Smishing (short for SMS Phishing) is a variant of phishing email scams that uses Short Message Service (SMS) systems to send out bogus text messages. Also written as SMiShing, SMS phishing made recent headlines when a vulnerability in the iPhone's SMS text messaging system was discovered that made smishing on the mobile device possible.
Smishing scams frequently seek to direct the text message recipient to visit a website or call a phone number, at which point the person being scammed is enticed to provide sensitive information such as credit card details or passwords. Smishing websites are also known to attempt to infect the person's phone with malware.
SMS phishing uses cell phone text messages to deliver the bait, persuading people to divulge their personal information. The "hook" (the method used to capture people's information) in the text message may be a website URL. LUCY offers the possibility to simulate such attacks. Creating a smishing campaign is the same as creating a regular phishing campaign. The only difference is that within the message template (formerly the e-mail template) you have to select SMS instead of email as the delivery method.
LUCY has a built-in API that will connect to a centralized LUCY gateway when initializing SMS delivery. The gateway will first verify if the LUCY client has sufficient credits and is allowed to send SMS. If all checks pass, our gateway will connect to an international provider using a second API (MessageBird). This provider will send messages with the settings defined in your LUCY server.
American Clients:
In the United States, specific numbers are to be used with our platform under the 10DLC regime, which requires registering numbers and using them for approved purposes. Numbers and fees associated with the 10DLC regime are paid for and managed by ThriveDX Enterprise. From a regulatory perspective, a 10DLC number is approved and assigned to a specific corporate entity for specific appropriate purposes. A broader 10DLC overview is available at https://support.messagebird.com/hc/en-us/articles/208747865-United-States-10DLC-FAQ
Under this regulatory regime, there are no acceptable use agreements with specific carriers, in the same way that using a credit card does not require an individual agreement with every business. The 10DLC number approved and used for specific purposes is like a passport: a verified credential to use an asset for a specific reason. Similarly, a 10DLC number is revoked if the number operates for purposes outside of its stated and approved purposes. This is the same as if a mail server spoofs email senders, and the same as having your passport no longer recognized as valid.
Other Countries:
Similarly, nations the world over have their own specific and differentiated regulatory requirements. These can limit everything from sender names, to times of day when messages are permitted, to whether links are permitted in messages, to whether numbers can be ‘spoofed’.
For any of the above reasons, messages might not be delivered. In case of doubt, before testing, please consult the list of country restrictions here - https://docs.messagebird.com/connectivity-platform/country-restrictions-and-regulations
In order to use the smishing feature in LUCY, you need:
a) Commercial license (Pro / Elite)
b) Sufficient balance
c) Prior to sending the first SMS, ensure all whitelisting of your smishing campaign is in accordance with the MessageBird country restrictions - https://docs.messagebird.com/connectivity-platform/country-restrictions-and-regulations
You can find your current credit under settings/licence.
You have a button next to the balance which enables you to buy more credits directly within the LUCY GUI.
One SMS costs 15 cents (USD).
After deciding which pricing model you need, you can purchase and activate LUCY in order for this feature to work.
System Setup
All SMS traffic will be routed via our default provider, MessageBird.
Due to strict regulations in France, we've integrated an alternative French provider to enhance our service. Kindly note, utilizing this provider requires additional preparations for whitelisting. Ensure the following requirements are fulfilled prior to initiating testing.
Campaign Setup
A smishing campaign is no different from a regular phishing campaign. Most templates can be used in the same way. The only difference is the delivery method: within the scenario (Base Settings –> Scenario Settings –> Message Settings) you can use either "mail" or "sms" as the delivery method. Choose "SMS". As a sender, you can put a name or phone number (always use the phone number with the country code, for example 49 xxx). The actual phone number should have no "00" or "+" in front, i.e. 41796959611 (41 - Switzerland country code) and not 0041796959611 or +41796959611. See https://en.wikipedia.org/wiki/List_of_country_calling_codes
If the phone number is saved in the recipient's contacts, it will show the corresponding contact information upon arrival of the SMS.
Next, you will need to enter the phone number in your recipient list. Don't forget to also set the correct language (the language should match the language chosen in General Settings (Base Settings –> Scenario settings –> Base Settings)).
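An added example, not part of LUCY or its documentation: a pre-flight check in Python that brings phone numbers into the format described above (country code first, no "00" or "+") and compares the cost at 15 cents per SMS with the available balance. That recipient-list numbers use the same format as the sender number, the 8-digit minimum length, the short country-code table, one SMS per recipient and the sample numbers are all assumptions made for this example.

```python
import re

SMS_COST_CENTS = 15  # price per SMS stated on this page (USD)
# Constructed demo subset of country calling codes, not a complete table.
KNOWN_COUNTRY_CODES = ("1", "33", "41", "44", "49")

def normalize_msisdn(raw):
    """Return digits only, country code first, without "00" or "+"."""
    s = raw.strip().replace("(0)", "")   # "+41 (0)79 ..." trunk-prefix notation
    s = re.sub(r"[ \-./()]", "", s)      # drop visual separators only
    if s.startswith("+"):
        s = s[1:]
    elif s.startswith("00"):
        s = s[2:]
    if not re.fullmatch(r"[0-9]+", s):
        raise ValueError("contains non-digit characters")
    if s.startswith("0"):
        raise ValueError("national format, country code missing")
    if not 8 <= len(s) <= 15:            # 15 is the E.164 maximum; 8 is an assumed floor
        raise ValueError("length outside 8-15 digits")
    if not s.startswith(KNOWN_COUNTRY_CODES):
        raise ValueError("country code not in demo table")
    return s

def preflight(recipients, balance_cents):
    """Normalize a recipient list, drop duplicates, and compare cost to balance.
    Assumes one SMS per recipient (an assumption, not stated on the page)."""
    numbers, rejected = [], []
    for raw in recipients:
        try:
            number = normalize_msisdn(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if number not in numbers:
            numbers.append(number)
    cost = len(numbers) * SMS_COST_CENTS
    return {"numbers": numbers, "rejected": rejected,
            "cost_cents": cost, "affordable": cost <= balance_cents}

# Constructed sample input: the page's example number in several spellings,
# a national-format number, a fictional US number and a junk entry.
SAMPLE = ["41796959611", "+41 79 695 96 11", "0041796959611",
          "+41 (0)79 695 96 11", "0796959611", "+1 (202) 555-0123", "call me"]

if __name__ == "__main__":
    result = preflight(SAMPLE, balance_cents=100)
    for key, value in result.items():
        print(key, "=", value)
```

Rejected entries are returned together with the reason, so the recipient list can be corrected before any credit is spent.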
For further info please check out the support section at: http://support.messagebird.com/hc/en-us