SMiShing 101: Keeping your mobile device secure

Posted on Friday, November 16, 2018 by Rebecca Kerr

By Rebecca Kerr, OSCPA communications intern

If you haven’t received a SMiShing message yet, you might think you have immunity from this type of attack. Unfortunately, this is probably not the case, starting with the different ways scammers obtain phone numbers.

Damon Hacker, president and CEO of Vestige Digital Investigations, said one way is by guessing random phone numbers to send these messages to. Another way scammers can get ahold of mobile device numbers is when individuals include them in their email signature line. Hacker said that although this inclusion might seem harmless, the number can fall into the wrong hands if an email is forwarded or intercepted.

One popular way people are compromising their mobile device numbers is through responding to short codes. Short codes usually include special offers or enter people in a contest if you use your device to send a message to the provided number. For example, if you’re at a Cleveland Indians game and respond to the prompt ‘text GO TRIBE to 55555’ for a chance to win a free beverage as displayed on the jumbotron, you could sacrifice your mobile device’s anonymity.

“Sometimes the short codes are harvesting those numbers for their own use,” Hacker warned.  “But attackers can get ahold of that database and compromise that entity.”

He advised not responding to these short codes could make the ultimate difference in whether or not you are a target. Scammers could also receive your mobile device number, as well as other personal information, by purchasing it from the dark web.

Despite its extremely descriptive name, SMiShing can take multiple forms other than the typical run-of-the-mill SMS text messaging. The use of Apple’s iMessage or popular social media platforms that have an instant messaging feature, including Instagram and Twitter, can pose a threat to falling victim to SMiShing in the same way. Even though these platforms don’t work through SMS text messaging and run on their own proprietary format, someone can send messages through these platforms and “SMiSh” the same way they could using traditional SMS.

Being knowledgeable about the nature of SMiShing and recognizing ways your phone number could be targeted for attacks is the first step in keeping your mobile device and personal information safe. Did any of the possible ways your phone number could be intercepted surprise you? Let us know in the comments.


Leave a comment