What is the smishing scam and how to defend yourself

Smishing is a particular type of phishing attack that targets post office and bank customers. Here's how to defend yourself.

Any channel will do for a phishing attack aimed at stealing the credentials to users' online accounts. Even the good old SMS message can be used for the so-called "smishing scam".

This type of scam is very simple and uses seemingly trivial methods: an SMS is sent to the user to convince them to click on a link, which sends them to a website where the actual scam takes place. The problem is that, as in all cases of phishing, the average user does not dwell on the message and instinctively clicks on the link. As usual, we handed our phone number to the hackers ourselves: most likely they took it from one of our social profiles or, more rarely, found it in a data dump bought on the Deep Web black market.

Smishing of Poste Italiane and Banco Posta

One of the most frequent cases of smishing is the one in which hackers try to steal our Poste Italiane or Banco Posta credentials, obviously in order to drain our account. The mechanism is very simple: the SMS appears to come from Poste Italiane and warns us that there are problems with our account, so we must click on the link to change our access data and the OTP, the One Time Password that protects the account.

Of course it's all fake: the sender is not Poste Italiane, there is no problem with our account, and if we click on the link we are sent to a site that is not Poste Italiane's. If we enter our data on that site, we are handing it to the hackers and can say goodbye to our savings. A variant of the SMS shows at the bottom a phone number to call for "assistance". In reality it is a foreign number answered by a call center: an operator will ask us for our access data, promising to solve the phantom account problem. The result is the same: a drained account.
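As an added illustration (not part of the original article), the following Python script scores a text message against the indicators the article describes: an impersonated brand, a link whose domain is not the brand's own, urgency wording, a request for access data or the OTP, and a call-back number. The brand list, the assumed allowlist domain, the score thresholds and the sample messages are all constructed assumptions, not data from the article; the sample texts are deliberately generic and use reserved placeholder domains.

```python
import re
from dataclasses import dataclass, field

# Brand names the article says are impersonated (lowercase for matching).
IMPERSONATED_BRANDS = ("poste italiane", "bancoposta", "banco posta", "postepay")
# Assumption: the only domain a genuine message from the brand would link to.
EXPECTED_DOMAINS = ("poste.it",)
# Wording that pressures the reader to act, and wording that asks for secrets.
URGENCY_TERMS = ("suspended", "blocked", "verify", "problem", "immediately", "urgent")
CREDENTIAL_TERMS = ("otp", "password", "pin", "access data", "credentials")

# Full URLs first, then bare host names such as example.test/path.
URL_RE = re.compile(r"https?://\S+|\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)
# International prefix followed by digits/spaces, or a long run of digits.
PHONE_RE = re.compile(r"(?:\+|00)\d{1,3}[\s\d]{6,}|\b\d{9,}\b")


@dataclass
class Verdict:
    score: int
    label: str
    reasons: list = field(default_factory=list)


def _has_term(text: str, terms) -> bool:
    """Whole-word match so 'otp' does not fire on 'footprint'."""
    return any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms)


def _host_of(url: str) -> str:
    """Extract the host part of a URL or bare domain, dropping scheme and path."""
    return url.split("//")[-1].split("/")[0].strip(".,;:").lower()


def _is_expected(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def label_for(score: int) -> str:
    # Thresholds are an assumption chosen for this illustration.
    if score >= 5:
        return "likely smishing"
    if score >= 3:
        return "suspicious"
    return "no strong indicators"


def assess_sms(text: str) -> Verdict:
    """Score one SMS body against the indicators the article lists."""
    lower = text.lower()
    score, reasons = 0, []

    mentions_brand = any(b in lower for b in IMPERSONATED_BRANDS)
    if mentions_brand:
        score += 1
        reasons.append("names an impersonated brand")

    # Any link that does not point at the brand's own domain is the strongest signal.
    for url in URL_RE.findall(text):
        host = _host_of(url)
        if not _is_expected(host):
            score += 3
            reasons.append(f"link to unexpected domain: {host}")

    if _has_term(lower, URGENCY_TERMS):
        score += 1
        reasons.append("urgency wording")
    if _has_term(lower, CREDENTIAL_TERMS):
        score += 2
        reasons.append("asks for access data or OTP")

    # The call-back variant: a brand name plus a number to phone for "assistance".
    if mentions_brand and PHONE_RE.search(text):
        score += 3
        reasons.append("call-back phone number alongside a brand name")

    return Verdict(score, label_for(score), reasons)


# Constructed sample messages (not real SMS); .example is a reserved placeholder TLD.
SAMPLE_SMS = [
    "Poste Italiane: your account has been suspended. Verify your access data and OTP at https://poste-verify.example/login",
    "BancoPosta: problem with your account, call assistance immediately at +39 06 1234567.",
    "Hi, are we still meeting at 6 in front of the cinema?",
    "Poste Italiane: your parcel has been delivered. Track it at https://www.poste.it/",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        v = assess_sms(sms)
        print(f"[{v.label}] score={v.score} reasons={v.reasons}\n    {sms}")
```

The fourth sample shows why the allowlist matters: a message can name the brand and still be benign when its link stays on the brand's own domain, so the brand name alone only adds one point. Keyword scoring like this is a triage aid for awareness or SOC tooling, not a substitute for the article's advice to ignore and delete unsolicited SMS that ask for credentials.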

How to defend yourself from smishing

The first way to defend yourself from a smishing SMS is to make sure the message never reaches you: never publish your phone number on social networks, forums or other websites. If the scam SMS reaches us anyway, we should ignore it and delete it: neither Poste Italiane nor any bank or credit card company uses SMS for important communications.

They usually use their own app, which establishes an encrypted connection with the bank/post office/card servers so that nobody can steal our sensitive data.