Social engineering has evolved in recent years into one of the most dangerous cyber threats facing companies today. A well-crafted impersonation of a trusted contact or authority figure can easily trick the target into giving away sensitive data or login credentials, or into wiring money to accounts controlled by criminals.
We have also seen criminals evolve their tactics over the last couple of years to create even more cunning approaches that exploit knowledge about their target’s personal lives. The blurred line between professional and personal security is readily apparent in the increasing popularity of SMiShing attacks.
SMiShing (SMS phishing) uses the same tricks commonly seen in ordinary phishing, but delivers them by SMS text message rather than email, and it is often combined with other attacks. With the number of incidents growing, organisations need to be aware of the risks of SMiShing and start taking action to protect their employees.
SMiShing on the rise
The rising number of high-profile SMiShing campaigns saw mobile provider Three UK publish a guide to help customers spot messages from fraudsters after the company identified a significant increase in sophisticated attacks.
A particularly prominent campaign emerged earlier this year in Australia, with scammers targeting young men in the guise of a single girl and directing them to a fake dating site designed to harvest their data.
We also saw a significant upsurge in SMiShing attacks in the UK after the data breach suffered by TSB bank in April. This attack was notable because the criminals started with a wave of phishing emails impersonating the bank, and then followed up with an SMS message to those who fell for the email and entered their details.
Combining two channels in this way is an effective way for criminals to establish a sense of legitimacy: people more readily assume contact is genuine when it arrives through several channels, which is exactly what they expect from a real bank.
The most high-profile campaigns tend to be those targeting consumers for their private data, as these are more often reported to authorities and covered in the press. However, SMiShing is also a powerful technique for spear phishing an organization.
Impersonating a trusted authority figure over text can trick targets into sidestepping their security concerns and giving up information. Attackers can even impersonate automated security functions such as 2FA prompts, asking the recipient to reply with a one-time code or to "confirm" a login, and so harvest credentials from workers who believe they are being security conscious.
Can SMiShing be stopped?
Preventing SMiShing attacks is a difficult challenge from a technical standpoint. Malicious texts are much harder to identify and block automatically than phishing emails, and an organisation has little control over the messages arriving on an employee's personal mobile, and only marginally more over a company-issued one. Mobile Device Management (MDM) solutions enforce company policy on a device, but they do not filter malicious SMS texts or phishing emails, and on their own they do not stop a user from following a link to a malicious website.
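Where an organisation does get visibility of texts, typically when employees or customers forward suspicious messages to a reporting address, simple heuristics can still triage them. The script below is an added example, not code from the original article or from any vendor mentioned in it: it scores constructed sample messages on lookalike domains for protected brands, link shorteners, urgency language and requests for a one-time code (the fake-2FA pattern). The brand list, domains and sample texts are assumptions made for the example. It also illustrates the limit the paragraph above describes: a bare shortened link with no brand or pressure phrase scores low, so heuristics of this kind supplement awareness rather than replace it.

```python
"""Heuristic triage of reported SMS messages (added example, not from the original article)."""
import re
from urllib.parse import urlparse

# Brands this organisation protects, mapped to their genuine domains (assumed values).
PROTECTED_BRANDS = {"tsb": "tsb.co.uk", "three": "three.co.uk"}
# Public link shorteners that hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
# Pressure phrases typical of phishing lures.
URGENCY = ("suspended", "locked", "immediately", "within 24 hours", "verify now", "unusual activity")
# Matches URLs with a scheme, and bare domains such as "tsb-login.com/verify".
URL_RE = re.compile(r"https?://\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?", re.I)
# Matches requests to hand over a one-time code (the fake-2FA pattern).
CODE_REQUEST = re.compile(r"\b(?:reply|send|enter|forward)\b.*?\b(?:code|otp|passcode)\b", re.I)


def extract_hosts(text):
    """Return the lowercased hostnames of every URL-like token in the message."""
    hosts = []
    for token in URL_RE.findall(text):
        url = token if token.lower().startswith("http") else "http://" + token
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_lookalike(host, brand, legit_domain):
    """True when the host contains the brand name but is not the brand's real domain or a subdomain of it."""
    if host == legit_domain or host.endswith("." + legit_domain):
        return False
    # Strip dots and hyphens so "tsb-secure.verify.com" is compared as "tsbsecureverifycom".
    # A short brand string can match unrelated hosts, so this is a hint, not a verdict.
    return brand in re.sub(r"[.-]", "", host)


def score_sms(text):
    """Return (score, reasons); each reason is one heuristic that fired."""
    reasons = []
    lowered = text.lower()
    for host in extract_hosts(text):
        if host in SHORTENERS:
            reasons.append(f"shortened link: {host}")
        for brand, legit in PROTECTED_BRANDS.items():
            if is_lookalike(host, brand, legit):
                reasons.append(f"lookalike domain for {brand}: {host}")
    if any(phrase in lowered for phrase in URGENCY):
        reasons.append("urgency language")
    if CODE_REQUEST.search(text):
        reasons.append("asks for a one-time code")
    return len(reasons), reasons


# Constructed sample messages for the example; not real reports.
SAMPLES = {
    "bank_lookalike": "TSB: unusual activity detected. Verify your account immediately at https://tsb-secure-verify.com/login",
    "genuine_bill": "Your Three bill is ready. View it at https://www.three.co.uk/account",
    "fake_2fa": "IT Helpdesk: we sent a 2FA code to this phone. Reply with the code within 24 hours or your VPN access will be locked.",
    "bare_shortener": "Hi, photos from last night: http://bit.ly/3xAmpLe",
}


def triage(messages, threshold=2):
    """Map each message name to a verdict: 'flag' at or above the threshold, else 'review' if anything fired, else 'pass'."""
    verdicts = {}
    for name, text in messages.items():
        score, _ = score_sms(text)
        verdicts[name] = "flag" if score >= threshold else ("review" if score else "pass")
    return verdicts


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        score, reasons = score_sms(text)
        print(f"{name}: score={score} {reasons}")
    print(triage(SAMPLES))
```

Running it flags the bank lookalike and the fake-2FA request, passes the genuine bill, and leaves the bare shortener at "review": the destination of a shortened link is invisible to the text alone, which is one concrete reason SMS is harder to filter than email.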
However, organisations can make a difference by raising awareness of the threat of SMiShing among their customers and employees. Employees need to understand the methods cyber-criminals use to target people, and they benefit from seeing what an attack looks like in a controlled setting before a real malicious event occurs.
Companies can publish guides like the one from Three UK to offer advice, and also contact customers to inform them more directly and provide options for reporting suspected scams.
For employees, organisations should seriously consider raising awareness with a simulated SMiShing campaign. Nobody likes being caught out, even in a harmless simulation, and that is exactly what drives the lesson home: the staff member can be given immediate feedback, an "instant awareness moment", that aids knowledge retention.
Unfortunately, the increased volume and sophistication of SMiShing attacks we have seen over the last year are likely to be only the tip of the iceberg, and we can expect criminals to keep refining their techniques over the coming months to take advantage of unsuspecting victims.