Email phishing dominates the headlines, but it is not the only way cybercriminals break into organization systems and steal business data. Smishing (SMS phishing) is a form of phishing that targets mobile devices through deceptive text messages.
Smishing attacks are not new, and they remain less frequent than email phishing, but they are no less harmful.
A smishing campaign sends fake text messages that either carry a malicious link or directly ask the recipient for personal information, credentials or money.
The growing use of mobile devices in corporate environments, often the same phone for personal and work accounts, makes smishing an increasingly attractive technique for cybercriminals.
Why Smishing is Becoming Popular
Smishing is becoming a favorite of cybercriminal groups because it offers several advantages over email.
SMS carries no sender authentication: the sender ID shown on the phone can be set to an arbitrary phone number or alphanumeric name, so a message can be made to appear to come from a bank, a vendor or a colleague and gain instant credibility.
The small screen on a mobile device makes it hard to inspect a link before tapping it; the full URL is usually truncated or hidden behind a preview.
According to MobileMarketer, the open rate for text messages is about 98%, far higher than email. Users also respond more quickly to texts because of a long-developed habit of receiving important updates (delivery notices, one-time codes, appointment reminders) via SMS.
Shortened links are common in text messages, even those sent by legitimate brands, so a shortened malicious link does not look out of place. Attackers take advantage of this to hide the real destination from the victim.
How Smishing Works
SMS phishing works much like email phishing. A message is sent to lure the target into tapping a link, replying with private data, or sending money. The data requested may include online account credentials, personal details usable for identity theft, and financial information such as card numbers. Links in a phishing SMS typically lead to a credential-harvesting website or to a malware download that compromises the phone and steals data from it.
Smishing campaigns are usually run with bulk SMS gateways or automated tools that set a spoofed sender ID and send messages at scale. Attackers also use VoIP numbers that are difficult to trace back to the real sender.
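To make the indicators above concrete, here is a small triage script, added as an example and not part of the original article or any vendor product. It scores reported text messages on the signals just described: shortened or look-alike links, spoofable alphanumeric sender IDs, urgency language, and requests for verification codes, passwords or payment. The brand allow-list, the weights, the level thresholds and the sample messages are all constructed assumptions for illustration.

```python
"""Heuristic triage for reported SMS messages (added example, not from the article).

Scores each text on the smishing indicators the article describes: shortened
or look-alike links, spoofable alphanumeric sender IDs, urgency language, and
requests for verification codes, passwords or payment. Thresholds and the
brand allow-list are illustrative assumptions, not vendor data.
"""
import re
from urllib.parse import urlparse

# Public URL shorteners commonly used to hide a link's real destination.
SHORTENER_DOMAINS = {
    "bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd",
    "buff.ly", "cutt.ly", "rebrand.ly", "tiny.cc",
}

# Hypothetical allow-list: brand token -> legitimate registrable domains.
# A host that names the brand but sits under another domain is a look-alike.
BRAND_DOMAINS = {
    "irs": ("irs.gov",),
    "amazon": ("amazon.com",),
    "chase": ("chase.com",),
    "google": ("google.com",),
}

URL = re.compile(r"https?://[^\s<>\"]+", re.I)
URGENCY = re.compile(
    r"\b(locked|suspended|final notice|immediately|urgent|act now|"
    r"within \d+ hours?|avoid (?:arrest|suspension|penalt\w*))\b", re.I)
CODE_REQUEST = re.compile(
    r"\b(?:reply with|send|enter|confirm|provide)\b.{0,40}"
    r"\b(?:code|password|pin|ssn|otp)\b", re.I)
PAYMENT_REQUEST = re.compile(r"\b(?:pay|payment|gift card|wire|transfer|refund)\b", re.I)


def _registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the sample domains here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_signals(text: str) -> list[tuple[str, int]]:
    """Signals derived from every URL in the message, with a weight each."""
    found = []
    for raw in URL.findall(text):
        host = (urlparse(raw).hostname or "").lower()
        reg = _registrable(host)
        if reg in SHORTENER_DOMAINS:
            found.append((f"shortened link ({reg})", 1))
        if raw.lower().startswith("http://"):
            found.append(("plaintext http link", 1))
        tokens = set(re.split(r"[^a-z0-9]+", host))
        for brand, legit in BRAND_DOMAINS.items():
            if brand in tokens and reg not in legit:
                found.append((f"look-alike domain for {brand}: {host}", 2))
    return found


def sender_signals(sender: str) -> list[tuple[str, int]]:
    """Alphanumeric sender IDs are unauthenticated; anyone can send as 'Chase'."""
    if re.fullmatch(r"\+?\d{5,15}", sender.strip()):
        return []
    return [(f"alphanumeric sender ID '{sender}' (spoofable)", 1)]


def score_message(sender: str, text: str) -> dict:
    """Return score, level and the human-readable signals for one SMS."""
    signals = link_signals(text) + sender_signals(sender)
    if URGENCY.search(text):
        signals.append(("urgency or threat language", 1))
    if CODE_REQUEST.search(text):
        signals.append(("asks for a code, password or PIN", 2))
    if PAYMENT_REQUEST.search(text):
        signals.append(("asks for payment", 1))
    score = sum(w for _, w in signals)
    # A lone alphanumeric sender is normal for transactional SMS; escalate only
    # when it combines with other indicators.
    level = "high" if score >= 3 else "medium" if score == 2 else "low"
    return {"sender": sender, "score": score, "level": level,
            "signals": [label for label, _ in signals]}


# Constructed sample messages, as staff might forward them to a reporting mailbox.
SAMPLE_MESSAGES = [
    ("Chase", "Your account is locked. Verify now: https://bit.ly/3xAmple"),
    ("+15551234567", "Hi, running late, see you at 3"),
    ("IRS", "Final notice: unpaid tax debt. Pay today to avoid arrest "
            "http://irs-payments.example.com/pay"),
    ("Google", "We will send a verification code shortly. "
               "Reply with the code to confirm your identity."),
    ("Amazon", "Your order #44819 has shipped. Track it at "
               "https://www.amazon.com/progress-tracker/package"),
]


def triage(messages: list[tuple[str, str]]) -> list[dict]:
    """Score a batch of (sender, text) pairs."""
    return [score_message(sender, text) for sender, text in messages]


if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        print(f"[{result['level']:>6}] {result['sender']:<14} score={result['score']} "
              f"{'; '.join(result['signals']) or 'no indicators'}")
```

Note that the legitimate Amazon shipping notice scores low even though it uses an alphanumeric sender, while the message asking the victim to reply with a verification code scores high with no link at all; the strongest smishing signal is the request itself, not the presence of a URL. The registrable-domain check is deliberately crude and would need a public-suffix list in production.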
Examples of Smishing Attacks
> Fake Technical Support Message
This pretext is used to take over a victim's online accounts. For example, the attacker calls or texts the victim claiming to be Gmail support and warns that a security verification code is about to arrive by SMS.
The attacker then starts a password reset on the victim's account, which causes the real service to send a recovery code to the victim's registered recovery phone number. When the victim reads that code back to the "support agent", the attacker uses it to reset the password and take over the account.
> Fake IRS message
The attacker pretends to be an agent with the IRS and threatens a person or business with ruinous consequences if they fail to pay an alleged tax debt. Victims often part with money out of fear.
> Fake Customer Care Message
Here, attackers impersonate customer care agents of well-known brands. They use this pretext to fool victims into handing over personal information or even transferring money to the attackers.
> Fake Invoice SMS
Cybercriminals send an SMS that appears to come from a reputable brand about an order the victim supposedly placed. They use it to extract money from victims under the guise of cancelling the order, or to request the victim's personal and financial details in order to hijack their account with the real retailer.
> Fake Covid-19 Contact Tracing Message
In this case, attackers ask victims to download a malicious app or visit a fake site for a Covid-19 contact tracing procedure, claiming they were recently in contact with a Coronavirus-positive person.
Protecting Your Business Against Smishing Attack
Smishing is not a new attack but its relative obscurity makes it more dangerous because it is often unexpected by victims.
Smishing should be covered in regular security awareness training so that employees understand the common techniques, recognise typical phishing text messages, and know how such messages threaten business operations.
Smishing attempts should be reported promptly so that the security team can spot patterns (a recurring sender ID, link domain or pretext) and warn the rest of the organisation.
In addition, personal and work telephone numbers should not be posted publicly on online forums or blogs, and employees should not reply to a text whose origin they cannot verify; replying confirms that the number is live.
Because SMS has no built-in filtering and traditional desktop anti-malware software does not inspect text messages, businesses should deploy mobile security tools that can protect mobile devices against smishing and similar threats, in addition to conducting regular and sufficient security awareness training.
Don’t leave your business vulnerable to smishing attacks, get in touch with SDTEK to discuss your mobile security protection solutions.