These days, SMS messages are clearly the preferred way for many people to communicate, even with brands, companies, and offices with whom they do business. Your dentist might use a text message to confirm your appointment, your favorite neighborhood coffee shop might let you know they’re running a special deal for loyal customers, or your mobile carrier might let you know about a discount if you upgrade your smartphone this month. And if you’ve gotten one of these messages, you may have noticed that the sender number doesn’t always appear as a full 10-digit phone number, but may instead be a four-to-six-digit number. That short number is called a “short code.”
Numerous legitimate companies use short codes for a variety of reasons. They’re designed to be easier to read and remember than telephone numbers, and each is typically unique to the business that uses it, which prevents overlap. However, legitimate companies aren’t the only ones to embrace the SMS and short code trend. Cybercriminals are also using this medium as a way to steal information and deliver mobile malware.
In an SMS phishing, or “smishing,” attack, targets receive a text message that uses a short code. Often, these messages mimic the legitimate ones you might get, e.g., “Banking fraud alert: confirm your bank transaction.” This type of message would include a shortened link for you to open, but doing so would usually lead to a malicious app being installed on your smartphone. Once installed, the malicious app could track your keystrokes, steal your identity, or encrypt the files on your phone and hold them for ransom. Just like with a phishing email, criminals will use SMS messages to trick users into visiting bad websites or downloading bad apps.
A trusted mobile security app can help keep you safe. But, just like with phishing emails, avoiding smishing scams requires extra vigilance on your part. For example, if you get a message from a short code with a package notification, don’t open, click, or respond to it unless you know you’re expecting a package. And even then, we recommend you err on the side of skepticism with any messages from unknown senders.