Text phish messages, referred to as Smishing is a type of social engineering
attack where fake text messages are created, and used to lure users into
responding to those messages. These messages aim to obtain user credentials,
install malware on the phones, or launch smishing attacks. They ask users to
reply to their message, click on a URL that redirects them to a phishing
website, or call the provided number. Thousands of mobile users are affected by
smishing attacks daily. Drawing inspiration by the works of Tu et al. (USENIX
Security, 2019) on Robocalls and Tischer et al. (IEEE Symposium on Security and
Privacy, 2016) on USB drives, this paper investigates why smishing works.
Accordingly, we designed smishing experiments and sent phishing SMSes to 265
users to measure the efficacy of smishing attacks. We sent eight fake text
messages to participants and recorded their CLICK, REPLY, and CALL responses
along with their feedback in a post-test survey. Our results reveal that 16.92%
of our participants had potentially fallen for our smishing attack. To test
repeat phishing, we subjected a set of randomly selected participants to a
second round of smishing attacks with a different message than the one they
received in the first round. As a result, we observed that 12.82% potentially
fell for the attack again. Using logistic regression, we observed that a
combination of user REPLY and CLICK actions increased the odds that a user
would respond to our smishing message when compared to CLICK. Additionally, we
found a similar statistically significant increase when comparing Facebook and
Walmart entity scenario to our IRS baseline.Comment: CODASPY'2