A smishing attack basically means to do a phishing attack with the help of SMS. In this attacker sends an SMS to the victim with a link to a fake website or you will be tricked into downloading malware which will compromise your phone and let the hacker access your device. Smishing means “SMS+Phishing”.
How it works?
- An Attacker will create an SMS which will consist of some social engineering text and a link.
- The link will take you to a website and possibly download the malware into your phone or will take you to a phishing website.
- As soon as you install the malware on your phone your phone will be compromised and the hacker can access your phone.
Examples Smishing scenarios
Lets create a smishing scenario
So lets say I am hacker and you are the victim
I send you a text message with a following content.
“Your subscription for daily jokes have been renewed on $2/Day which will be deducted from your mobile balance
To stop the subscription please follow the link
“Phishing Link” “
Now any person will click the link to stop the subscription and you clicked the link and my link will take you to a website that will automatically download malware to your phone and if you install the malware your phone will be compromised.
My phishing link will take you to a phishing website that will ask your Gmail login to end the subscription, and you will end up giving me your credentials. This will be very dangerous as now I can log in with your credentials and do all sorts of works.
You can create you malware application from metasploit.
NOTE-> Do not try this without consent.
How to be Safe?
- Do not click on any untrusted link from SMS.
- Never use your phone number on untrusted websites.
- Never install a shady application on your phone.
- Always use two-factor authentication.
- Be aware.