SMiShing is a form of phishing attack where hackers target personal data and credentials through the messaging interface on a mobile phone. Similar in intention to traditional phishing scams, it’s well worth taking a crash course in what SMiShing is and how it could impact your customers. Lucky for you – we’re offering free crash courses right here, right now!
So, what is SMiShing and why does it work?
Phishing and SMiShing have more in common than just the fact that they are both funny words. They are both kinds of social engineering attack, where bad actors attempt to trick users into offering up their data on a silver platter. They work because they use common platforms where users feel comfortable, and often rely on coincidental context. For example, if an email tells you that your flight is delayed, and you should click and reconfirm your details – this will have a much higher success rate if the victim happens to be taking a flight in the near future.
While email phishing is still a top threat for your customers, attackers recognize that clicking on unsafe email links has become red flag numero uno in most employees’ lesson plans. Unfortunately, many people don’t consider clicking on a link from a text message to be unsafe. In fact, the stats from Gartner show that text messages are much more likely to be opened and replied to than email. An SMS message on average has a 98% open rate and a 45% reply rate. If we compare this to email, the open rate is just 20%, and the reply rate is as low as 6%! It’s easy to see why attackers are increasingly leaning on mobile-based attacks.
How does SMiShing work?
When users receive a SMiShing text, it may ask them to complete any of several tasks, depending on the intention of the hacker. They might be directed to click on a malicious link, make a phone call or send an email. In the latter two cases, the attack continues on the new channel. If a link is used, it could lead them to a fake site where they are prompted to enter sensitive data, or the act of clicking on the link could be enough to download mobile malware, keylogging software, or spam.
Are SMiShing attacks a large concern?
In many ways, SMiShing is even more dangerous than email phishing, because a lot of the best practices we teach around being careful of unsafe links are tough to complete on a mobile phone. For example, with email phishing one of the best practices is to check the URL, but on mobile phones the browser often truncates or hides part of the URL, making it difficult to view it in full.
In addition, while mobile phones are usually private devices, today’s remote working reality means that users regularly use their phones to check in on work matters, especially through cloud collaboration tools that can be accessed from any device. If attackers can use a SMiShing attack to inject malware or keylogging software onto a user’s device, they can then access sensitive work-related information and credentials, potentially allowing them to establish access to the network as a whole.
The more that individuals get used to completing tasks like making purchases, paying bills, or even communicating with legitimate vendors via their mobile phone – the greater the risk of SMiShing will be.
What can I do about SMiShing?
Looking for some best practices to give your clients and their own end-customers to lessen the risk of phishing, SMiShing, and even Vishing (voice phishing) scams?
Here are some top tips:
Beware of scare tactics:
Most of these kinds of social engineering attacks use fear to try to get the recipient to respond irrationally. If you’ve ever seen a text message scam which says something like “Act now before your account is closed” or “we’ve been trying to contact you, this is your final warning before you are charged”, you’ll know what we mean! If a message strikes fear into you on reading – stop, and consider the source more carefully.
Research mobile device management:
Mobile device management allows MSPs and other IT service technicians to get more visibility over the activity that’s happening on mobile phones and tablets. Smart solutions can include application and browser security, and flag alerts when a link or a message appears suspicious. This can act as an extra line of defense, and can provide valuable peace of mind to a business.
Contact businesses directly:
If you think a message is legitimately coming from one of your vendors, whether that’s your bank, phone company, or any other – go to the source. Use the listed number of the business to get in touch and verify the communication, or enter the name of the company into Google and go to their website yourself to open a ticket or a request. If the communication is legitimate, they will have all the details on a centralized system. Better to be safe than sorry.
Delete before clicking:
There’s no such thing as “just checking” to see if a link or a message is safe. If you can see that something is unusual about any correspondence, whether that’s email, text message, voice call, or smoke signal… end the chat. Put down the phone, delete the SMS, click block and report on the email, and extinguish the campfire. Curiosity didn’t work out so well for that cat, and it turns out it’s not great for business security either.
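Two of the points above, fear-based wording and links whose real domain is hidden once a mobile browser truncates the URL, can be turned into a simple triage check. The following is an added example written for this article, not a tool from the original post; the phrase list, the two-label domain rule, the 30-character display width and the sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Phrases taken from the scare-tactic tip above plus a few variants (constructed list).
URGENCY_PHRASES = (
    "act now", "final warning", "account is closed", "account will be closed",
    "trying to contact you", "you will be charged", "verify immediately",
)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'example.net'.
    Assumption: a naive two-label rule; a real deployment should use the
    Public Suffix List so that names like 'example.co.uk' are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def displayed_prefix(url: str, width: int = 30) -> str:
    """Simplified model of a narrow address bar: the scheme is dropped and the
    rest is cut at `width` characters (assumed width, not a real browser value)."""
    bare = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    return bare[:width]


def triage_sms(text: str, width: int = 30) -> dict:
    """Score one SMS for the indicators the article describes: fear-based
    wording, links whose real domain is not visible in the truncated display,
    and links that point at a bare IP address."""
    reasons = []
    lowered = text.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            reasons.append(f"urgency phrase: '{phrase}'")
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")          # drop trailing sentence punctuation
        host = urlparse(url).hostname or ""
        real = registrable_domain(host)
        if real not in displayed_prefix(url, width):
            reasons.append(f"link shows '{displayed_prefix(url, width)}...' but goes to {real}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append(f"link uses a bare IP address: {host}")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages, not real traffic.
SAMPLES = [
    "FINAL WARNING: your account is closed unless you verify at "
    "https://secure.examplebank.com.account-verify.example.net/login",
    "Your parcel is ready for pickup at the depot, see https://example.com/track",
]
```

Running `triage_sms` over the first sample flags both the wording and the fact that the first 30 characters of the link read like an examplebank.com address while the registrable domain is example.net; the second sample produces no reasons.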
Want to understand more about the psychology behind different kinds of social engineering attacks? Learn about the most common themes, and why they work – right here.