Smishing is on the rise. Every time we post a smishing example on this blog we strive to do our part in sharing "pattern recognition" tips that make unsafe messages obvious. Today is another one of those days: we've got a typical smishing example for you, but we'll dissect it in great detail, including at least seven warning signs that the message is probably unsafe (if you need a brief primer on smishing first, head over here).
None of these seven warning signs are so strong that they would (individually) predict with 100% accuracy that the message is unsafe. However, when considered as a group, it becomes pretty obvious that this particular message is a smishing attempt. Here's the initial message:
Now, let's get busy taking this message apart, identifying what's suspicious about it!
It doesn't look like you have the sender in your contact list, as evidenced by the phone number showing (instead of some company or person name). Of course that's not conclusive evidence that this message is unsafe, but it should put you on alert to look for additional warning signs that suggest danger ahead.
Building upon your prior intuition, notice that there are no prior text messages with this number, in either direction. No prior messages from the sender to you. No prior messages from you to the sender. Again, this isn't conclusive evidence of danger, but it's enough to make you a little more suspicious and especially focused on the rest of the message to gauge safety. This is starting to feel like other smishing examples you've seen before.
That's weird. This message is formatted a little bit like an email. FRM (from?)... SUBJ (subject?)... MSG (message?). If this is really from a credible financial institution, they sure do have a strange way to make the message feel user-friendly. Either this is the most robotic, unfriendly message from a bank ever, or it's a smishing attempt. At this point, you are starting to think that this looks like other smishing examples you've seen, but you are still reading along to gather more context.
Now this looks very suspicious. The message is about a product you don't know of, or use, and it's financially-oriented. Whoa, danger ahead! You've seen smishing examples before -- and a high percentage of them involve financial-oriented fraud. There is no possible reason why you should even consider interacting with this sender.
You've already concluded that the message shows all of the warning signs of being a smishing example, but you continue reading anyway (with no intention of actually responding to the message). Your fears that this is a case of smishing are further confirmed, when you spot an absurdly odd / unusual unique identifier in the message. It's almost like the cyber attacker needs to be able to uniquely identify who they are communicating with, amongst the hundreds of thousands of people that they've sent this attack to! (hint: that's exactly what's happening - this is a classic case of a bulk smishing attempt)
As if the prior five reasons weren't enough, here's one that solidifies the conclusion that this is a smishing attempt. What multi-billion-dollar bank messes up their own branding in a message to a consumer? Having a customer-facing person at Citibank approve an outbound text message referring to their organization as CITI-BANK is about as likely as, well, we'll hold off on other obvious branding no-no's to avoid upsetting large companies with many more lawyers than we have.
This one seals it. A financial institution, with whom you supposedly have an account, that is so unsure of their customer service systems that they have to list two possible follow-up phone numbers -- neither of which is a 1-800 number? No way. Not buying it. This smishing example is completely unsafe.
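The seven signs above can be written down as a simple scoring check. The sketch below is an added example, not code from this blog: the sample messages are constructed, the regexes and the threshold of three signs are assumptions, and the "1-800" test is widened to the other North American toll-free prefixes.

```python
import re

TOLL_FREE = {"800", "833", "844", "855", "866", "877", "888"}
PHONE = re.compile(r"\(?\b(\d{3})\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
HEADERS = re.compile(r"\b(FRM|SUBJ|MSG)\s*:", re.I)
FINANCE = re.compile(r"\b(bank|card|account|loan|credit)\b", re.I)
# Long upper-case token mixing letters and digits, e.g. a per-recipient reference.
TOKEN = re.compile(r"\b(?=[A-Z0-9-]*\d)(?=[A-Z0-9-]*[A-Z])[A-Z0-9-]{10,}\b")
# Official spelling -> pattern for split variants such as CITI-BANK.
BRAND_VARIANTS = {"Citibank": re.compile(r"\bciti[\s\-_.]+bank\b", re.I)}

def warning_signs(body, sender, contacts, prior_messages, uses_product):
    """Return the names of the post's warning signs that this message trips."""
    signs = []
    if sender not in contacts:
        signs.append("sender_not_in_contacts")
    if prior_messages == 0:
        signs.append("no_prior_thread")
    if len({h.upper() for h in HEADERS.findall(body)}) >= 2:
        signs.append("email_style_headers")
    if FINANCE.search(body) and not uses_product:
        signs.append("unknown_financial_product")
    if TOKEN.search(body):
        signs.append("odd_unique_identifier")
    if any(p.search(body) for p in BRAND_VARIANTS.values()):
        signs.append("mangled_branding")
    area_codes = PHONE.findall(body)
    if len(area_codes) >= 2 and not TOLL_FREE & set(area_codes):
        signs.append("multiple_non_toll_free_callbacks")
    return signs

def is_suspicious(signs, threshold=3):
    # Assumed threshold: no single sign is conclusive, only the combined count.
    return len(signs) >= threshold

# Constructed sample that mimics the layout described in the post.
SAMPLE = ("FRM:CITI-BANK SUBJ:Card Alert MSG:Your card is on hold. "
          "Ref QX7-88213-ZK. Call 213-555-0142 or 310-555-0177")
# Constructed benign message from a saved contact.
BENIGN = "Running late, see you at 6. Call me on 213-555-0199 if plans change"

if __name__ == "__main__":
    print(warning_signs(SAMPLE, "+12135550142", set(), 0, False))
    print(warning_signs(BENIGN, "+12135550199", {"+12135550199"}, 12, False))
```

The fourth sign depends on what the recipient actually uses, so it is passed in as `uses_product` rather than inferred from the text.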
We hope that after reading this post, you'd never fall for this smishing example or anything like it. If you've got any other smishing examples that you'd like us to dissect on this blog, we're all ears.