Abstract
Short Message Service (SMS) messaging plays a key role in many people’s lives, allowing communication between friends, family and businesses through the convenient use of a mobile phone. At the same time, criminals are able to use this technology to their own benefit, for example by sending phishing messages that persuade their victims to share sensitive information or install dangerous software on their devices. Indeed, Proofpoint’s State of the Phish report found that 81% of surveyed US organisations had faced smishing attacks, a type of phishing attack via SMS message, in 2020.
Although phishing is well studied, the amount of research into SMS-based phishing is somewhat limited. Therefore, this study addresses the lack of insight into SMS-based phishing, investigating which techniques/tactics are used by malicious senders to disguise, and by honest recipients to identify, SMS-based phishing. Using an online questionnaire, a total of 576 participants’ opinions on 20 text messages (10 genuine and 10 phishing) were gathered. The results show that 73.4% of the SMS messages were categorised correctly, and that a number of factors, such as shortened URLs, inconsistent metadata/content, urgency cues, and age, play a positive role in identifying phishing attacks.
References
Abroshan, H., Devos, J., Poels, G., Laermans, E.: Phishing attacks root causes. In: Cuppens, N., Cuppens, F., Lanet, J.-L., Legay, A., Garcia-Alfaro, J. (eds.) CRiSIS 2017. LNCS, vol. 10694, pp. 187–202. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76687-4_13
Anti-Phishing Working Group [APWG]: APWG Phishing Activity Trends Report 3rd Quarter 2019 (2019). https://docs.apwg.org/reports/apwg_trends_report_q3_2019.pdf
Balduzzi, M., Gupta, P., Gu, L., Gao, D., Ahamad, M.: MobiPot: understanding mobile telephony threats with honeycards. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 723–734 (2016). https://doi.org/10.1145/2897845.2897890
Balim, C., Gunal, E.S.: Automatic detection of smishing attacks by machine learning methods. In: 2019 1st International Informatics and Software Engineering Conference (UBMYK), Ankara, Turkey (2019). https://doi.org/10.1109/UBMYK48245.2019.8965429
Deloitte: Smartphone accessories market to ring up revenues of £1.9bn in 2020 as UK reaches ‘peak’ handset ownership (2019). https://www2.deloitte.com/uk/en/pages/press-releases/articles/smartphone-accessories-market-to-ring-up-revenues-of-1-point-9-billion-pounds-in-2020.html
Dong, X., Clark, J.A., Jacob, J.: Modelling user-phishing interaction. In: 2008 Conference on Human System Interactions, Human System Interactions, pp. 627–632 (2008). https://doi.org/10.1109/HSI.2008.4581513
Harrison, B., Svetieva, E., Vishwanath, A.: Individual processing of phishing emails. Online Inf. Rev. 40(2), 265–281 (2016)
Ho, G., et al.: Detecting and characterizing lateral phishing at scale. In: 28th USENIX Security Symposium, USENIX Security 2019, pp. 1273–1290 (2019). ISBN 978-1-939133-06-9
Inspired eLearning: Phishing Statistics – The Rising Threat to Business (2017). https://inspiredelearning.com/blog/phishing-statistics-facts/
Jackson, C., Simon, D.R., Tan, D.S., Barth, A.: An evaluation of extended validation and picture-in-picture phishing attacks. In: Dietrich, S., Dhamija, R. (eds.) FC 2007. LNCS, vol. 4886, pp. 281–293. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77366-5_27
Jain, A.K., Gupta, B.B.: Rule-Based Framework for detection of smishing messages in mobile environment. Proc. Comput. Sci. 125, 617–623 (2018). https://doi.org/10.1016/j.procs.2017.12.079
Jakobsson, M.: Two-factor in authentication – the rise in SMS phishing attacks. Comput. Fraud Secur. 2018(6), 6–8 (2018). https://doi.org/10.1016/S1361-3723(18)30052-6
Jensen, M.L., Dinger, M., Wright, R.T., Thatcher, J.B.: Training to mitigate phishing attacks using mindfulness techniques. J. Manag. Inf. Syst. 34(2), 597–626 (2017). https://doi.org/10.1080/07421222.2017.1334499
