Last week, the antivirus software company McAfee announced that they’d seen several examples of malicious software targeting people via SMS. McAfee dubbed these “SMiShing attacks,” for “SMS phishing.” (Phishing is a kind of fraud where people send bogus email messages, purportedly from some official source like your credit card company or a government, to try to trick you into giving up your personal information or clicking on a dangerous URL.)
The way these attacks worked is that people would receive an SMS message saying something like “You’ve just been subscribed to a dating service!” or “This is your cell phone company. Click here to download our cell phone antivirus software.” Then, if people responded to that SMS message — either by replying to the SMS or by following the URL embedded in it — something bad would happen. In one case people were charged $2 when they tried to unsubscribe from a bogus dating service. In another case, clicking on the link loaded “Trojan Horse” software onto your phone, disabling it.
Does this mean that you need to start worrying about SMS viruses? Not really. Both attacks were fairly small, and they were limited to European cell phone users. Also, the victims had to have a particular cell phone model for the attacks to work. All in all, these were pretty weak security attacks.
Still, the attacks underscore an important lesson: Don’t act on anything in an SMS text message unless you know, and trust, the sender. Even if you get a message that says it’s from your cellular carrier, don’t click on any links in the message or reply to it. Instead, dial your carrier’s usual customer service phone number — or visit your carrier’s web site — to investigate the offer before doing anything about it.