What is smishing?

Smishing is a type of phishing to obtain confidential information (passwords, bank details, etc.) from users. The Spanish National Cybersecurity Institute (INCIBE), through its Internet Security Office (OSI), and Bank of Spain, have warned of a notable increase in smishing attacks against bank customers. Below we explain what it is and we will give you some basic security tips to protect yourself.

What is it and what is it for?

Smishing is a type of social engineering attack that is carried out via mobile phone messaging or SMS. The aim is to obtain personal information, passwords, credit card numbers and/or bank account numbers and, in general, any type of sensitive or confidential information that allows cybercriminals to commit electronic scams or fraud.

 To achieve their purpose, the attacker will use the identity of people and organisations. For example, if they want to obtain their victim's bank details in order to commit a scam or fraud, attackers will send SMS messages pretending to be that person's bank (SMS Spoofing) in order to obtain their access details for online banking (username and password) and the one-time code that is sent to the user's mobile to confirm access.

How is it done?

The attackers send messages via instant messaging or by SMS in which they pose as an organisation or entity trusted by their victims and notify you, for example, of an unauthorised charge, a fraudulent transaction, unauthorised access, or even the need for authentication or security improvements. The aim of these messages is to alarm the user so they take a certain action without giving it too much thought.

The message may ask the user to call a certain telephone number to carry out the procedure, where the details that the attacker needs will be requested; or to click on a link that will redirect to a malicious website, where the user will be asked to enter their electronic banking credentials (username and password) or other sensitive data.

Smishing is the simplest variant of this type of attack, although cybercriminals may perform more elaborate scams, such as SMS Spoofing, since these attacks are more difficult for users to detect.

With SMS Spoofing, attackers manage to make the messages appear in the name of the Bank itself, even intercepting our actual message thread with the bank. They can achieve this thanks to services that set the sender. That is, they set the user that sends the message. Therefore, it is advisable to never trust messages that ask for personal or banking information and to contact your bank through official channels to confirm whether the message was authentic, and to report the message.

Fraud through SMS with call redirection

There is a new modality of SMS fraud that, using a safety issue, cybercounts urge the user to introduce a code on the phone with which he would be configuring a redirection of calls. The number of the alleged code will be the one that receives the calls aimed at users.

The consequences of this type of fraud is that financial operations as a transfers authorization are confirmed by the attacker, assuming important economic losses for the client.

Security recommendations: how to avoid smishing

Given the high rates of smishing and SMS Spoofing, it is best to adopt some recommendations and safety habits:

  • Take a guarded approach to any messages or SMS messages asking for sensitive data, asking you to go to a website or use a QR code. If you have any doubts, it is advisable to contact the sending company or administration through its official communication channels to ensure that it is not a fraudulent activity. 
  • Do not enter configuration codes on your keyboard.
  • Never respond to requests for access details: user and password, access code that are sent by SMS to your mobile phone to confirm transactions or procedures, and never provide any other personal or banking details
  • Do not click on links to websites that are sent to you via instant messaging or  sms, or by email. Go to the page you are looking for directly through a browser or a search engine and not through suspicious links or QR codes.
  • Set up alerts on your banking app to detect unauthorised access or transactions. 
  • If in doubt, contact the bank or organisation through its official communication channels (customer service number, contact via website or email). 
  • Remember that, as a banking institution, Banco Santander will never ask you for your banking details via text message or unexpected telephone calls.

At Banco Santander we have a telephone number for this type of report. If you suspect that you have received a Smishing or SMS Spoofing, forward the SMS to 638 444 542.

Remember that you can also report suspicious emails to the phishing@gruposantander.es mailbox. If you have given confidential data, keys, passwords or detect unwanted movements in your accounts, call Superlínea 915 123 123.


You might be interested in