Smishing

Detect fraud hiding in your text messages.

What Is Smishing?

Smishing is phishing delivered through SMS text messages, and it is growing faster than any other phishing channel. Proofpoint's 2023 State of the Phish report found that 76% of organizations experienced smishing attacks, with click rates on malicious SMS links running 6 to 10 times higher than email phishing. The reason is simple: people trust their phones more than their email inboxes, and mobile screens make it harder to inspect URLs before tapping.

In this simulation, you receive a text message that looks like a package delivery notification, a banking security alert, or an IT department password reset request. The message is short, urgent, and contains a shortened URL that obscures the real destination. On a small mobile screen, the differences between a legitimate and a malicious link are nearly invisible. You will learn to slow down your response instead of reacting to the urgency the message creates.

The exercise teaches you to verify delivery notifications by going directly to the carrier's website or app rather than clicking the link, to call your bank using the number on the back of your card instead of following SMS instructions, and to forward suspicious texts to your organization's security team. You will also see how attackers register lookalike domains that differ by a single character, use URL shorteners to hide malicious destinations, and time their messages to coincide with real events like actual package deliveries or recent bank transactions to increase credibility.

What You'll Learn in Smishing

Smishing — Training Steps

  1. Introduction

    In this training, you'll experience a smishing attack orchestrated by Bob, a cybercriminal aiming to steal your credentials through deceptive tactics.

  2. Receiving the Suspicious Text

    As Alice, your mobile phone suddenly buzzes on your desk, indicating a new text message. Intrigued by the unexpected notification during your busy morning, you pick up the phone to check it.

  3. Clicking the Suspicious Link

    As Alice, you feel uneasy about the text message but are concerned about the supposed account issue. Pressured by the urgent tone, you decide to open the suspicious link to investigate further.

  4. Viewing the Fake Login Page

    The link opens a webpage that closely mimics CypherPeak Technologies' official login portal, complete with the company's logo, colors, and layout. It prompts you to enter your username and password to 'verify' your account. Bob designed this fake site to trick you into sharing your credentials, exploiting the trust inspired by its professional appearance. The URL, http://cypherpeak-secure-login.com, is not the official site's address, but it looks similar enough to be deceptive.

  5. Entering Credentials

    As Alice, you're reassured by the familiar look of the webpage and, still worried about the urgent account issue, decide to enter your username and password into the fake login portal to resolve the supposed problem.

  6. Encountering an Error Page

    After entering your credentials, the webpage displays an error message: 'Unable to verify account. Please try again later.' As Alice, this unexpected error heightens your worry, making you suspect something is wrong with the login process or your account. Unbeknownst to you, Bob has already captured your credentials and is preparing to misuse them. This error page is a common tactic in smishing attacks to deflect suspicion while the attacker gains access.

  7. Bob Accessing the System

    Bob now uses the stolen credentials for malicious actions like data exfiltration. This demonstrates the real-world impact of smishing – beyond just login details, it can compromise entire systems.

  8. Receiving the Login Alert Email

    As Alice, you open your email app the next morning and find a login alert email from CypherPeak Technologies' IT department.

  9. Report the Incident

    As Alice, alarmed by the login alert email and recalling the suspicious text and error page, you decide to reply to the IT department's email to report the incident. Reporting is key to mitigation. Describe the incident accurately to help IT respond effectively. Even suspected attacks should be reported.

  10. Logging into the Corporate Website

    After reporting the incident, you take immediate action to secure your account by logging into the official CypherPeak Technologies corporate website to update your password through the secure portal. To ensure safety, you manually navigate to the official website using your browser, avoiding any links from suspicious messages.
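The link traits this training describes (shortened URLs, lookalike domains that differ by a single character, and a brand name embedded in an unrelated domain, as with the fake portal in step 4) can be checked mechanically when a suspicious text is forwarded to the security team. The following is an added example, not part of the training itself; the official domain `cypherpeak.example`, the shortener list, and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for illustration: the training does not state the official domain.
OFFICIAL_DOMAIN = "cypherpeak.example"   # hypothetical official domain
BRAND = "cypherpeak"
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # small sample, not exhaustive
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot single-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> list[str]:
    """Return the reasons a link found in an SMS deserves suspicion."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if host in SHORTENERS:
        findings.append("shortener-hides-destination")
        return findings
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return findings
    # Compare the same number of trailing labels as the official domain
    # (a simplification; production code would use the Public Suffix List).
    n = OFFICIAL_DOMAIN.count(".") + 1
    tail = ".".join(host.split(".")[-n:])
    if edit_distance(tail, OFFICIAL_DOMAIN) == 1:
        findings.append("one-char-lookalike")
    if BRAND in host:
        findings.append("brand-in-unofficial-domain")
    return findings


def triage_sms(text: str) -> dict[str, list[str]]:
    """Extract every URL from a message and check each one."""
    urls = (u.rstrip(".,;:!?)") for u in URL_RE.findall(text))
    return {u: check_url(u) for u in urls}


# Constructed sample message using the fake portal URL from step 4.
SAMPLE = "CypherPeak IT: account locked. Verify now: http://cypherpeak-secure-login.com"
```

An empty result means only that none of these heuristics fired, not that the link is safe; a shortened link in particular still has to be resolved in an isolated environment before its destination can be judged.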