Joo, J.W., Moon, S.Y., Singh, S., Park, J.H.: S-Detector: an enhanced security model for detecting smishing attack for mobile computing. Telecommun. Syst. 66(1), 29–38 (2017). https://doi.org/10.1007/s11235-016-0269-9
Khonji, M., Iraqi, Y., Jones, A.: Phishing detection: a literature survey. IEEE Commun. Surv. Tutor. 15(4), 2091–2121 (2013). https://doi.org/10.1109/SURV.2013.032213.00009
Kim, W., Jeong, O.-R., Kim, C., So, J.: The dark side of the internet: attacks, costs and responses. Inf. Syst. 36(3), 675–705 (2011). https://doi.org/10.1016/j.is.2010.11.003
Le Page, S., Jourdan, G.V., Bochmann, G.V., Flood, J., Onut, I.V.: Using URL shorteners to compare phishing and malware attacks. In: eCrime Researchers Summit 2018, May, pp. 1–13 (2018). https://doi.org/10.1109/ECRIME.2018.8376215
Mishra, S., Soni, D.: A content-based approach for detecting smishing in mobile environment. In: Proceedings of International Conference on Sustainable Computing in Science, Technology and Management (SUSCOM), Amity University Rajasthan, Jaipur, India, 26–28 February 2019 (2019)
Nicho, M., Fakhry, H., Egbue, U.: When spear phishers craft contextually convincing emails. In: Proceedings of the IADIS International Conference on WWW/Internet, pp. 313–320 (2018)
Patel, D., Luo, X.: Take a close look at phishing. In: Proceedings of the 4th Annual Conference on Information Security Curriculum Development, Kennesaw, GA, USA (2007)
Proofpoint: 2021 State of the Phish - An In-Depth Look at User Awareness, Vulnerability and Resilience (2021). https://www.proofpoint.com/sites/default/files/threat-reports/gtd-pfpt-uk-a4-r-state-of-the-phish-2021.pdf
Sahingoz, O.K., Buber, E., Demir, O., Diri, B.: Machine learning based phishing detection from URLs. Exp. Syst. Appl. 117, 345–357 (2019). ISSN 0957-4174. https://doi.org/10.1016/j.eswa.2018.09.029
Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L., Downs, J.: Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2010, pp. 373–382. Association for Computing Machinery, New York (2010). https://doi.org/10.1145/1753326.1753383
Siadati, H., Nguyen, T., Gupta, P., Jakobsson, M., Memon, N.: Mind your SMSes: mitigating social engineering in second factor authentication. Comput. Secur. 65, 14–28 (2017). https://doi.org/10.1016/j.cose.2016.09.009
Sonowal, G., Kuppusamy, K.S.: SmiDCA: an anti-smishing model with machine learning approach. Comput. J. 61(8), 1143–1157 (2018). https://doi.org/10.1093/comjnl/bxy039
Verizon: 2019 Data Breach Investigations Report (2019). https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf
Verizon: 2020 Data Breach Investigations Report (2020). https://enterprise.verizon.com/resources/reports/dbir/
Wandera: Mobile Phishing Report (2018). http://go.wandera.com/rs/988-EGM-040/images/mobile-phishing-report.pdf
Wandera: Understanding the key trends in mobile enterprise security in 2020 (2020). http://go.wandera.com/rs/988-EGM-040/images/Mobile%20Threat%20Landscape%202020.pdf
Wardman, B.: Assessing the gap: measure the impact of phishing on an organization. In: Annual ADFSL Conference on Digital Forensics, Security and Law. 2 (2016). https://commons.erau.edu/adfsl/2016/thursday/2
Whittaker, C., Ryner, B., Nazif, M.: Large-scale automatic classification of phishing pages (2010)
Appendix
Genuine messages.
Phishing messages.
Copyright information
© 2021 IFIP International Federation for Information Processing
About this paper
Cite this paper
Clasen, M., Li, F., Williams, D. (2021). Friend or Foe: An Investigation into Recipient Identification of SMS-Based Phishing. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2021. IFIP Advances in Information and Communication Technology, vol 613. Springer, Cham. https://doi.org/10.1007/978-3-030-81111-2_13
DOI: https://doi.org/10.1007/978-3-030-81111-2_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-81110-5
Online ISBN: 978-3-030-81111-2
eBook Packages: Computer Science, Computer Science (R0)