Smishing: What it is and How to Guard Against it
While threats from cybercriminals are nothing new, the rapid rise in mobile and remote work since the start of 2020 has put organizations around the globe at increased risk. One threat that has moved to the forefront is smishing: phishing delivered over text message.
What is Smishing?
Business organizations around the globe are all too familiar with phishing, a tactic scammers use to extract sensitive information, such as passwords, credit card numbers, and even social insurance numbers, from unsuspecting individuals. In 2019 it was estimated that more than 90 percent of global institutions were targeted by phishing schemes, and some of the world's leading organizations, such as JP Morgan Chase and Sony Pictures, and even operators of the United States power grid, have been victimized by cybercriminals over the years.
With phishing, scammers send emails that appear to be legitimate, with the intention of luring victims into clicking links embedded in the messages and entering sensitive details, such as user names, passwords, and other personal information. Once that information is compromised, the scammers can use it for nefarious purposes. With smishing, the premise is the same, but the channel is different: instead of emails, the scammers send mobile phone text messages that appear to come from reputable sources, asking recipients to click a link or reply with sensitive data. The term "smishing" is short for "SMS phishing" (SMS being the short message service that carries text messages).
How Does Smishing Work?
The basics of a smishing attack aren't complex; in fact, the attack is simple and straightforward. A cybercriminal needs only a few basic technologies: a way to send text messages in bulk, a sender number or name that looks plausible, and a web page that collects whatever the victim types in. Many campaigns are untargeted and are sent to as many numbers as possible; more targeted attacks layer on social engineering, tailoring the message to a specific person or organization.
An overview of a smishing attack is as follows:
- A cybercriminal sends an SMS text message from a spoofed or throwaway phone number, or from an alphanumeric sender name chosen to look like a legitimate company. Both the apparent sender and the message itself look genuine. In more elaborate attacks, the cybercriminal impersonates a well-known organization, such as a bank or a retailer, and copies its tone and branding.
- The text message is written to provoke a response. It may dangle an offer, such as a discounted rate for a service, or raise an alarm, such as a claim that a bank account has been locked or a password has been compromised, in order to entice the recipient to click the link embedded in the message. The link is frequently shortened or disguised so that the real destination is not obvious.
- If the recipient clicks the link, they are directed to a website that looks legitimate but is not. There, the victim is prompted to input sensitive information, or is told they must download something (a "browser update", for example) before they can proceed.
Those who are successfully victimized by smishing schemes can end up sharing sensitive information that they would not otherwise share, such as their credit card number, email log-in details, or social security number. They could also unknowingly download an update or something else that contains malware, thus giving the cybercriminal access to their device. The cybercriminal and those they are associated with can then use the compromised device to spy on the unsuspecting victim, steal sensitive information, or gain access to their accounts.
Examples of Smishing: What to Look For
Some of the most common examples of smishing include notifications from financial institutions, shipping updates, coupon and discount codes, and urgent warnings. If anyone associated with an organization receives text messages of this kind from phone numbers they do not recognize, particularly messages about money or accounts, they should be suspicious. Some of the top things to look out for in a text message that could indicate smishing include:
- An Amazon delivery alert from a different phone number than Amazon normally texts from. Bear in mind that sender numbers and names can be spoofed, so a familiar-looking sender is not proof that a message is genuine; a link to a domain the company does not own is the stronger signal.
- A delivery alert for packages that have not been ordered.
- Messages that include an urgent warning. For example, "Your personal information has been compromised. Act now to change your password."
- Notifications that promise discount or coupon codes in exchange for downloading something or submitting information.
- Messages that ask you to download or install something, such as an app or a "browser update".
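The indicators above can be turned into a simple triage check that an organization can run over messages employees forward to the help desk. The script below is an added example written for this article, not code from Outsource IT or from any vendor. It scores each message on the signals the list describes: urgency wording, requests to download or to reply with data, shortened or IP-literal links, a mentioned brand whose link points at a domain the brand does not own, and a sender that is not on the brand's known list. The brand domains, short codes and sample messages are all constructed placeholders; a real deployment would source the allow-lists from the brands and carriers involved.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"\']+', re.IGNORECASE)

# Indicator vocabularies (assumed; tune against your own message traffic).
URGENCY_PHRASES = ("act now", "immediately", "urgent", "suspended", "locked",
                   "verify your", "within 24 hours", "compromised")
DOWNLOAD_PHRASES = ("download", "install", "update your browser")
DATA_REQUEST_PHRASES = ("reply with", "confirm your password", "enter your",
                        "social security", "card number")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}

# Hypothetical allow-lists: the registrable domains and sender IDs a brand
# actually uses. Sender IDs can be spoofed, so "known sender" only lowers
# suspicion; it never proves a message is genuine.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.ca"},
    "fedex": {"fedex.com"},
    "bank of example": {"bankofexample.com"},
}
BRAND_SENDERS = {
    "amazon": {"11111"},          # placeholder short code, not Amazon's real one
    "fedex": {"22222"},           # placeholder
    "bank of example": {"ExampleBank"},
}


def _host(url):
    """Extract the lower-cased host from a URL found in message text."""
    url = url.rstrip(".,;:)")             # strip sentence punctuation glued to the link
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def _matches_domain(host, allowed):
    """True if host is one of the allowed registrable domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def smishing_indicators(sender, text):
    """Return the ordered list of indicator names triggered by a single SMS."""
    lowered = text.lower()
    hosts = [_host(u) for u in URL_RE.findall(text)]
    found = []

    if any(p in lowered for p in URGENCY_PHRASES):
        found.append("urgency")
    if any(p in lowered for p in DOWNLOAD_PHRASES):
        found.append("asks_for_download")
    if any(p in lowered for p in DATA_REQUEST_PHRASES):
        found.append("asks_for_data")
    if any(h in SHORTENERS for h in hosts):
        found.append("url_shortener")
    # Legitimate brand notifications do not link to bare IP addresses.
    if any(re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", h) for h in hosts):
        found.append("ip_literal_url")

    for brand, domains in BRAND_DOMAINS.items():
        if brand in lowered:
            # A brand is named but the link goes somewhere the brand does not own.
            if hosts and not all(_matches_domain(h, domains) for h in hosts):
                found.append("brand_domain_mismatch")
            if sender not in BRAND_SENDERS.get(brand, set()):
                found.append("unknown_sender")
    return list(dict.fromkeys(found))     # de-duplicate, keep first-seen order


def classify(sender, text, threshold=2):
    """Label a message 'suspicious' when it trips at least `threshold` indicators."""
    indicators = smishing_indicators(sender, text)
    return ("suspicious" if len(indicators) >= threshold else "ok", indicators)


# Constructed sample messages for demonstration; none is real traffic.
SAMPLE_MESSAGES = [
    ("11111", "Amazon: your package has shipped. Track it at https://www.amazon.com/track/ABC123"),
    ("+15550001234", "Amazon: delivery failed. Verify your address within 24 hours: http://bit.ly/3xAmzn"),
    ("+15550009876", "Your Bank of Example account is locked. Act now: http://203.0.113.5/login"),
    ("+15550005555", "Hi, running 10 min late, see you at the cafe"),
]


def triage(messages=SAMPLE_MESSAGES):
    """Classify each (sender, text) pair and return the verdicts in order."""
    return [classify(sender, text) for sender, text in messages]


if __name__ == "__main__":
    for (sender, text), (verdict, indicators) in zip(SAMPLE_MESSAGES, triage()):
        print(f"{verdict:10} {sender:14} {indicators}  <- {text[:50]}")
```

Run as-is, the first and last sample messages come back "ok" and the two impersonation attempts come back "suspicious" with the indicators that fired. The check is a triage heuristic, not a filter: a message with a clean-looking sender and a well-registered lookalike domain will score low, which is exactly why the training in the next section still matters.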
How to Avoid Smishing Scams
There are a number of strategies business organizations can implement to protect themselves from smishing scams and the dangers that they pose. Here are some examples:
- Compulsory IT security training. Cybercriminals are well aware that a company's weakest link is usually not its network but the people who use it. Requiring mandatory IT security training that teaches staff members, clients, and anyone else associated with an organization what smishing attacks look like and how to avoid them is one of the most effective ways to prevent these attacks. For example, teach them not to reply to, or click links in, text messages from numbers they do not recognize, and to go to the company's website or app directly rather than through a link in a text.
- Multi-factor authentication (MFA). MFA requires two or more independent verification methods, such as a one-time code, a phone prompt, a hardware security key, or a biometric, before access to an organization's systems is granted, so a password captured by a smishing page is not enough on its own. Note that one-time codes sent by SMS can themselves be captured by the same fake page, so where possible use phishing-resistant methods such as FIDO2 security keys, and train staff never to share a code they receive by text.
- Multi-step backup and disaster recovery plans. With the ever-increasing threat of cyberattacks, including malware delivered through a smishing link, a backup and disaster recovery strategy is an absolute must. A single copy is not good enough; follow the "3-2-1" rule and keep three copies of every file: the original, an onsite backup, and an offsite backup that a compromised device cannot reach.
Prevention is Better than Cure
Smishing attacks are a real threat for business organizations, and they can have serious consequences. In order to safeguard a company from these cyber-threats, it’s vital that organizations put the safety measures suggested above in place, sooner rather than later.
Outsource IT can help in this regard. Whether it be phishing, smishing or any type of cyber threat, relying on our years of experience defending our clients against cyberattacks, we can formulate a strategy to help keep your business organization secure. Contact an Outsource IT account manager to learn more.