Smash the Smish
Introducing the ‘smishing’ attack: a scam that tries to deceive you via SMS or other mobile chat services. Here’s how not to take the bait …
We’re all familiar with email phishing attacks and similar rackets that target you through your computer. But criminals are increasingly targeting your phone with ‘smishing’ attacks — SMS or WhatsApp messages that try to extract money or personal data, or both. Other phone scams involve dodgy QR codes that we scan and click.
Happily, we don’t have to answer the call of the smishers. Read on to jam their scams before it’s too late …


How does Smishing work?
Smishing — or SMS phishing — happens when hackers use text messages to trick victims into sharing sensitive data, such as their name, address, ID number, membership number or banking login details. Smishers launch their attacks via SMS, WhatsApp or other mobile messaging services. The smishing message will typically ask you to click on a link to a fake login form that looks like it belongs to a legitimate company or public institution. Other smishing messages will ask you to download an app containing malware.
So what are the red flags?
If the sender is unknown and the message unexpected, it’s probably something ‘smishy’. For example, a message saying you’ve won a lottery is a lie if you didn’t buy a ticket …
Smishing attacks typically demand immediate action from you. Resist the pressure. If you’re being asked to confirm that a bank transaction is legit, then instead of answering the message, look up your bank’s official fraud prevention number and call to ask if a fraud attempt has really taken place.
Hackers often send a fake notification with a link. Compare the link to the actual URL of the company or institution the message claims to be from. If it differs, it’s a scam.
Smishing messages often include mistakes, or initial caps on words that Shouldn’t Have Them. That said, they sometimes don’t — so it’s not a foolproof test.
A trusted business would never ask you to give sensitive data on an unsecured platform. If they ever wanted you to enter information online, they would ask you to log into their official, secure website or app — the one you usually use.


The 8 steps of Smishing-Smashing

1. Be suspicious of every message.
2. Don’t click on in-message links.
3. Never share sensitive data via text (SMS, WhatsApp or other mobile messaging services).
4. Verify contacts independently and filter spam messages.
5. Keep device software up to date.
6. Review and upgrade your security settings on your phone and chat apps. For example, adding two-factor authentication — e.g. OTP plus password — is always good.
7. Back up your data on all devices and delete unused apps.
8. Don’t use free Wi-Fi networks.

Bug Patrol: Treating Phone Malware Infection
If your phone has any of the following symptoms, it may have been infected with malware by a smishing attack.
- The battery does not last as long as it used to.
- You get random pop-ups.
- The performance of the device drops.
- You find apps on the device that you didn’t install.
If you have these issues, then reset your device (to its factory settings) and install antivirus software, before reinstalling all your apps.

Scan or scam?
How to stop QR-code fraud
QR codes are images that direct your phone browser to a website. They are often displayed at events to link to ticketing forms, and on packaging to link to product websites.
They’re a useful technology, but scammers increasingly use dodgy QR scanning apps and/or fake QR codes to steal your information or money.

To avoid being a victim of this, ask yourself four questions:

1. Am I using the right scanner?
Always use the built-in QR code scanner in your device’s camera app. If your device doesn’t have one, only download a trusted (well-reviewed) scanning app from the device’s official app store.

2. Does the code look legit?
Check for physical tampering, such as a code sticker pasted over the authentic printed code. If possible, ask a nearby staffer whether the displayed code is approved.

3. Does the link look legit?
Check the link displayed on your scanning app before you click. A dodgy link might have misspelt or shortened URLs such as ‘Instagram’ or ‘Sapppi’ or ‘Coca-col.com’.

4. Do I risk it?
If you have any doubt about 1, 2 and 3, then No! Never enter sensitive information into a site you were directed to by a QR code, unless you’re certain the site is authentic.
Plan before you scan. Think before you click.
Report incidents to our local IT department, or swiftly email our cyber defense team (phishingreport@sappi.com).