dinsdag 28 april 2009

What is Smishing?

You have probably heard about spamming, scamming, phising...but now there is a new threat: SMISHING.

This is what Wikipedia writes :"In computing, Smishing is a form of criminal activity using social engineering techniques similar to phishing. The name is derived from "SMs phISHING". SMS (Short Message Service) is the technology used for text messages on cell phones."

Similar to phishing, smishing uses cell phone text messages to deliver the "bait" to get you to divulge your personal information. The "hook" (the method used to actually "capture" your information) in the text message may be a web site URL, however it has become more common to see a phone number that connects to automated voice response system.


"Smishing" is the name for a new kind of phising, that is not completely new and still on the rise: It is the practice of sending phishing come-ons and scams via SMS message. And spammers are apparently finding it an increasingly easier proposition to text a phishing message to you rather than to email it traditionally.

Why? Because what is the best way to disguise a phishing attempt so no one can tell where a request for personal information or a password really came from? Easy: Send it via text message.

Why's that? You've probably received hundreds or thousands of phishing emails and immediately saw all the signs that this was a scam:
- Images were broken,
- the "from" address was wrong,
- words were misspelled,
- links in the message were obviously directing you to phony websites.

There are dozens of things that phishers have to get right for an email scam to fool anyone, and that's apparently quite difficult to do. Making things even tougher, many of those emails are now blocked by ISPs and spam filters and never make it to their intended targets.

Those problems don't really exist at the SMS level: Very few SMS messages are blocked, and since they are composed entirely of text, no images required, it's often impossible at a glance to determine if a message is real or fake.

One popular smish threatens the user that he is about to be charged for something unless he cancels it, with a message like: "We're confirming you've signed up for our dating service. You will be charged €2/day unless you cancel your order by clicking here: phonysite.com." Of course there are no pending charges, and the site you're directed to is completely fake, its goal being to collect your credit card number (which you will helpfully enter in order to "cancel" the charges), or install a bit of malware on your computer (or even, someday, on your phone).

Smishing messages may instead direct you to call a toll-free number in order to complete or cancel some financial transaction, the only difference being that a human operator will handily take down your credit card or bank account number for you, to save you the trouble of typing it online. Of course, the number you called is phony, too.

What should you do if you receive a message you fear is a smish attack? The answer should be pretty obvious but bears repeating: Virtually no credible financial institution, utility, or other business will communicate with you via SMS with the exception of your cell phone provider.

If you don't recognize the website or phone number being sent to you? Don't call it.
If you're worried about an upcoming charge, contact the service provider or bank directly via means you know are legitimate and ask them directly about the message. They'll likely tell you what you already know: Just ignore it.


Source: ZDNET/Yahoo/Wikipedia

Geen opmerkingen:

Een reactie plaatsen