (their bank, the post office, or another), but instead they are faced with a malicious copy of the original, built with bad intentions.

Smishing is no different: instead of an email, you receive an SMS. You may think that the short message service is an almost prehistoric tool. Yet authentication or access to your home banking often passes right through it, with a code to be entered when the request appears on the terminal.

What happens if the SMS still arrives, but you are absolutely not accessing your home banking service? Well, you're probably a victim of SMS phishing.

The criminal mastermind behind smishing

Sending and receiving SMS is a rather disused activity, and perhaps for this reason it is taken a little lightly by regular and traditional users. Most people have a general smattering of how to handle e-mail, a much more "dangerous" tool, and have been indoctrinated by their digital native children (or have perhaps simply informed themselves) to reach an acceptable degree of security when handling their emails. They know that if “Poste Italiane” isn't spelled a certain way in the address bar, it's probably a scam email. Even more suspicious are emails that contain things like "HEY, check out this awesome link, you'll never believe your eyes!" But what is really scary, because it's part of an ancient heritage now half-forgotten, is SMS.

Using a smartphone makes us unjustifiably less wary. We live in the pious belief that smartphones are safer than laptops, but smartphone security has some limitations that must be taken into consideration if you want to use your tools consciously. We're talking, of course, about smishing.

According to some British and American research, more and more digital criminals are dedicating themselves to smartphone scams, where the average user is much more vulnerable.

What does a smisher want? In short, whoever carries out this criminal practice wants to obtain people's personal data to review it, or to embezzle the money on your cards. On the one hand, smishing convinces you to download malware, i.e. bad software, which then automatically installs itself on the phone and becomes very difficult to remove. These little programs, usually well hidden behind innocent and seemingly harmless names, induce you to type your usual passwords. Only this time someone is watching you do it.

Sometimes, smishing messages arrive on your phone and invite you to visit a link. These are bogus sites, perhaps credible reconstructions of sites you know well, where you are asked to enter important personal information which will then be stolen from you.

How do you protect yourself from smishing?

Knowledge is the first weapon to protect yourself from this scam tool. And, think about it, the wisest thing to do when you receive an SMS that you don't like at all… is to do nothing at all. These scams only work if the user is naive enough to fall for them and interact with the links or tools provided to "get profit".

You won an iPhone without ever entering a contest, and you should visit the site they texted you? Hm, perhaps not. Maybe they want to buy their own iPhone, and with your money.

Remember that no financial institution or merchant will ever send you a text prompting you to update your account information. If you receive a message that appears to come from a reliable source, never use the link in front of you. If in doubt, call the branch as soon as it opens. Don't touch anything, don't click on phone numbers, and don't send messages to suspicious numbers that don't look real.

Avoid keeping your bank account or credit card data on your smartphone. This way, even if you contract some nasty malware, your data will be safe.