Smishing and phishing: definition, key differences and examples


Although Google blocks approximately 100 million spam emails every day, phishing was still the most common form of cyber attack across the world last year. Smishing also rose by 24% last year – making businesses feel like they are being attacked from all angles. The first step to fraud prevention is knowing all you can about smishing and phishing. Then, it’s about putting in place the right prevention and detection measures. This includes real-time monitoring, employee training, and due diligence.

Trustpair blocks the financial effects of fraud by continuously controlling payments before they’re executed and stopping payments to unknown third parties. Contact an expert to learn more!


What is phishing?

Phishing is a type of impersonation fraud with the intention to gain sensitive information or money from an individual or a business. Typically, the cybercriminals send out scam emails and pretend to be a known source in order to dupe victims into giving away their information.

From a business perspective, falling victim to a phishing event costs an average of $4.35 million each time. But beyond the initial financial effects, further damage comes from the reputational harm caused. In fact, 60% of companies had to raise the price of their products and services after a data breach caused by phishing. This only further exacerbates customers’ disapproval: perceived trust goes down and consumers are pushed to look elsewhere.

Example of phishing

In some cases, the phishing email will outright ask for a transfer. For example, many CEOs’ email addresses have been spoofed, and phishing perpetrators have targeted financial controllers by impersonating their CEOs. These high-profile targets, such as CEOs and celebrities, are known as whaling targets.

“Hi Dave,

Sorry to catch you on a weekend but I need you to submit an urgent payment for me. We’ve been in acquisition talks for a while so this is strictly on a need-to-know basis but we’re about to expand in North Carolina. Are you available to make the payment?

[Here are the account details], and the amount is $119,833.

Could you let me know when you’ve made the transfer so that I can finalize the acquisition? I’ll talk you through the details on Monday.
Thanks.”

In fact, the Austrian aerospace engineering company FACC was hit by this exact scam in 2016. Unfortunately, this fake acquisition project appeared to be coming from the CEO, using a spoofed email address. It led to the transfer of over $40 million, and the firm was only able to block around $10 million of the funds actually leaving the accounts.

On top of initial losses though, perceived public trust decreased so much that the company lost partners, suppliers, and customers. They reported losses of over $23 million for the financial year and fired the CEO for white-collar related crimes.


What is smishing?

Smishing is one type of phishing, but instead of email, it’s perpetrated over text messages (smishing stands for SMS phishing). It’s therefore very similar to phishing with the same types of dangerous effects.

The average number of spam texts received per American in 2020 was 14.7 per month, so almost every other day we all deal with this type of threat. And the bombardment technique is clearly working: one bank in Singapore lost over $13.7 million after criminals impersonated the bank itself, and over 790 customers fell victim to the smishing scam.

Smishing texts can include malicious links which can open up your device to ransomware. For example, some links redirect to fake sites and encourage users to input their details, which might then be used for identity fraud.

Alternatively, if the pretender has a convincing ruse, the text might just directly ask for a money transfer or the information required to defraud the victim. In this case, the scam might be described as spear phishing. That’s because the hackers would have to find out lots of information about their targets before beginning their attack.

Example of smishing

A very common smishing scam has been doing the rounds recently, targeting parents:

“Hey mom, it’s me.
My phone was stolen last night so I’m on my friend’s phone but all my banking apps are locked on my phone. Would you be able to send me $200 to a new account for the week JUST to cover me and I promise I’ll pay you back? Love you”

This type of scam looks legitimate and uses social engineering tactics to play on the heartstrings of parents. Due to the urgent nature of the message, it’s unlikely that the victim would question anything until after they have sent the money.

Criminals send this type of message in a “spray and pray” approach, mass-texting thousands of potential victims at once. Those without kids would simply ignore the message, but because of the high volume, each campaign is likely to produce at least one successful smishing attempt.


What are the key differences and similarities between phishing and smishing?

When it comes to phishing and smishing (and even vishing: voice phishing over the phone), there are lots of similarities.

Similarities

Both of these scams rely on social engineering tactics to play on the emotions of the victim. Phishing and smishing perpetrators both ask for sensitive information or the transfer of funds, and target both individuals and businesses.

In Minnesota, executives from a drug company were targeted by fraudsters who pretended to be their CEO and requested funds. The fraudsters reinforced the social engineering element by hacking into a legitimate third party to the drug company: its law firm. By posting further instructions on how to wire the funds through that compromised channel, this two-pronged approach swindled the victims out of $39 million.

Differences

Although smishing and phishing are fairly similar, it’s the differences that could catch out firms, as both threats exploit companies in different ways.

While businesses should protect their email channels against phishing, they might not be as knowledgeable on how to protect their employees’ personal phones from smishing. But since most workplaces have a closed Wi-Fi system, it’s important to think about how a compromised device could affect the entire network.

Moreover, most of the time, phishing fraudsters will impersonate a professional figure in order to ask directly for a fund transfer. By contrast, smishing perpetrators are more likely to include malicious links in their attempts. It’s much harder for the recipient to verify whether a link is malicious before clicking on it on a mobile device than on a computer, so anti-smishing awareness is key here.

Difference or similarity? | Phishing | Smishing
Difference | Perpetrated through email channels | Perpetrated through text message (SMS) channels
Difference | Sometimes includes malicious links which can download malware onto the device, but the criminals also ask for information or money outright | Often includes malicious links which redirect to capture the victim’s passwords and data without them knowing
Difference | Typically targets computers | Typically targets phones
Similarity | Uses social engineering techniques like urgency to convince the victim | Uses social engineering techniques like urgency to convince the victim
Similarity | Requires sensitive information or money transfers | Requires sensitive information or money transfers
Similarity | Can target businesses or individuals | Can target businesses or individuals


How can you prevent smishing & phishing?

Prevent smishing and phishing by setting up your business for success. This means installing proper fraud prevention measures, while also working on your detection strategy.

Fraud prevention strategies

Fraud prevention best practices mean doing your due diligence. As organizations, we all operate with partners and collaborate with third parties. However, ensuring that full due diligence checks are done to secure these third parties is one of the most important steps to take.

Due diligence can include Ultimate Beneficial Owner checks and SOX compliance. But taking this one step further, companies that wish to integrate their services with third parties should find out about the operating procedures and anti-fraud measures those third parties have in place. This way, your business can plug any vulnerabilities before you sign on the dotted line.

Moreover, fraud awareness training plays a key part in prevention. That’s because regular training sessions are a constant reminder of the threat, and can help your employees know what to do if they’ve been targeted.

However, it’s important to extend your fraud awareness sessions to everyone at the firm. Only 14% of board directors received fraud training last year, yet these senior members are likely to be targeted by phishing, since they have approval and payment-making responsibilities.

Learn all there is to know about payment fraud and how to fight it in our latest fraud report!


Fraud detection

In terms of fraud detection measures, automated software is the best choice.

Platforms like Trustpair continuously monitor third-party activities, in order to track normal activity and spot red flags. When the payment details for a supplier don’t match the global databases, we block the payment from leaving the business’s account. This means that even if one of your employees is compromised by phishing or smishing, the financial accounts are protected in a virtual vault.
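The payment control described above, reduced to its core logic as an added illustration (this is example code written for this article, not Trustpair’s product or API). It assumes a supplier master record whose bank details were verified out-of-band, plus two constructed policy thresholds: a 14-day cooling-off period after any change of details and a $50,000 limit above which dual approval is required. The supplier names and IBANs are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class VerifiedSupplier:
    """Supplier master record whose bank details were confirmed out-of-band."""
    name: str
    accounts: frozenset   # account identifiers verified for this supplier
    last_change: date     # when the verified details were last modified

@dataclass(frozen=True)
class PaymentRequest:
    payee: str
    account: str
    amount: float
    requested_on: date

COOLING_OFF = timedelta(days=14)   # assumed policy: recent changes need a callback
DUAL_APPROVAL_OVER = 50_000.0      # assumed policy: large amounts need two approvers

def payment_decision(req: PaymentRequest, master: dict) -> tuple:
    """Return (decision, reason). Mirrors the controls the article describes:
    unknown payee -> block; account not matching the verified record -> block;
    recently changed details or large amounts -> hold for human confirmation."""
    supplier = master.get(req.payee)
    if supplier is None:
        return "BLOCK", "payee is not a verified third party"
    if req.account not in supplier.accounts:
        return "BLOCK", "beneficiary account does not match verified details"
    if req.requested_on - supplier.last_change < COOLING_OFF:
        return "HOLD", "verified details changed recently; confirm by callback"
    if req.amount > DUAL_APPROVAL_OVER:
        return "HOLD", "amount exceeds single-approver limit; dual approval needed"
    return "RELEASE", "beneficiary and amount match the verified record"

# Constructed sample master data (hypothetical suppliers, sample IBANs).
MASTER = {
    "Acme Components": VerifiedSupplier("Acme Components",
        frozenset({"DE89 3704 0044 0532 0130 00"}), date(2023, 1, 10)),
    "Northern Logistics": VerifiedSupplier("Northern Logistics",
        frozenset({"GB29 NWBK 6016 1331 9268 19"}), date(2024, 5, 28)),
}

def decide(payee: str, account: str, amount: float, requested_iso: str, master=MASTER):
    """Convenience wrapper taking plain values; the request date is an ISO string."""
    return payment_decision(PaymentRequest(payee, account, amount,
                                           date.fromisoformat(requested_iso)), master)
```

Run against the article’s “urgent acquisition” request, `decide("Carolina Holdings", "ACCT-NEW-0001", 119_833.0, "2024-06-01")` (a constructed payee and account) is blocked because the payee is not a verified third party, regardless of how convincing the email was.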

Demo Trustpair today to find out how to protect your business.


To conclude…

Phishing and smishing are two forms of fraud that attempt to compromise businesses or steal bank account information. They are perpetrated through scam emails or unsolicited fake text messages, and fraud detection and prevention measures are the best way to protect your business.


Frequently asked questions

A common smishing scam that businesses fall for involves the impersonation of the IRS. The fraudster sends a text message stating that all individuals at a specific workplace are coming under investigation, hoping at least one of these employees clicks on a malicious link in the message and inputs their details. If successful, the scammers could make off with confidential business information alongside personal social security numbers, credit card information, and more.

Smishing is a type of phishing perpetrated through text messages instead of emails. One example is when cybercriminals pretend to be a financial institution such as a bank and tell the victim that their payment has failed. The message instructs the victim to input their real account data, which the fraudsters can then use to defraud the victim.

Smishing targets mobile phones through text messages but phishing targets computers by email. Both are impersonation scams where the perpetrator pretends to be someone close to the victim, in order to compromise the victim’s security.