Smishing
SMS-based attacks involve deceptive messages that appear to come from legitimate sources, such as banks, delivery services, or trusted institutions, to trick recipients into providing sensitive information or clicking on malicious links. In the context of Lucy, a smishing attack can be a or attack.
Before initiating any SMS campaigns, it's essential to submit whitelisting information to the SMS providers. This step ensures that your campaign's traffic is permitted across all relevant carrier networks, preventing potential delivery issues or restrictions.
Allow a minimum of 4 weeks for the whitelisting process to complete.
Enable the bit.ly URL shortener in the attack scenario settings.
Shortening the URL helps keep your SMS under the character limit.
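A pre-flight length check for the message body once %link% is substituted, added here as an example and not part of Lucy. It assumes the shortened bit.ly address is what replaces %link% in the delivered SMS; the template text and both URLs are constructed samples.

```python
import math

# GSM 03.38 default alphabet: each of these characters costs one septet.
GSM7_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# Extension-table characters cost two septets (escape + character).
GSM7_EXT = set("^{}\\[~]|€")

# Constructed sample values, not taken from any real campaign.
TEMPLATE = ("ExampleCorp notice (constructed sample text for a simulated "
            "campaign). Please review the details at the following address: %link%")
LONG_URL = "https://awareness.example.com/c/7f3a9c21/landing?r=4b1d22e09a"
SHORT_URL = "https://bit.ly/3xAmPlE"


def render(template, link):
    """Substitute the %link% variable as it will appear in the sent SMS."""
    return template.replace("%link%", link)


def sms_segments(text):
    """Return (encoding, units, segments) for an SMS body.

    Segment counts use the standard limits: 160 units for a single GSM-7
    message (153 per part when concatenated), 70 for UCS-2 (67 per part).
    The rule that an escape pair is never split across parts is ignored.
    """
    if all(c in GSM7_BASIC or c in GSM7_EXT for c in text):
        units = sum(2 if c in GSM7_EXT else 1 for c in text)
        enc, single, multi = "GSM-7", 160, 153
    else:
        # One character outside GSM-7 forces the whole message to UCS-2.
        units = len(text.encode("utf-16-be")) // 2
        enc, single, multi = "UCS-2", 70, 67
    segments = 1 if units <= single else math.ceil(units / multi)
    return enc, units, segments


if __name__ == "__main__":
    for label, url in (("long", LONG_URL), ("short", SHORT_URL)):
        enc, units, parts = sms_segments(render(TEMPLATE, url))
        print(f"{label:5} link: {enc}, {units} units, {parts} segment(s)")
```

A single typographic quote or emoji in the copy submitted for whitelisting switches the whole message to UCS-2 and drops the single-message limit to 70.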
SMS messages are more strictly controlled than emails. Carriers will reject your messages unless you use a registered sender. The process for each SMS provider is as follows:
Once your information has been successfully whitelisted, you will be able to initiate your smishing campaign. This can take as little as 4 days or as long as 4 weeks, depending on the country or countries in question and their response time to the request.
Your SMS will not be delivered without a registered sender.
The originator can be an alphanumeric string (e.g. BrandName), a shortcode (e.g. 1234), or a mobile virtual number.
The country where the company owning the originator is registered.
The legal name of the company owning the originator.
The corporate URL of the company owning the originator.
Agriculture, Education, Technology, etc.
Any URL that may be contained in the SMS specifically sent with the originator you are registering. In Lucy, this will be the value of the %link% variable.
Any other URLs present in the message.
How SMS is used in your service. If you need to clarify an answer provided in any other field, you can do so here. If the originator or brand you are registering differs from the legal company name or URL, please explain why in the description. A lack of relationship between the registering company and the originator is the most common cause for rejection.
A copy of the SMS you will send in the campaign.
To help employees recognize and respond to hyperlink phishing attempts effectively, the following user detection methods can be incorporated into training programs:
Unfamiliar numbers: Be cautious of text messages from unknown or unrecognized phone numbers, especially if they ask for sensitive information or contain urgent requests.
Spelling and grammar errors: Smishing messages often contain unusual grammar, spelling mistakes, or awkward phrasing, which can indicate a fraudulent source.
Verify links before clicking: Hover over or long-press any links in the message to inspect the URL. Fraudulent links often use misspelled brand names or suspicious web addresses.
Be wary of urgency: Smishing attacks commonly try to create a sense of panic or urgency, pushing users to act without thinking. Messages that demand immediate action, like "Your account will be locked," should be treated with suspicion.
Avoid sharing personal information: Legitimate organizations rarely ask for sensitive information (like passwords or credit card details) via SMS. Always verify through official channels if you're unsure.
Cross-check with official sources: If a message claims to be from a known service or institution, contact them directly using their official website or customer support to confirm its legitimacy.
Choose your country to see the specific .
Provide all necessary information to our so they can register an originator (sender) for you. See below for details.