Sherlocked Security – AI-Powered Cybersecurity & Penetration Testing
Specialized Attack Simulations

Smishing – SMS Phishing

  • May 9, 2025

Sherlocked Security – Smishing / SMS Phishing

Simulating SMS-Based Social Engineering Attacks to Test User Awareness and Response to Malicious Links and Requests


1. Statement of Work (SOW)

Service Name: Smishing / SMS Phishing
Client Type: Organizations with Mobile-Dependent User Bases, Financial Institutions, E-commerce, Healthtech
Service Model: SMS Phishing Simulation + Malicious Link Testing + User Awareness Assessment
Compliance Coverage: GDPR, SOC 2, PCI-DSS, HIPAA, ISO 27001

Testing Areas:

  • SMS Phishing Attack Simulation
  • Malicious Link Delivery
  • Elicitation of Sensitive Information (Login Credentials, OTPs, Personal Information)
  • Social Engineering via SMS
  • Security Awareness Evaluation

2. Our Approach

[Reconnaissance] → [Target Profiling] → [SMS-Based Phishing Attack Simulation] → [Link and Data Elicitation] → [User Response Testing] → [Security Awareness Evaluation] → [Report Generation & Recommendations]


3. Methodology

[Target Identification] → [SMS Phishing Campaign Setup] → [Phishing Link Delivery] → [Sensitive Information Elicitation] → [User Response Assessment] → [Reporting & Recommendations]


4. Deliverables to the Client

  1. Smishing Attack Simulation Results
  2. Security Awareness Score for Employees / End-Users
  3. Phishing Link Click-Through Rates and User Behavior Insights
  4. Report on Sensitive Data Elicitation (Credentials, OTPs)
  5. Remediation Plan for Awareness Training and Mitigation of Risks
  6. Recommendations for Strengthening SMS-based Authentication
  7. Suggested Process Improvements for Reporting Suspicious SMS

5. What We Need from You (Client Requirements)

  • List of target phone numbers (employees, end-users, or customer base) for simulated attacks
  • Access to any SMS-based user communication systems (e.g., OTP delivery services, customer alerts)
  • Details of any existing SMS-based authentication mechanisms
  • NDA and scope confirmation

6. Tools & Technology Stack

  • Smishing Campaign Tools: SpoonFed, Social-Engineer Toolkit (SET), Gophish, Evilginx
  • SMS Delivery Platforms: Twilio, Nexmo, Plivo
  • Link Tracking: Google Analytics, Bitly
  • Malware Payload Delivery: Custom Link Payloads, Legitimate Service Spoofing
  • Mobile Device Testing: Mobile Testing Frameworks (Android, iOS), Burp Suite

7. Engagement Lifecycle

1. Pre-Engagement Target Profiling → 2. SMS Phishing Simulation Setup → 3. Malicious Link Delivery → 4. Sensitive Information Elicitation → 5. User Response Testing → 6. Reporting and Recommendations → 7. Post-Engagement Awareness Training


8. Why Sherlocked Security?

Feature and Sherlocked Advantage:

  • Realistic Smishing Attacks: Execute SMS phishing campaigns designed to mirror real-world tactics, from fake promotions to urgent security alerts.
  • Link and Payload Testing: Assess how users interact with malicious links, tracking click-through rates and data entered.
  • User Security Awareness Testing: Measure employee or end-user ability to identify malicious SMS and avoid data breaches.
  • In-Depth Reporting & Recommendations: Provide detailed insights into user behaviors, with tailored recommendations for improving defenses against smishing.

9. Real-World Case Studies

E-commerce Smishing Scam

Issue: Attackers sent SMS messages offering fraudulent discounts, prompting users to click on malicious links for coupon redemption.
Impact: Multiple users entered payment information on spoofed e-commerce sites.
Fix: The e-commerce platform added SMS authentication for high-value transactions, enhanced user education, and implemented anti-phishing SMS detection.

Financial Institution Smishing Attack

Issue: Attackers impersonated a bank and requested users to "verify" their account details via a link in an SMS.
Impact: Users entered login credentials and OTPs on the phishing site, leading to unauthorized access to accounts.
Fix: The bank implemented out-of-band authentication methods (e.g., app-based verification) and user training on SMS-based phishing.


10. SOP – Standard Operating Procedure

  1. Target Profiling & Identification

    • Identify users or customers who will be targeted for SMS phishing simulations.
    • Analyze available public information (e.g., phone numbers, job roles) to tailor the messages.
  2. SMS Phishing Campaign Setup

    • Use SMS delivery platforms (e.g., Twilio, Plivo) to send simulated phishing messages.
    • Design SMS content to look like legitimate messages (e.g., system alerts, special promotions, account verification).
    • Include malicious links or phone numbers to be tracked during the simulation.
  3. Link Delivery & Payload Execution

    • Craft links that mimic trusted services (e.g., payment portals, bank login pages).
    • Ensure the link points to a custom landing page that tracks user behavior and extracts sensitive data if entered (e.g., login credentials, OTPs).
  4. Sensitive Data Elicitation

    • Elicit sensitive data such as usernames, passwords, and OTPs.
    • If possible, simulate authentication steps to collect information from users, assessing their response to SMS phishing tactics.
  5. User Response Assessment

    • Track how users respond to the phishing attempt:
      • Click-through rates on malicious links.
      • Submission of personal data (login credentials, OTPs, etc.).
      • Reporting of the phishing attempt (or lack thereof).
    • Evaluate employee awareness and decision-making during the attack.
  6. Reporting & Recommendations

    • Generate a comprehensive report on the campaign results, detailing:
      • User click-through rates and data submitted.
      • Security weaknesses in user behaviors and awareness.
      • Recommendations for better SMS phishing defenses and improvements to SMS-based authentication systems.
    • Provide remediation suggestions, including user education, security protocols, and improvements in the detection of fraudulent SMS.
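Steps 5 and 6 of the SOP describe the measurements that feed the report: click-through rate, data submission rate, reporting rate and how quickly users report. The following is an added example, not Sherlocked's own tooling, of turning a campaign event log into those metrics and an awareness score. The log format (ISO timestamp, pseudonymous recipient id, event name), the sample events and the scoring formula are all assumptions constructed for illustration; a real SMS platform and landing page will emit their own formats, so only `parse_event` should need adapting.

```python
"""Score a smishing simulation from its campaign event log.

Added example; the log format, the sample data and the awareness-score
definition are assumptions, not a Sherlocked deliverable format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: one campaign, five recipients. Recipient ids are
# pseudonymous so the analysis never needs the phone numbers themselves.
SAMPLE_LOG = """\
2025-05-09T09:00:00 r1 sent
2025-05-09T09:00:00 r2 sent
2025-05-09T09:00:00 r3 sent
2025-05-09T09:00:00 r4 sent
2025-05-09T09:00:00 r5 sent
2025-05-09T09:03:10 r1 click
2025-05-09T09:04:40 r1 submit
2025-05-09T09:06:00 r2 click
2025-05-09T09:12:00 r2 report
2025-05-09T09:15:30 r3 report
2025-05-09T10:02:00 r4 click
"""

EVENTS = ("sent", "click", "submit", "report")


def parse_event(line):
    """Parse one 'timestamp recipient event' line (assumed format)."""
    ts, rid, ev = line.split()
    if ev not in EVENTS:
        raise ValueError(f"unknown event {ev!r}")
    return datetime.fromisoformat(ts), rid, ev


def build_funnel(log_text):
    """Map each recipient to {event: first timestamp at which it occurred}."""
    funnel = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rid, ev = parse_event(line)
        funnel[rid].setdefault(ev, ts)  # keep the earliest occurrence only
    return funnel


def campaign_metrics(log_text):
    """Compute the rates listed in SOP step 5 plus an awareness score."""
    funnel = build_funnel(log_text)
    sent = [r for r, f in funnel.items() if "sent" in f]
    n = len(sent)
    clicked = [r for r in sent if "click" in funnel[r]]
    submitted = [r for r in sent if "submit" in funnel[r]]
    reported = [r for r in sent if "report" in funnel[r]]
    # Minutes between delivery and the report, for recipients who reported.
    report_delays = [
        (funnel[r]["report"] - funnel[r]["sent"]).total_seconds() / 60
        for r in reported
    ]
    # Assumed score definition: share of recipients who reported, minus the
    # share who submitted data, scaled to 0..100 and floored at 0.
    score = 100 * (len(reported) - len(submitted)) / n if n else 0.0
    return {
        "recipients": n,
        "click_rate": len(clicked) / n if n else 0.0,
        "submit_rate": len(submitted) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        "clicked_then_reported": sum(1 for r in reported if r in clicked),
        "median_minutes_to_report": median(report_delays) if report_delays else None,
        "awareness_score": max(0.0, round(score, 1)),
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The "clicked then reported" count is worth reporting separately: a user who clicked but then reported the message still ended the exercise in a defensible position, and that group is the best audience for targeted follow-up training.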

11. Smishing / SMS Phishing Checklist

1. Phishing Message Design

  • Craft realistic SMS phishing messages that resemble common alerts (e.g., account security alerts, order confirmations, fake promotional offers).
  • Mimic well-known brands or institutions (banks, e-commerce platforms, government bodies).
  • Include urgent language (e.g., “Account Suspended,” “Immediate Action Required,” “Claim Your Reward Now”).

2. Malicious Link Delivery

  • Use SMS delivery platforms (e.g., Twilio, Plivo) to send the phishing messages to the identified targets.
  • Include a tracking link that mimics a trusted site but leads to a custom landing page designed to collect user data (e.g., login credentials, OTPs).
  • Use link shorteners (e.g., Bitly) or custom domains to obscure the destination URL, making it harder for the target to recognize the malicious link.
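Checklist sections 1 and 2 list the traits a simulated message is built from: urgent wording, imitation of a known brand, and a shortened or look-alike link. The same traits are what an inbound SMS filter, of the kind the e-commerce case study above calls "anti-phishing SMS detection", keys on. The following is an added example, not Sherlocked's tooling, of a heuristic scorer that flags messages carrying those indicators. The shortener list, urgency phrases, weights, the `examplebank` brand and its domain, and the sample messages are all constructed assumptions; a production filter would be tuned on the organisation's own message traffic and sender domains.

```python
"""Heuristic smishing indicator scorer for inbound SMS (defender side).

Added example; indicator lists, weights and the brand/domain mapping are
assumptions for illustration only.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)

# Public link shorteners often seen in SMS (assumed list; extend as needed).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

# Urgency phrases from the checklist above plus a few variants (assumed).
URGENCY = [
    r"account suspended", r"immediate action required", r"claim your reward",
    r"verify (your )?account", r"within 24 hours", r"unusual activity",
]

# Brands the organisation genuinely sends SMS for, with the domains it uses.
# Constructed example values.
BRAND_DOMAINS = {"examplebank": {"examplebank.com"}}


def extract_urls(text):
    return URL_RE.findall(text)


def registered_domain(url):
    """Return the last two labels of the URL's host, lowercased (e.g. 'bit.ly')."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_sms(text):
    """Return (score, reasons); a higher score means more smishing indicators."""
    score, reasons = 0, []
    low = text.lower()
    for pat in URGENCY:
        if re.search(pat, low):
            score += 2
            reasons.append(f"urgency wording: {pat}")
    urls = extract_urls(text)
    for url in urls:
        dom = registered_domain(url)
        if dom in SHORTENERS:
            score += 3
            reasons.append(f"shortened link: {dom}")
        for brand, legit_domains in BRAND_DOMAINS.items():
            if brand in low and dom not in legit_domains:
                score += 4
                reasons.append(f"brand '{brand}' named but link goes to {dom}")
    # A genuine OTP delivery never needs the user to follow a link.
    if urls and re.search(r"\b(otp|one[- ]time (code|password))\b", low):
        score += 3
        reasons.append("mentions an OTP alongside a link")
    return score, reasons


def is_suspicious(text, threshold=5):
    return score_sms(text)[0] >= threshold


# Constructed sample messages for a dry run.
SAMPLES = [
    "ExampleBank: Unusual activity detected. Verify your account within 24 hours: https://bit.ly/xyz123",
    "ExampleBank: Your OTP is 483920. It expires in 5 minutes.",
    "Your parcel is ready. Track at https://examplebank.com/track/1234",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(score_sms(sms), sms)
```

The second sample shows the check that matters most for a bank or e-commerce sender: a legitimate OTP message scores zero because it carries no link, while a message that pairs an OTP request with a link scores high. Brand-to-domain binding is the single strongest signal here, so the `BRAND_DOMAINS` map should be kept in step with the domains the organisation's own SMS gateway actually uses.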

3. Payload Execution & Data Elicitation

  • Ensure that the landing page collects sensitive user data if entered (e.g., username, password, OTP).
  • Set up payloads that mimic genuine login forms or authentication pages to maximize data collection.
  • Track user interactions and gather data such as IP addresses, time spent on the page, and form submissions.

4. User Response Tracking

  • Monitor user interaction with the SMS (click-through rates, form submissions, reporting behavior).
  • Evaluate how quickly users report phishing attempts and whether they follow proper reporting procedures.
  • Track if users attempt to verify the legitimacy of the message (e.g., calling the organization, checking the website directly).

5. Awareness & Education

  • Test employee security awareness by measuring their ability to detect and respond to suspicious SMS phishing attempts.
  • Provide post-engagement education to raise awareness about smishing threats and the importance of vigilance when receiving unsolicited SMS messages.
  • Recommend enhanced security measures, such as SMS-based authentication, and suggest training programs for users on recognizing phishing attempts.

© 2025 Sherlocked. All rights reserved.