Smishing
Understanding the Attack
SMS-based attacks involve deceptive messages that appear to come from legitimate sources, such as banks, delivery services, or trusted institutions, to trick recipients into providing sensitive information or clicking on malicious links. In the context of Lucy, a smishing attack can be a hyperlink or data-entry attack.
Checklist
Enable the bit.ly URL shortener in the attack scenario settings
Shortening the URL helps keep your SMS under the character limit.
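The effect of the shortener on the character limit can be checked before a campaign is sent. The following is an added example, not code from Lucy or MessageBird: it expands %link% in a template and counts SMS segments. It assumes the standard SMS limits (160/153 units for GSM-7, 70/67 for UCS-2), which the page does not state; the function names, template and URLs are constructed placeholders.

```python
# Added example (not Lucy code): SMS segment count after %link% is expanded.
# GSM 03.38 default alphabet; extension characters cost two septets each.
GSM7_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
GSM7_EXT = set("^{}\\[~]|€")


def expand(template, link):
    """Substitute the %link% variable the way the final SMS will carry it."""
    return template.replace("%link%", link)


def sms_segments(text):
    """Return (encoding, units, segments) for one SMS body."""
    if all(c in GSM7_BASIC or c in GSM7_EXT for c in text):
        enc, single, multi = "GSM-7", 160, 153
        costs = [2 if c in GSM7_EXT else 1 for c in text]
    else:
        # One character outside GSM-7 switches the whole message to UCS-2.
        enc, single, multi = "UCS-2", 70, 67
        costs = [2 if ord(c) > 0xFFFF else 1 for c in text]
    units = sum(costs)
    if units <= single:
        return enc, units, 1
    # Concatenated SMS: a two-unit character is never split across segments.
    segments, used = 1, 0
    for cost in costs:
        if used + cost > multi:
            segments, used = segments + 1, 0
        used += cost
    return enc, units, segments


if __name__ == "__main__":
    # Constructed sample template and URLs (placeholders, not real campaign data).
    template = ("Security awareness notice: please review the updated "
                "mobile device policy before Friday at %link%")
    long_url = ("https://training.example.com/campaign/landing"
                "?recipient=0123456789abcdef0123456789abcdef&scenario=42")
    short_url = "https://bit.ly/EXAMPLE"
    for label, url in (("long", long_url), ("short", short_url)):
        print(label, sms_segments(expand(template, url)))
```

A single non-GSM character in the template, such as a curly quote pasted from a word processor, drops the single-message limit from 160 to 70 units.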
Registered Senders
SMS messages are more strictly controlled than emails. Carriers will reject your messages unless you use a registered sender. The process for each SMS provider is as follows:
Choose your country to see the specific requirements for SMS campaigns.
Provide all necessary information to our technical support team so they can register an originator (sender) for you. See below for details.
Once your information has been successfully whitelisted, you will be able to initiate your smishing campaign. This can take as little as 4 days or as long as 4 weeks; it depends on the country or countries in question and their response time to the request.
If you opt for the Custom integration using your own MessageBird account, you will need to directly submit your whitelisting information to MessageBird Support.
Registered Originator (Sender) Information
Your SMS will not be delivered without a registered sender.
Originator
The originator can be an alphanumeric string (e.g. BrandName), a shortcode (e.g. 1234), or a mobile virtual number.
Originator Legal Company Country
The country where the company owning the originator is registered.
Originator Legal Company Name
The legal name of the company owning the originator.
Originator Corporate URL
The corporate URL of the company owning the originator.
Industry Vertical
Agriculture, Education, Technology, etc.
Call to Action URL
Any URL that may be contained in the SMS specifically sent with the Originator you are registering. In Lucy, this will be the value of the %link% variable.
Other CTA(s)
Any other URLs present in the message.
Description of Use Case
How SMS is used in your service. If you need to clarify any answer provided in any other fields, you can do so here. If the originator or brand you are registering differs from the legal company name or URL, please explain why in the description. A lack of relationship between the registering company and the originator is the most common cause for rejection.
SMS Template
A real example of what your SMS will look like.
User Detection Methods
To help employees recognize and respond to hyperlink phishing attempts effectively, the following user detection methods can be incorporated into training programs:
Unfamiliar numbers: Be cautious of text messages from unknown or unrecognized phone numbers, especially if they ask for sensitive information or contain urgent requests.
Spelling and grammar errors: Smishing messages often contain unusual grammar, spelling mistakes, or awkward phrasing, which can indicate a fraudulent source.
Verify links before clicking: Hover over or long-press any links in the message to inspect the URL. Fraudulent links often use misspelled brand names or suspicious web addresses.
Be wary of urgency: Smishing attacks commonly try to create a sense of panic or urgency, pushing users to act without thinking. Messages that demand immediate action, like "Your account will be locked," should be treated with suspicion.
Avoid sharing personal information: Legitimate organizations rarely ask for sensitive information (like passwords or credit card details) via SMS. Always verify through official channels if you're unsure.
Cross-check with official sources: If a message claims to be from a known service or institution, contact them directly using their official website or customer support to confirm its legitimacy.