Smishing, also known as SMS phishing, is a type of fraudulent communication
in which an attacker disguises SMS communications to deceive a target into
providing their sensitive data. Smishing attacks use a variety of tactics;
however, they have a similar goal of stealing money or personally identifying
information (PII) from a victim. In response to these attacks, a wide variety
of anti-smishing tools have been developed to block or filter these
communications. Despite this, the number of phishing attacks continue to rise.
In this paper, we developed a test bed for measuring the effectiveness of
popular anti-smishing tools against fresh smishing attacks. To collect fresh
smishing data, we introduce Smishtank.com, a collaborative online resource for
reporting and collecting smishing data sets. The SMS messages were validated by
a security expert and an in-depth qualitative analysis was performed on the
collected messages to provide further insights. To compare tool effectiveness,
we experimented with 20 smishing and benign messages across 3 key segments of
the SMS messaging delivery ecosystem. Our results revealed significant room for
improvement in all 3 areas against our smishing set. Most anti-phishing apps
and bulk messaging services didn't filter smishing messages beyond the carrier
blocking. The 2 apps that blocked the most smish also blocked 85-100\% of
benign messages. Finally, while carriers did not block any benign messages,
they were only able to reach a 25-35\% blocking rate for smishing messages. Our
work provides insights into the performance of anti-smishing tools and the
roles they play in the message blocking process. This paper would enable the
research community and industry to be better informed on the current state of
anti-smishing technology on the SMS platform