Smishing (text message phishing) continues to grow in popularity. Smishing attacks can be difficult to catch, especially because both legitimate and phishy text messages tend to use shortened URLs. A URL is the web address of a page. Typically, the URL shows you where a link will take you. For example, a URL like https://blog[dot]knowbe4[dot]com/why-should-we-care-about-personal-smishing-attacks will take you to a KnowBe4 blog post about personal smishing attacks.
Because text messages have character limits, including a full URL is not practical. Instead, URL shortening programs are used to create a redirect link. For example, this shortened URL https://bit[dot]ly/3gUpTk1 will redirect you to the blog post mentioned above—or will it? There is no way for you to know where that shortened URL will send you. Cybercriminals often use this technique to redirect you to a malicious website or to a download page for malware. Don’t be fooled!
Follow these tips to spot a potential smishing attack:
- Think before you click. Were you expecting this message? When did you give this company your phone number? Did you sign up for text notifications?
- Be cautious of a sense of urgency. The bad guys often use words like “urgent” or “ATTENTION” to try to trick you into impulsively clicking a malicious link.
- If you think the text message could be legitimate, try typing the shortened URL into a URL expander tool, such as GetLinkInfo or ExpandURL. These tools will reveal where the shortened URL will direct you, without taking you to the redirected site.
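What a URL expander does behind the scenes, shown as an added Python example that is not part of the original newsletter: it asks the shortening service where the link points and reads the redirect's Location header, without ever requesting the destination site. The shortener list beyond bit.ly, the function names and the hop limit are assumptions made for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Hosts treated as shorteners. bit.ly appears in the article; the others are
# assumptions added for illustration, and the set is not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
REDIRECT_CODES = (301, 302, 303, 307, 308)


def head_location(url):
    """Send one HEAD request and return (status, Location header or None).

    http.client never follows redirects, so only `url` itself is contacted.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=5)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=head_location, max_hops=5):
    """Return the redirect chain, stopping before any non-shortener host."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or host not in SHORTENERS:
            break  # destination reached: report it, do not request it
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break  # shortener did not redirect (expired or unknown link)
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            break  # redirect loop
        chain.append(nxt)
    return chain
```

The last entry of the returned chain is the address to inspect; if it is still a shortener host, the chain was cut off by the hop limit, a loop or a dead link.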
Stop, Look, and Think. Don’t be fooled.
The KnowBe4 Security Team