Most businesses and individuals are familiar with phishing, an attack technique in which cybercriminals use fraudulent emails to manipulate recipients into sharing sensitive information, clicking malicious links or opening malicious attachments. Although these email-based scams remain an acute problem, a related form of phishing, known as smishing or SMS phishing, has grown over the years, creating additional cyber exposures for both businesses and individuals.
Smishing, or SMS phishing, relies on the same tactics as phishing. The main difference between the two techniques is that smishing targets victims via text messages rather than emails. As a growing number of individuals use their smartphones for both personal and work-related purposes (eg interacting with colleagues and customers through mobile applications), smishing has become an increasing threat. Recent research has found that nearly three-quarters (74%) of organizations experienced smishing incidents in the past year, while only 23% of the workforce recognized the term.
With these numbers in mind, companies clearly need to address their smishing exposure. The following article provides an overview of smishing, or SMS phishing, and offers best practices for companies to protect themselves against this growing attack technique.
What is Smishing or SMS Phishing?
Smishing follows the same pattern as phishing and uses misleading messages to manipulate recipients. These messages are usually sent by SMS, but can also be delivered through mobile messaging applications (eg WhatsApp). In these messages, cybercriminals use a wide range of strategies to get targets to share information or infect their devices with malware. Typically, they pose as a trusted or reputable source and urge the recipient to reply with confidential information, download a malicious application or tap a malicious link. Here are some examples of common smishing messages:
- A message claiming to be from a financial institution, stating that the recipient’s bank account is locked or showing suspicious activity and asking them to click a malicious link to resolve the problem
- A message claiming to be from a well-known retailer (such as Amazon, Target or Walmart) that encourages the recipient to download a malicious application to claim a gift card or similar prize
- A message claiming to be from a lawyer or law enforcement agency, stating that the recipient is facing legal problems or criminal charges and urging them to call an unknown number for more information
- A message pretending to be from a government agency, asking the recipient to click a suspicious link for information about their taxes or eligibility for a federal loan program
- A message claiming to be from a research organization, asking the recipient to download a malicious program in order to complete a survey
- A message pretending to be from a delivery service, telling the recipient that a package is on its way and providing a fraudulent link to track it
Example of a smishing text message regarding an Amazon delivery.
If a recipient is tricked into doing what a smishing message asks, they may unknowingly install malicious software or reveal sensitive information, such as login credentials, debit and credit card numbers or social security numbers. Cybercriminals can then use what they have obtained for a range of purposes, such as taking over accounts, opening new accounts, stealing money or retrieving additional data. Because individuals use their smartphones for work-related tasks, smishing can affect companies as well. For example, an employee who falls for a smishing scam may inadvertently hand a cybercriminal their workplace credentials, allowing the criminal to collect confidential information from the victim’s employer and even steal business funds.
The nature of smishing makes this attack technique a significant threat. Individuals are usually less careful when communicating on their smartphones than on their computers, and often carry on several text conversations at once (sometimes while distracted or in a hurry). Research from Experian found that individuals between the ages of 18 and 24 exchange about 4,000 texts each month. Given these findings, individuals may pay less attention to a text message from an unknown number than to an email, making them more likely to interact with a malicious text.
In addition, many individuals mistakenly assume that their smartphones have more advanced security features than computers and will protect them from malicious messages. But smartphone security has its limits. Carrier and on-device spam filtering catch some messages, but none of it stops a user from tapping a link in a message that gets through, so every smartphone user is exposed. This is why it is important for companies to take action to protect themselves from smishing.
How to protect yourself from smishing or SMS phishing
To effectively minimize exposure to smishing and prevent related cyberattacks, companies should:
- Carry out employee training—First, companies should educate employees about what smishing is and how it can affect them. Employees should also take part in routine training on detecting and preventing smishing. This training should instruct employees to:
- Look for signs of smishing in their text messages (eg a generic greeting instead of their name, boilerplate phrasing, urgent or threatening requests, and links to unfamiliar or shortened URLs)
- Refrain from interacting with or replying to messages from unknown numbers or suspicious senders
- Avoid clicking on links or downloading programs contained in messages
- Never share sensitive information via text
- Use a trusted contact method (eg call the company’s official phone number from its website or the back of a card, never a number given in the text) to verify any request sent via text
- Report any suspicious messages to appropriate parties, such as a supervisor or IT department
- Ensure adequate bring-your-own-device (BYOD) procedures—In addition to providing smishing training, companies should establish solid BYOD procedures so that employees act appropriately when using their personal smartphones for work-related purposes. Such procedures may include avoiding untrusted Wi-Fi networks, enabling multi-factor authentication on work accounts, applying device updates promptly and logging out of work accounts after each use. These measures can help deter smishing attempts and limit the damage when an incident does occur.
- Implement access controls—Another way to limit smishing exposure is through access controls. By allowing employees access only to the information they need to perform their tasks, companies reduce what a cybercriminal can reach or steal if an employee’s credentials are compromised in a smishing incident. To further protect their information, companies should consider encrypting sensitive data and maintaining secure, tested backups of critical data.
- Use appropriate security software—Companies should also ensure that company-owned smartphones are equipped with adequate security software. In some cases, this software can stop smishing messages from reaching recipients’ devices or render malicious links and applications ineffective. In particular, smartphones should have anti-malware software, spam detection and message blocking tools. The security software should be kept up to date so that it remains effective.
- Buy adequate coverage—Finally, it is important for companies to secure proper cyber insurance to protect against potential losses from smishing incidents. Companies should contact their trusted insurance professionals to discuss their specific coverage needs.
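As an added example (not from the article or from any product it mentions), the following Python script scores text messages against the indicators listed above: a generic greeting, urgent wording, requests for credentials, links, link shorteners, raw IP addresses, and a brand name paired with a link outside that brand’s domains. The sample messages, brand allowlist, keyword lists and thresholds are all constructed assumptions; a real deployment would tune them against messages employees actually report.

```python
"""Heuristic triage of text messages against common smishing indicators.

Everything here is a constructed illustration: the sample messages, brand
allowlist, keyword lists and thresholds are assumptions, not data from the
article or from any vendor's filtering product.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist: the real domains of brands that smishing commonly imitates.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "irs": {"irs.gov"},
}
# Link shorteners hide the true destination (assumed, incomplete set).
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

URGENCY = re.compile(
    r"\b(immediately|urgent|within 24 hours|suspended|locked|final notice|"
    r"act now|verify now)\b", re.I)
GENERIC_GREETING = re.compile(r"^(dear (customer|user|member)|hello|hi)\b", re.I)
CREDENTIAL_ASK = re.compile(
    r"\b(password|pin|ssn|social security|card number|cvv|one[- ]time code)\b", re.I)
# Full URLs, plus bare domains such as "bit.ly/abc" that SMS lures often use.
URL_RE = re.compile(
    r"https?://[^\s<>]+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_hosts(text):
    """Return the lower-cased hostname of every link found in the message."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = match.group(0).rstrip(".,;:!?)")
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw  # urlparse needs a scheme to find the host
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def on_allowlist(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def score_sms(text):
    """Score one message. Returns (verdict, score, reasons)."""
    score, reasons = 0, []
    lowered = text.lower()
    if URGENCY.search(text):
        score += 2
        reasons.append("urgent or threatening language")
    if GENERIC_GREETING.match(text.strip()):
        score += 1
        reasons.append("generic greeting")
    if CREDENTIAL_ASK.search(text):
        score += 3
        reasons.append("asks for credentials or personal data")
    hosts = extract_hosts(text)
    if hosts:
        score += 1
        reasons.append("contains a link")
    for host in hosts:
        if host in URL_SHORTENERS:
            score += 2
            reasons.append(f"shortened link ({host})")
        if IPV4.fullmatch(host):
            score += 3
            reasons.append(f"link to a raw IP address ({host})")
    # Brand impersonation: the message names a brand but links outside its domains.
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", lowered):
            for host in hosts:
                if not on_allowlist(host, domains):
                    score += 3
                    reasons.append(f"mentions {brand} but links to {host}")
    verdict = "block" if score >= 6 else "review" if score >= 3 else "allow"
    return verdict, score, reasons


# Constructed sample messages (not real lures); the hostnames are invented.
SAMPLES = [
    "Amazon: your package could not be delivered. Update your address within "
    "24 hours: http://amazon-delivery-update.top/track",
    "Dear customer, your bank account has been locked. Verify now at "
    "bit.ly/3xZz and confirm your PIN.",
    "Your Amazon order #123-4567 has shipped. Track it at "
    "https://www.amazon.com/orders",
    "IRS: you are eligible for a federal relief payment. Claim it at "
    "https://irs-refund-claim.info/claim",
    "USPS: a redelivery fee of $1.99 is due. Pay it at http://203.0.113.7/usps",
]

if __name__ == "__main__":
    for text in SAMPLES:
        verdict, score, reasons = score_sms(text)
        print(f"{verdict:6} score={score:<2} {text[:45]!r}")
        for reason in reasons:
            print(f"         - {reason}")
```

The brand check is the part worth copying: a lure that names Amazon or the IRS but links to a domain the brand does not own is flagged even when the wording is polite and unhurried, which is exactly the case keyword lists miss. Keyword heuristics are easy to evade, so treat this as a triage aid for messages employees report, not as a substitute for the filtering and blocking tools described above, and add sender reputation (short code versus unknown number) in a real deployment.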
We can help.
In conclusion, smishing is a serious cyber threat that neither individuals nor companies can afford to ignore. By being aware of smishing tactics and implementing solid mitigation measures, companies can protect themselves against this growing attack technique, deter cybercriminals and minimize the losses associated with it.
If you want additional information and resources, we are here to help you analyze your needs and choose the right coverage to protect your business from unnecessary risk. You can download a free copy of our e-book, or, if you are ready to make Cyber Liability Insurance part of your insurance portfolio, request a proposal or download and get started with our Cyber & Data Breach Insurance Application and we will work for you.