SMS phishing

From Wikipedia, the free encyclopedia
  (Redirected from SMiShing)

In computing, SMS phishing is a form of criminal activity using social engineering techniques. Phishing is the act of attempting to acquire personal information such as passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. SMS (Short Message Service) is the technology used for text messages on cell phones.

SMS phishing uses cell phone text messages to deliver the bait to induce people to divulge their personal information. The hook (the method used to actually capture people's information) in the text message may be a website URL, but it has become more common to see a telephone number that connects to an automated voice response system.

The SMS phishing message usually contains something that demands the target's immediate attention. Examples include "We confirm that you have signed up for our dating service. You will be charged $2 a day unless you cancel your order on this URL: [URL]", "(Name of popular online bank) confirms that you have purchased a computer from (name of popular computer company). Visit [URL] if you did not make this online purchase", and "(Name of a financial institution): Your account has been suspended. Call 555.###.#### immediately to reactivate". The hook will be a seemingly legitimate website that asks you to "confirm" (enter) your personal financial information, such as your credit/debit card number, CVV code (on the back of your credit card), your ATM card PIN, SSN, email address, and other personal information. If the hook is a phone number, it normally directs to a legitimate-sounding automated voice response system, similar to the voice response systems used by many financial institutions, which will ask for the same personal information.

This is an example of a (complete) SMS phishing message in current circulation: "Notice - this is an automated message from (a local credit union), your ATM card has been suspended. To reactivate call urgent [sic] at 866-###-####."

In many cases, the SMS phishing message will show that it came from "5000" instead of displaying an actual telephone number. This usually indicates the SMS message was sent by email to the cell phone rather than from another cell phone.
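The indicators described above (a URL or phone-number hook, wording that demands immediate attention, and a sender such as "5000" instead of a telephone number) can be checked mechanically when triaging reported messages. The following Python code is an added example, not part of the original article; the phrase list, the scoring weights, the sender-length threshold and the sample messages are constructed assumptions.

```python
import re

# Pressure phrases taken from the article's sample messages (assumed list).
URGENCY = re.compile(r"\b(immediately|urgent|suspended|reactivate|"
                     r"unless you cancel|you will be charged|if you did not)\b", re.I)
URL = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
# North American number shapes: 866-555-0100, 555.555.0100, (866) 555 0100
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")


def triage(sender, body):
    """Extract the hook and the pressure indicators from one SMS."""
    hooks = [("url", u.rstrip(".,;")) for u in URL.findall(body)]
    # Blank out URLs first so digits inside a link are not read as a phone hook.
    hooks += [("phone", m.group(0)) for m in PHONE.finditer(URL.sub(" ", body))]
    urgency = sorted({m.group(1).lower() for m in URGENCY.finditer(body)})
    # Assumption: an e-mail address, or a digits-only sender shorter than five
    # digits (such as "5000"), means the text arrived through an email-to-SMS
    # gateway rather than from another handset.
    gateway_sender = "@" in sender or (sender.isdigit() and len(sender) < 5)
    # Assumed weights: hook = 2, up to two urgency phrases = 1 each, sender = 1.
    score = (2 if hooks else 0) + min(len(urgency), 2) + (1 if gateway_sender else 0)
    return {"hooks": hooks, "urgency": urgency,
            "gateway_sender": gateway_sender, "score": score}


# Constructed samples modelled on the article's examples; the numbers use the
# fictional 555-01xx range and the link uses a reserved .test domain.
SAMPLES = [
    ("5000", "Notice - this is an automated message from Example Credit Union, "
             "your ATM card has been suspended. To reactivate call urgent at "
             "866-555-0100."),
    ("+12025550143", "We confirm that you have signed up for our dating service. "
                     "You will be charged $2 a day unless you cancel your order "
                     "on this URL: http://dating.example.test/cancel"),
    ("+12025550178", "Running ten minutes late, see you at the cafe."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        result = triage(sender, body)
        print(sender, result["score"], result["hooks"], result["urgency"])
```

A high score only ranks a message for review: legitimate alerts can also carry a phone number and urgent wording, so the extracted hook should be compared against the institution's published contact details.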

This information is then used to create duplicate credit/debit/ATM cards. There are documented cases where information entered on a fraudulent website (used in a phishing, SMS phishing, or voice phishing attack) was used to create a credit or debit card that was then used halfway around the world within 30 minutes.[citation needed]

On March 9, 2012, Walmart issued a fraud alert regarding a large number of scam texts that offer a nonexistent $1000 gift card as bait.
