
Phishing and Smishing: How they work and what to do about them (Part 2 of 2)

Paul Ducklin
04/28/2025

Phishing in its many forms

In Part 1, we reviewed the various tools, tricks and techniques used in phishing scams to trick you into giving away personal data that you later regret not keeping to yourself.

Although most phishes arrive by email and conclude by luring you to a realistic-looking clone of a website you would usually trust, such as your bank or a courier delivery service, we also covered numerous other ways that phishing scams can start and finish.

Instead of tempting you with web links, some scammers may urge you to call a phone number instead, or to reply to an email or instant message for information on what to do next.

As an example, we referred you to a recent article entitled IC3 scam-reporting service abused by scammers in which we wrote about cybercriminals who ripped off the brand of the IC3 itself – the FBI’s own Internet Complaint Center website.

These scammers played a much longer, human-on-human game than the commonplace “send email/await click” approach of many phishing attacks.

They used fake accounts to join online forums for scam victims, spending time to build up a measure of trust within those groups.

They would pretend to be fraud victims themselves, all the while talking up the great work of the legitimate IC3 website, before providing details of “helpful IC3 contacts” who could be reached by free messaging services such as Telegram.

Of course, those “helpful contacts” were just other members of the scamming team.

This led the victims to feel that they were not being targeted by scammers, because they unwittingly reached out to the scammers of their own accord, rather than directly receiving unsolicited contact from someone they didn’t know.

[Screenshot]

Smishing in real life

In this article, we’re going to look at a variant form of phishing known by the jocular (yet also serious) name of smishing.

We’ll be diving right into the technical details of a smishing scam we received ourselves, on our personal mobile phone.

The letters SMiSh at the start of the name are there to remind us that the initial contact in these scams is made not by email, or by online forum, or by voice call, but with a simple, humble mobile phone text message, commonly known as an SMS, the abbreviation for the jargon term short message service.

As we pointed out in Part 1, the simplicity of smishing attacks can make them surprisingly effective, even among mobile users who consider SMS so old-fashioned and limited that they never use it to send messages themselves:

Firstly, all mobile phone numbers can receive SMSes, whether the user has the latest messaging or social media apps installed or not.

Secondly, the routine use of SMSes for legitimate notifications [by businesses such as courier companies, tradespeople and doctors’ surgeries] has led us to accept them as expected, and even as useful, in our everyday lives.

Additionally, and we’ll see this in the scam we’re diving into, phone-based scams that ask you to reply by text, to call back to a phone number, or to click a web link, are terribly easy to fall for, precisely because you’re already holding and using your phone.

Hours are enough

This scam is also a great reminder of how little time today’s cybercriminals need, because just a few hours are more than enough for a phishing campaign to pay off.

Even if the various online resources set up by the scammers get blocklisted or taken down within their first day of operation, the scam may still have drawn in hundreds or thousands of victims whose online accounts, identities, or payment card details may have been stolen.

As you see below, the malicious domain name used in this smishing campaign was registered through a domain registrar in Hong Kong at 2025-04-25T11:11:16Z, which is 12.11pm in the UK:

[Screenshot]

But just two-and-a-half hours later, at 2.46pm UK time, we received a fraudulent message claiming to be from Evri, a major British courier company, and linking to the newly-registered fake domain.

This message wasn’t actually an SMS, but came through Apple’s iMessage service, though iPhones use the same Messaging app to show you both sorts of message:

[Screenshot]

E.V.R.I Delivery Notification:

Due to incomplete address information, we are having problems delivering your parcel. Please click the following link to update your address within 6-12 hours of receiving the message so that the courier can deliver to you as soon as possible:

[․․․]evri.com-jtrse.top[․․․]

(Please reply with a Y, then exit the text message and open it again to activate the link, or copy the link into your Safari browser and open it)

We will expedite the shipment upon confirmation. Thank you for choosing E.V.R.I!

Intriguingly, the message is grammatically correct with no spelling mistakes, as though it may have been generated by a machine learning algorithm.

But it does read rather strangely, with some punctuation oddities, at least to a speaker of British or Commonwealth English, and it lacks the crisp brevity of a typical text message notification.

Nevertheless, it contains two nasty tricks.

The first trick is to ask recipients to reply to the message with an innocent-sounding Y for “Yes,” which seems harmless enough if you have already decided to respond to the message by clicking through.

We’re guessing that this request was put there because the malicious JavaScript code embedded in the website includes options that ask for MFA codes and bank card PINs, not merely for payment card details.

(This code path was not taken when we triggered the scam, presumably because we entered a made-up credit card number, so we were asked for an expiry date and a security code instead.)

If the scammers receive an early warning in the form of a direct message from a prospective victim, any crooks on duty at cybercrime HQ are alerted that an MFA code with a limited lifetime might be showing up soon.

The second trick is that the domain name com-jtrse.top, when prefixed with the server name evri, produces a URL in your address bar that starts with the reassuring text string https://evri.com․․․, which is a visual match for Evri’s own site, assuming that you visit the site with your mobile browser, which has less room to display full URLs than your laptop.

Indeed, if you decide to be cautious and retype the link on your laptop so you can use a large-screen browser instead, the site detects that you aren’t using a mobile device, and quietly if mysteriously redirects you to Google, leaving you with nothing suspicious to see or to report.
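To show why the lookalike hostname works in a narrow address bar, here is an added example (not code from the article or from the scam site) that parses the host out of a URL and applies a check anchored on the dot boundary rather than on the leading characters; the path /track and the www.evri.com and evri.com.example.net hosts are constructed sample values.

```javascript
// Added example: the host "evri.com-jtrse.top" begins with the same
// letters as "evri.com", so a narrow address bar, or a naive prefix
// comparison, cannot tell them apart. Checking on the label boundary can.
// The path "/track" and the second and third hosts are constructed.
const SAMPLE_URLS = [
  "https://evri.com-jtrse.top/track",   // the lookalike shape from the smish
  "https://www.evri.com/track",         // a genuine subdomain of evri.com
  "https://evri.com.example.net/track", // another lookalike shape (constructed)
];

// What a narrow mobile address bar might show: only the first few characters.
function visiblePrefix(url, width = 16) {
  return url.slice(0, width);
}

// True only if host is exactly `domain` or a subdomain of it.
// "evri.com-jtrse.top" fails this because the character after
// "evri.com" is "-", not "." (a plain startsWith() would pass it).
function isUnderDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, "");
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Classify a URL against the brand it claims to belong to.
function checkUrl(url, expectedDomain) {
  const host = new URL(url).hostname;
  return {
    visible: visiblePrefix(url),       // what the user sees at a glance
    host,                              // what the browser actually connects to
    naiveMatch: host.startsWith(expectedDomain), // the trap the scam relies on
    genuine: isUnderDomain(host, expectedDomain),
  };
}

for (const u of SAMPLE_URLS) {
  const r = checkUrl(u, "evri.com");
  console.log(`${r.visible.padEnd(17)} host=${r.host} naive=${r.naiveMatch} genuine=${r.genuine}`);
}
```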

Here, we used the Tor browser, which was routing our traffic via Sweden at the time, which accounts for the Swedish version of Google’s search page appearing:

[Screenshot]

The browser’s debugger log above shows that the bogus web page used an HTTP POST request to send browser-specific identification data to a special URL on the criminals’ server called /open/visitors/info/createOrGetUserInfo.

This returns the special HTTP response code 302 to tell your browser to redirect elsewhere, and the JSON response data {"redirectURL": "https://www.google.com"} tells the browser where to go instead.

In case you’re wondering, the messages prefixed 请求错误 (request error) and 应用初始化失败 (application initialization failed) appear to be debugging messages left in the website’s JavaScript code and faithfully printed into Firefox’s usually-hidden console log.

But if the web page detects that you are using a mobile browser, the scam proper appears:

[Screenshot]

Note above how the criminals have remembered to spell the word centre correctly for British users, but have forgotten to use the British date format of DD/MM/YYYY, putting the month first instead.

Although scammers don’t always make give-away blunders of this sort, take care to look out for them yourself.

It’s bad enough to be scammed at all, but it’s even more distressing to be scammed and then realize that the warning signs were there all along, and that just a few seconds of extra attention could have kept you safe.

Next, you’re asked to fill in your personal data, notably including your delivery address, given that an incomplete address was the reason presented by the criminals to lure you into the scam at the start:

[Screenshot]

Then comes a pay page asking for a modest payment of just 41 pence (£0.41, about 55 US cents), which may sound like an unimportant amount to risk in a possibly fraudulent transaction.

Of course, the criminals aren’t after 41p.

They’re after your card or bank account details to abuse or to sell on for more serious fraud later on:

[Screenshot]

To create a believable end-game for the fake payment process, and presumably in the hope of luring you into handing over a second lot of card data as well, the criminals use a common ruse of simply stating that the payment failed:

[Screenshot]

After a second failed “transaction,” or after a short while on the page shown above, the site quietly redirects you to Evri’s real web page after erasing your browser history, thus neutralizing the [Back] button.

As a result, even if you later become suspicious, you can’t retrace your steps to see where you were, or to take screenshots to report the site as fraudulent:

[Screenshot]

Stealing item-by-item

These scammers use interactive browser programming tricks to upload the data you enter into each field as you go along, rather than merely when you click the explicit [Continue] or [Submit] buttons on each of their fake pages.

This means that even if you realize you’re being scammed half-way through and bail out, they’ll still have a partial capture of your data, for example by getting hold of your card number and expiry date but not your secret CVV code.

Clearly, it’s better to bail out from a scam site even if you have already given away some secrets than to plough on and reveal everything, but this is a good reminder of why not getting lured in at all is the best defense.

The crooks in this case are using the open-source website development tool Vue.js, which means their scam is essentially implemented as a JavaScript “software machine” that generates the content and manages the interactions in the background.

If you are interested in a plain-English explainer that shows just how easy it is to implement a website that keeps track of your browsing in real time, down to every individual keystroke (even [Backspace], in case you edit some of the characters in the password you’re entering), you should definitely read our article Phishing protection: Is it ever safe just to take a look?

[Screenshot]

One visit is your limit

Additionally, once you’ve completed one cycle through those fraudulent pages, and handed over at least one batch of payment card data, the server records your internet address so that it can detect if you visit the site again, even if you clear any identifying cookies from your browser.

If you return later on, for example to take a second look at the site with a view to reporting it, the abovementioned URL /open/visitors/info/createOrGetUserInfo will detect that you’ve already been hit up once, and will return a 404 Not Found error to throw you off the scent:

[Screenshot]

Presumably, this is the criminals’ attempt to invite you to believe that the site has already been taken down, or has stopped operating, thus leaving you feeling that there’s no need to report it as fraudulent.

Of course, even if you do now report it via one of the numerous online fraud reporting services, there’s no longer much in the way of immediate evidence that you can copy and paste into a report, such as screenshots or smoking-gun text from the offending pages.

By the way, we reported this smishing site via the Firefox browser’s abuse reporting service directly from the Help > Report deceptive site item in the browser menu.

Firefox, and presumably other browsers, started blocking it with a warning page within about 24 hours:

[Screenshot]

You can also use Google’s Report Phishing Page (the data goes into the same feed as the Firefox reports) at https://safebrowsing.google.com/safebrowsing/report_phish/.

In Microsoft Edge, use Help and feedback > Report unsafe site from the Edge menu.

What to do?

  • If in doubt, don’t give it out. Whether it’s a voice call, an instant message or a friendly post in an online forum, don’t let yourself be talked into handing over personal data just because someone is flattering, cajoling, threatening, or pressurizing you.
  • Go beyond the advice that “if it looks phishy, it probably is.” A simpler and stronger rule is that if it LOOKS phishy, it IS phishy. Criminals love using short and simple messages such as saying that you missed a home delivery. That’s because many of us use services of this sort regularly enough that coincidence alone is enough to make us drop our guard.
  • Build a strong, human-centric security culture. This means cybercriminality of any sort is more likely to be spotted and reported. Signing up with SolCyber will actively help you to do this.
  • Avoid using contact details provided by the sender of a message. Get together a reliable list of important web addresses and phone numbers, such as from printed account statements, original contract documents, or the back of your credit card.
  • Stop, think, and check carefully whenever you are asked for an MFA code. Better to have a failed legitimate login attempt than to let a valid one-time code leak to someone else. Never send or tell an MFA code to anyone else, no matter how convincing they sound.
  • Add an extra layer of security to your mobile devices, which are typically protected only by basic MDM (mobile device management) tools. Signing up for SolCyber Mobile Protection brings your mobile threat response to a new level, including blocking phishing attempts and messaging scams that specifically target phone users.
  • Prevention is better than cure. Sign up with SolCyber for proactive threat detection and prevention so you don’t have to try to build a 24/7 SOC of your own.

For more information about the numerous other forms that phishing scams take, head back to Part 1 for some excellent advice on how to spot them and avoid them!




More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!


Featured image of crocodile by Shelly Collins via Unsplash.
