Ashfak Md Shibli

Mir Mehedi A. Pritom, Seyed Mohammad Sanjari, Maraz Mia et al.

SMS Phishing (also known as 'smishing') is a growing deceptive social engineering (SE) attack that leverages mobile SMS to conduct cybercrimes such as stealing sensitive information or spreading malware by tricking users into interacting with attackers' messages (e.g., responding to or clicking URLs). This threat has increased rapidly in recent years, causing $470M in financial losses for United States users in 2024 alone. This threat is also evolving rapidly, meaning that attackers continually adapt their tactics, reshaping the landscape. There is a significant body of literature on investigating smishing attacks and defenses. However, there is no systematic review that reflects the current attack and defense landscape along with available resources (i.e., relevant datasets). This motivates us to systematize the current smishing research efforts, including the following four research pillars: (a) user perception and susceptibility, (b) attack characterization, (c) defense landscape, and (d) smishing datasets. This leads us to propose novel future research directions towards effectively mitigating smishing attacks.

Ashfak Md Shibli, Mir Mehedi A. Pritom, Maanak Gupta

SMS phishing, also known as "smishing", is a growing threat that tricks users into disclosing private information or clicking into URLs with malicious content through fraudulent mobile text messages. In recent past, we have also observed a rapid advancement of conversational generative AI chatbot services (e.g., OpenAI's ChatGPT, Google's BARD), which are powered by pre-trained large language models (LLMs). These AI chatbots certainly have a lot of utilities but it is not systematically understood how they can play a role in creating threats and attacks. In this paper, we propose AbuseGPT method to show how the existing generative AI-based chatbot services can be exploited by attackers in real world to create smishing texts and eventually lead to craftier smishing campaigns. To the best of our knowledge, there is no pre-existing work that evidently shows the impacts of these generative text-based models on creating SMS phishing. Thus, we believe this study is the first of its kind to shed light on this emerging cybersecurity threat. We have found strong empirical evidences to show that attackers can exploit ethical standards in the existing generative AI-based chatbot services by crafting prompt injection attacks to create newer smishing campaigns. We also discuss some future research directions and guidelines to protect the abuse of generative AI-based services and safeguard users from smishing attacks.