A member of our leadership team received a SMiShing (SMS Phishing) message that appeared to be from the Royal Mail, and almost clicked it.
Phishing scams, including SMiShing attacks, are one of the most common ways threat actors attempt to steal personal information, which threatens the security of both individuals and organisations. Read on for a real-life SMiShing example: how one of our team almost fell for a recent attack.
The SMiShing attack
Below, you can see the SMiShing text that was sent to one of our leadership team members.
It reads: “Royal Mail: Your Package Has A £2.99 Unpaid Shipping Fee, Pay Now at royalmail-scheduled-delivery.com, If not paid a return to sender will be requested.”
Clicking the link takes the recipient to a very convincing fake mobile site.
From a social engineering perspective, you have to admire the tactics employed. The SMiShing text was sent late in the evening to catch people when they may not be at their mental best, but not so late that everyone would be asleep.
‘Royal Mail:’ is the first thing a recipient would read, and if the text is only given a cursory, tired-eyed scan, ‘royalmail’ is the only part of the URL they may pick up.
The message also conveys a sense of urgency (i.e. ‘if not paid…’), which is a tactic commonly employed by threat actors to pressure recipients into complying.
Spoofing the Royal Mail is a clever strategy to achieve maximum applicability and impact. It’s the same reason that SMiShing texts and phishing emails often come from companies like Amazon; almost everyone has used the Royal Mail or Amazon at some point.
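The two cues discussed above, a brand name buried in a lookalike domain and pressure phrases such as 'pay now', can be turned into a simple defender-side triage check. This is an added example, not code from the original post; the brand allowlist, the urgency phrase list and the sample messages are assumed values constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of the domains each brand really uses (illustrative, not authoritative).
BRAND_DOMAINS = {
    "royalmail": {"royalmail.com"},
    "amazon": {"amazon.co.uk", "amazon.com"},
}
# Pressure phrases of the kind the message quoted above relies on.
URGENCY_PHRASES = ("pay now", "if not paid", "unpaid", "return to sender")
# Two-label public suffixes, so that "co.uk" is not mistaken for a registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}
# Bare or scheme-prefixed hostnames with an optional path; a trailing comma ends the match.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s,]*)?", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """'www.royalmail.com' -> 'royalmail.com'; 'shop.amazon.co.uk' -> 'amazon.co.uk'."""
    labels = host.lower().strip(".").split(".")
    take = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def hostname(url: str) -> str:
    if "://" not in url:
        url = "http://" + url  # urlparse only fills .hostname when a scheme is present
    return (urlparse(url).hostname or "").lower()


def analyse_sms(text: str) -> dict:
    """Flag URLs whose host name-drops a brand while belonging to a different registrable domain."""
    lookalikes = []
    for url in (m.group(0) for m in URL_RE.finditer(text)):
        host = hostname(url)
        reg = registrable_domain(host)
        squashed = host.replace("-", "").replace(".", "")  # 'royalmail-scheduled-delivery.com' keeps 'royalmail'
        for brand, legit in BRAND_DOMAINS.items():
            if brand in squashed and reg not in legit:
                lookalikes.append((host, brand))
    urgency = [p for p in URGENCY_PHRASES if p in text.lower()]
    return {"lookalikes": lookalikes, "urgency": urgency,
            "suspicious": bool(lookalikes) and bool(urgency)}


# Constructed samples: the message quoted above, and a benign tracking text for comparison.
SCAM_SMS = ("Royal Mail: Your Package Has A £2.99 Unpaid Shipping Fee, Pay Now at "
            "royalmail-scheduled-delivery.com, If not paid a return to sender will be requested.")
BENIGN_SMS = "Royal Mail: your item is out for delivery, track it at https://www.royalmail.com/track-your-item"

if __name__ == "__main__":
    for sms in (SCAM_SMS, BENIGN_SMS):
        print(analyse_sms(sms))
```

The check is deliberately coarse: a domain that mentions a brand is not proof of fraud, so the result is a triage signal for a user-reporting or SMS-filtering pipeline rather than a verdict.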
Shaun Peapell, Rootshell Security’s VP of Global Threat Services, went on to say: “SMiShing attacks are a very powerful tool to socially engineer the target victim. These attacks can also become very personal, where the attacker can potentially ‘spoof’ the originator or sender’s number by manipulating the 11 character / number identifying the caller. By doing so, an SMS text can often fool the most diligent user!”
Worried about SMiShing attacks? Find out how you can protect your organisation.