What do smishing, spoofing, and social engineering have in common?
Recognize when you're getting scammed
Unfortunately, scamming and hacking continues to develop alongside new technology. Right now, with the ongoing devastation of the COVID-19 global health crisis, there is even more opportunity for fraudsters to exploit people. Particularly, using SMS.
While most people understand basic internet etiquette regarding online safety, data protection, and cybersecurity, scammers are taking advantage and getting creative. They utilize multiple methods to gain access to people's private information, including unsuspected communication from a seemingly legitimate source and social engineering tactics.
Since the start of the year, the number of website, phone call, text message, and even fax scams have dramatically increased. Phishing scams that impersonate government entities or essential services in an attempt to obtain personal data are at an all-time high. In fact, the first quarter of 2020 saw 15 times more fraudulent emails containing fake invoices and false changes to personal details than the same period last year.
This brings us to what smishing, spoofing, and social engineering have in common. You'll need to know what each of those terms means, how they relate to scams, and why it is important to only trust verified SMS gateways, and comply with A2P messaging regulations.
Related: 'Avoid identity theft with SMS OTP'
What is social engineering?
Broadly speaking, social engineering is the art of exploiting human psychology to create inconspicuous movement. Centralized planning is used to manage social change, development, and behaviors within a society.
Concerning information security, social engineering is the use of deception to manipulate somebody into divulging confidential data or personal information for fraudulent activity.
Smishing and spoofing
Spoofing is the deceitful act of mimicking an SMS Originator (also known as SMS Sender ID) to impersonate a legitimate entity, business, or person.
Smishing is a portmanteau of 'SMS' and 'phishing', and is a form of criminal activity that combines spam, spoofing, and social engineering.
By pretending to be a trustworthy entity, fraudulent text messages are sent seeking to dupe recipients into clicking on a malicious link or attachment. The goal is to obtain access to the recipient's online systems, accounts, or personal data.
Scams
Cybercriminals focus on new technology and communication inlets to gain access to whatever they are looking for, whether it be bank account details, or off-site access to a system, etc. They utilize tools such as malware, hacking, phishing, and catfishing.
Depending on the intentions of the perpetrator, scams can be used for many different reasons. Some reasons for committing these acts include identity theft, access to financial and banking details, competitor advantage, marketing and sales purposes, to manipulate or ruin a reputation, harassment or abuse, spam, and unsolicited messaging.
Malware - by using malware or ransomware, someone can gain access to a computer without the owner's permission or knowledge. Remote access scams are common for tricking victims into paying for unnecessary software and sometimes blackmail.
Hacking - the exploitation of security weaknesses on a computer or system to gain access. Hacking includes the use of technology to break into a network, smartphone, or computer. While some hacking is ethical, such as looking for bugs and vulnerabilities in a system to correct them, most hacking occurs maliciously.
The use of malware and ransomware is popular when hacking, but social engineering and phishing are also a big part of obtaining information to complete a hack. For example, after attempting to log in with your username and password into a website that looks legitimate, that website steals the login credentials, and your personal information is now at risk of hacking.
Phishing - the intention of a 'phisherman' is to mislead by impersonating a trusted representative, brand, or person online. By targeting a large group of people and asking for them to re-confirm account details or send through unnecessary payments, the phisherman increases the chances of a 'bite', and then a 'catch'.
For example, your bank has sent out an email asking for you to confirm your date of birth by proof of identity. It says to follow the link provided and upload a copy of your driver's license. The 'bite' is if you click the link, the 'catch' is if you upload your personal information. By doing so, the phisherman now has the opportunity to commit identity theft and fraud in your name.
Catfishing - the use of fake accounts on social media and dating sites to send friend requests, lure victims into relationships under false pretenses, and gain access to personal information. Catfishing is used for many reasons, such as hacking profiles, misrepresenting victims online, asking for money, humiliation, or ruining reputations.
Related: 'SMS 2FA [Explained]'
SMS platforms have strict compliance policies
Accredited SMS platforms that send bulk messages ensure that their clients are compliant with local and international regulations regarding the content they send, to whom it is sent, and when.
It's vital that each gateway goes above and beyond to ensure message content, scheduling, and user accounts are fully compliant when transmitting A2P or P2P messages.
For example, in the USA, the TCPA and the CTIA have put in place strict guidelines around what type of content can be sent, the recipients' right to opt-in and opt-out at any time, and what kind of virtual numbers can be used to send.
When sending SMS
Sign up
Upon signing up to any SMS gateway, not only does the user have to provide account details, but they are also asked what kind of messages they will be sending, how many, and what virtual numbers they would like to use.
Understanding the intent and the content of the SMS allows the platform to allocate virtual numbers and SMS volume. Before any of these services can be used, virtual numbers must be applied for and authorized, certain content is restricted, and accounts that want to use Sender IDs must be whitelisted.
These methods are put in place to ensure the SMS gateway and its users are compliant when sending A2P and P2P messages.
Sender ID application protocol
Sender ID application protocol allows SMS platforms to verify user accounts before issuing an SMS Originator for accounts to send from. It ensures that users don't display an unauthorized business name as their own, or attempt to impersonate someone over SMS.
Contact management
When recipients opt-in for A2P SMS content to be sent to their number, most SMS platforms will automatically assign them into a contact list that receives that content. And if they choose to opt-out, merely replying to a message with 'STOP' or 'NO' automatically reallocates the contact into the opt-out list. This ensures that people are not receiving unsolicited messages after they have opted-out of an SMS subscription.
Receiving SMS
Unsure if you received an SMS from a legitimate source?
Gather evidence by taking a screenshot of the messages, then delete the suspicious message immediately. Contact the business, person, or entity that allegedly sent the message to you and confirm whether they sent it or not.
If they did not, you could provide proof of the message via the screenshot. If they did, then you can ask them to send it again, and perhaps note that you found it suspicious.
Be sure
You can usually double-check what content certain businesses will communicate over email and SMS on their website as a security measure. It's essential to understand how organizations, such as banks and government bodies, communicate with patrons. Most will explicitly state they will never ask for personal information or payments via email or text message. If they did need such information, they would provide specific instructions on how to do so safely through verified channels.
Related: 'How to improve your website's security with SMS 2FA'
Download our free eBooks and Factsheets, available in our Information Centre.