Great blog post by Roger Grimes, KnowBe4 Data-Driven Defense Evangelist
Smishing is phishing delivered over Short Message Service (SMS) text messages to any device that can receive them, usually a cell phone. Long neglected by phishers and spammers, smishing has recently become a very common channel for spam, phishing, and spear phishing. KnowBe4 has been covering it, and warning users about its coming rise, for years. This blog post covers why smishing is becoming so popular, shows some general and more sophisticated examples, and discusses defenses.
What is SMS?
Short Message Service (SMS) is a text-based messaging standard that nearly every cell phone supports. Already in widespread use by the 1990s, it is rare to find a cell phone that doesn't support it. The original standard allowed at most 140 bytes of message payload, which works out to 160 characters in the GSM 7-bit default alphabet (or 70 characters once a message needs the 16-bit UCS-2 encoding, as it does for emoji or non-Latin scripts), sent to one or more recipients addressed by their cell phone numbers. That size limit comes from SMS' origin as a payload carried over the Signaling System No. 7 (SS7) signaling network that connects mobile operators. Today, depending on the carrier and the messaging application involved, longer messages are split into several concatenated SMS segments that the receiving handset stitches back together, and pictures, videos and the like travel over the separate Multimedia Messaging Service (MMS) rather than over SMS itself.
Why is Smishing Popular?
The biggest problem from a security perspective is that an SMS sender is not authenticated at all. The only identity attached to a message is the originating address, and the receiving phone displays whatever that field contains. At best, a recipient can assume that the phone number a message appears to come from is accurate, and even that isn't guaranteed. Email at least gives a receiver SPF, DKIM and DMARC to check the sending domain; SMS has no equivalent, and there are many rogue applications and bulk-messaging gateways that let a sender set a spoofed, borrowed, or shared telephone number, or even a free-form alphanumeric sender name, as the originator.
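To make both of these points concrete (the 140-byte limit from the previous section and the unauthenticated sender from this one), here is a small Python example, added for this post and not code from KnowBe4 or from Roger's original article, that builds and decodes an SMS-DELIVER PDU, the raw form in which a handset receives a text under 3GPP TS 23.040. It shows where the limit bites (160 GSM 7-bit characters, or 70 once the text needs UCS-2) and, more to the point, that the "From" a phone shows is just an address field: the originator can be a phone number or any short alphanumeric string such as "MyBank", and the decoder has nothing in the PDU it could check that against. The SMSC number, sender IDs, timestamp and message texts are constructed sample data.

```python
"""Build and decode an SMS-DELIVER PDU (3GPP TS 23.040), the raw form a handset receives a text in.
Added example for this post, not KnowBe4's code; the SMSC number, sender IDs, timestamp and texts are constructed."""
# GSM 03.38 default 7-bit alphabet, indexed by septet value (128 entries).
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# Extension table: each of these costs two septets (ESC 0x1B, then the code).
GSM7_EXT = {"\f": 0x0A, "^": 0x14, "{": 0x28, "}": 0x29, "\\": 0x2F,
            "[": 0x3C, "~": 0x3D, "]": 0x3E, "|": 0x40, "€": 0x65}
GSM7_EXT_REV = {v: k for k, v in GSM7_EXT.items()}
SCTS = bytes.fromhex("32405031415100")  # TP-SCTS for 2023-04-05 13:14:15 UTC (constructed)

def gsm7_septets(text):
    """Text to GSM 7-bit septets, or None if some character has no 7-bit encoding (forces UCS-2)."""
    out = []
    for ch in text:
        if ch in GSM7_EXT:
            out += [0x1B, GSM7_EXT[ch]]
        elif ch in GSM7_BASIC:
            out.append(GSM7_BASIC.index(ch))
        else:
            return None
    return out

def septets_to_text(septets):
    text, i = [], 0
    while i < len(septets):
        esc = septets[i] == 0x1B and i + 1 < len(septets)
        text.append(GSM7_EXT_REV.get(septets[i + 1], " ") if esc else GSM7_BASIC[septets[i]])
        i += 2 if esc else 1
    return "".join(text)

def pack_gsm7(septets):
    """Pack 7-bit values LSB-first into octets, the layout of TP-UD and of an alphanumeric TP-OA."""
    bits, nbits, out = 0, 0, bytearray()
    for s in septets:
        bits, nbits = bits | (s & 0x7F) << nbits, nbits + 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits, nbits = bits >> 8, nbits - 8
    if nbits:
        out.append(bits & 0xFF)
    return bytes(out)
def unpack_gsm7(data, count):
    bits, nbits, out = 0, 0, []
    for b in data:
        bits, nbits = bits | b << nbits, nbits + 8
        while nbits >= 7 and len(out) < count:
            out.append(bits & 0x7F)
            bits, nbits = bits >> 7, nbits - 7
    return out

# Phone numbers travel as nibble-swapped BCD semi-octets; an odd digit count is padded with F.
def encode_digits(digits):
    digits += "F" if len(digits) % 2 else ""
    return bytes.fromhex("".join(digits[i + 1] + digits[i] for i in range(0, len(digits), 2)))
def decode_digits(data, ndigits):
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data)[:ndigits]

def build_deliver_pdu(originator, text, smsc="15550000000"):
    """Assemble the PDU as an SMSC would: a digit-only originator is written as an international
    number, anything else as an alphanumeric sender ID (TON=101), i.e. whatever the submitting gateway chose."""
    smsc_b = encode_digits(smsc)
    pdu = bytearray([len(smsc_b) + 1, 0x91]) + smsc_b + b"\x04"   # SMSC address; TP-MTI=DELIVER, TP-MMS=1
    if originator.isdigit():
        pdu += bytes([len(originator), 0x91]) + encode_digits(originator)
    else:
        sept = gsm7_septets(originator)
        if sept is None:
            raise ValueError("alphanumeric sender ID must use the GSM 7-bit alphabet")
        pdu += bytes([(len(sept) * 7 + 3) // 4, 0xD0]) + pack_gsm7(sept)  # length = useful semi-octets
    sept = gsm7_septets(text)
    if sept is not None:                                   # GSM 7-bit: TP-DCS 0x00, 160 septets max
        if len(sept) > 160:
            raise ValueError("over 160 septets: needs concatenated segments")
        dcs, udl, ud = 0x00, len(sept), pack_gsm7(sept)
    else:                                                  # UCS-2: TP-DCS 0x08, 140 octets = 70 characters max
        ud = text.encode("utf-16-be")
        if len(ud) > 140:
            raise ValueError("over 70 UCS-2 characters: needs concatenated segments")
        dcs, udl = 0x08, len(ud)
    pdu += bytes([0x00, dcs]) + SCTS + bytes([udl]) + ud  # TP-PID, TP-DCS, TP-SCTS, TP-UDL, TP-UD
    return pdu.hex().upper()

def decode_deliver_pdu(hexpdu):
    """Parse a received PDU. Nothing in it can verify the sender: 'sender' is whatever was put into TP-OA."""
    d = bytes.fromhex(hexpdu)
    smsc = "+" + decode_digits(d[2:1 + d[0]], 2 * (d[0] - 1)).rstrip("F")   # d[0] = SMSC address length
    p = 1 + d[0]                                           # first TP octet (TP-MTI, TP-MMS, ...)
    oa_len, oa_toa, p = d[p + 1], d[p + 2], p + 3
    oa_raw, p = d[p:p + (oa_len + 1) // 2], p + (oa_len + 1) // 2
    if oa_toa & 0x70 == 0x50:                              # TON=101: alphanumeric sender ID, 7-bit packed
        sender = septets_to_text(unpack_gsm7(oa_raw, oa_len * 4 // 7))
    else:
        sender = ("+" if oa_toa & 0x70 == 0x10 else "") + decode_digits(oa_raw, oa_len)
    dcs, scts, udl, ud = d[p + 1], decode_digits(d[p + 2:p + 8], 12), d[p + 9], d[p + 10:]
    text = ud[:udl].decode("utf-16-be") if dcs & 0x0C == 0x08 else septets_to_text(unpack_gsm7(ud, udl))
    return {"smsc": smsc, "sender": sender, "sender_toa": oa_toa, "dcs": dcs, "scts": scts, "text": text}
```

The same decoder works on PDUs pulled from a modem or a forensic image with AT+CMGR or AT+CMGL in PDU mode (AT+CMGF=0), which is a practical way to see what a suspicious text really contained. Build a message with originator "MyBank" and decode it: the sender comes back as "MyBank" with type-of-address 0xD0, and at no point is there a signature, certificate or lookup that could tell you whether a bank actually sent it, which is exactly why a brand name in the From line proves nothing.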