SMS fraud, or “smishing”, is on the rise in many countries, fuelled by the increasing use of smartphones. And it is posing a problem for telecoms operators worldwide.

Also known as “SMS phishing”, it is a form of cybersecurity attack carried out over mobile text messaging and targeting both individuals and corporations.

Smishing, of course, is a play on the word “phishing”, the fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information such as passwords and credit card numbers.

“In a smishing attack, cybercriminals send deceptive text messages to lure victims into sharing personal or financial information, clicking on malicious links, or downloading harmful software or applications,” Stuart Jones of US cybersecurity firm Proofpoint told AFP.

What is the scale of smishing?

Smishing has grown rapidly in recent years, particularly during the pandemic, owing to the explosion in smartphone use for administrative procedures and internet purchases.

According to a study carried out in 10 countries by the Mobile Ecosystem Forum, a telecoms-industry trade association, 39% of consumers were confronted with at least one SMS scam attempt last year.

An average of between 300,000 and 400,000 SMS attacks take place every day, according to Proofpoint, and that figure is expected to rise.

In the United States alone, smishing cost consumers some US$330 million in 2022, more than double the losses reported in the previous year and nearly five times the amount lost in 2019.

Why is it so worrying?

Smishing is considered more dangerous than email scams because it is more difficult to identify the perpetrators, and because victims tend to think that their number can only be used by known people or organisations.

“Many people still have a high level of trust in the security of mobile communications,” Jones said, pointing out that click rates on URLs sent in mobile messages are as much as eight times higher than those in email.

Authorities also point to the growing sophistication of SMS attacks, with fraudsters using companies that specialise in the sale of personal data, or devices reserved for the army or police.

Smishing rings have been known to use so-called “IMSI catchers”, also known as “stingrays”, which mimic mobile phone towers to intercept communications from smartphones over a radius of 500m.

How can smishing be fought?

Many countries have set up reporting platforms to which people can forward suspicious SMS messages, leaving it up to the authorities to block the numbers.

Image-conscious telecoms operators have also set up teams capable of filtering out some of the fraudulent SMS messages, aided by the reporting tools of operating systems such as Android and iOS, and messaging systems such as WhatsApp.

However, this task often turns into a cat-and-mouse game, with fraudsters constantly changing their numbers. Scammers also take advantage of differences in laws across the globe to get away with their attacks.

“While regulators in Europe, the US and China have been tightening the rules, other regions such as Africa and Latin America find themselves with limited regulatory frameworks,” the ITW Global Leaders’ Forum, a network of telecoms executives, wrote in a report.

One of the keys to fighting smishing is prevention, experts say.

“Consumers need to be very sceptical of mobile messages that come from unknown sources. And it’s important to never click on links in text messages, no matter how realistic they look,” Jones concluded.