Cyber security is a concern for businesses and private individuals alike, and phishing, in all the many forms it may adopt, is on the rise in the UK. The Independent reports that up to 4.7 phishing attacks occurred in 2022 alone. It doesn’t only affect private citizens – it can harm your business too. This article examines smishing and how it might affect businesses. To make sure we’re all on the same page, we’ll begin with a definition of smishing.
Smishing is a form of phishing that targets people through their mobile text messages (SMSes). The attacker will send a legitimate-seeming message calling for an action. Completing it will compromise the victim’s information.
How Smishing Works
Smishing attackers send out text messages targeting one person, or more frequently, many people. The message may require the victim to call a number manned by scammers, provide private information, or make a payment. More frequently, however, the message includes a link to a website.
If a victim clicks the link, they’re led to a site that downloads malware onto their phones, requests their personal information or important login details, or both. Less frequently, a smishing attack can lead to direct requests for a payment that goes into the scammer’s bank account instead of that of the company the victim thought they were paying.
All an attacker needs to execute a successful smishing attack is a mobile number and, if installing malware is the goal, as little as a single unguarded click. If a keystroke logger is installed, everything done on the smartphone becomes an open book to fraudsters.
What prompts people to click a link? There are many approaches. What they have in common is a sense of urgency. An account has been suspended, there’s suspicious activity on their banking profile, a payment is due, a prize must be claimed, or rewards will be granted if a survey is completed. In very targeted attacks on businesses, an employee could receive a smishing message that appears to be from a supplier, a customer, a colleague, or even the CEO.
A common, and by now well-known, smishing example occurs when a text message invites randomly targeted people to complete a survey from a major brand in exchange for a reward. In the process, they not only divulge their own details (while malware is likely being downloaded onto their device) but are required to share the page with friends to qualify for the promised reward. In this way, smishing can spread quickly, and people are all the more convinced the scam is above-board because they were invited by friends.
How to Identify Smishing Attacks
Although scammers see mobile phone users as easy targets, it’s relatively easy to identify attempted smishing attacks and avoid them. Here’s what should make you suspicious:
- You receive an SMS
- The SMS contains a link
- If it doesn’t contain a link, it requires you to make a payment, call a number or divulge sensitive information
This should be enough to alert you to the possibility that you are being targeted. However, there are additional characteristics of smishing that you can take into account.
- You’re required to perform an “urgent” action
- The call to action promises you benefits or includes a threat, e.g. you will be locked out of your bank account
- It’s always wise to remember that if you receive an offer that seems too good to be true, it’s probably a scam
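To make the checklist above concrete, here is an added example (not code from the article or from Advantex) that scores constructed SMS samples against those indicators: a link, a request for payment, a call or sensitive data, urgency or a threat, a too-good-to-be-true reward, and an "SMS STOP" opt-out. The keyword lists and the .example domains are my own assumptions.

```python
import re

# Indicators drawn from the article's checklist. The keyword patterns are
# assumptions for illustration, not a definitive detection rule set.
LINK_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:com|co\.uk|net|org|link|info)\b\S*")
REQUEST_RE = re.compile(r"\b(pay(?:ment)?|call (?:us|this|the|a)|verify your|confirm your|password|pin|account details)\b")
URGENCY_RE = re.compile(r"\b(urgent(?:ly)?|immediately|within 24 hours|suspended|locked|expir\w*|final notice)\b")
LURE_RE = re.compile(r"\b(prize|reward|won|gift card|claim)\b")
STOP_RE = re.compile(r"\bstop\b")

CHECKS = [
    (LINK_RE, "contains a link"),
    (REQUEST_RE, "asks for payment, a call or sensitive information"),
    (URGENCY_RE, "demands urgent action or carries a threat"),
    (LURE_RE, "promises a reward that is too good to be true"),
    (STOP_RE, "offers an 'SMS STOP' opt-out (do not reply)"),
]

def score_sms(text: str) -> dict:
    """Return the matched indicators for one message; two or more flags it."""
    lowered = text.lower()
    reasons = [label for rx, label in CHECKS if rx.search(lowered)]
    return {"score": len(reasons), "reasons": reasons, "suspicious": len(reasons) >= 2}

def triage(messages):
    """Score a batch and return (message, result) pairs, most suspicious first."""
    results = [(m, score_sms(m)) for m in messages]
    return sorted(results, key=lambda pair: pair[1]["score"], reverse=True)

# Constructed sample messages (not real texts); domains use the reserved .example TLD.
SAMPLES = [
    "Your YourBank account has been suspended. Verify your details immediately at http://yourbank-verify.example/login",
    "Congratulations! You've won a £500 gift card. Claim now: http://prize.example/claim Reply STOP to opt out",
    "Hi, running 10 mins late for our meeting, see you soon.",
    "Reminder: your dentist appointment is tomorrow at 9:30. Reply to confirm.",
]

if __name__ == "__main__":
    for msg, result in triage(SAMPLES):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{flag}] score={result['score']} {msg[:60]!r}")
        for reason in result["reasons"]:
            print("    -", reason)
```

The two constructed scam samples each trigger three indicators, while the two benign reminders trigger none; in practice such a scorer belongs in a reporting workflow, not as a replacement for the "never click the link" rule.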
Previously, people were advised to look out for errors in scammers’ messages, but you can’t rely on poor grammar and spelling to spot scams nowadays. AI helps scammers to appear legitimate across a variety of scams including smishing.
What to Do if You Receive a Suspicious Text
Never click a link in a text message. In the past, recognising the sender may have been enough to put your mind at rest, but these days, scammers can even hack phone systems and pose as legitimate senders.
If you’re concerned about the content of the message, verify it by contacting the relevant company – using a different number than the one from which the SMS came. Do not reply to a suspicious text, even if it has an “SMS STOP to opt out” option.
Why Businesses Need to Consider Smishing in Cyber Security Strategies
Smishing attacks are socially engineered scams that can be broad or very targeted indeed. Mobile phones are far more vulnerable to attack than your secured workplace PCs – and all your employees probably use mobile phones, often in the course of their work. In fact, you’re probably providing tools they can use to make their work easier on the go.
Consider the harm that can be done if a key employee has malware on their phone. They may inadvertently divulge login data that gives cyber attackers access to your business’s confidential data. Bad actors can use the information they steal for direct sale on the dark web, for identity theft, or to devise even more precisely engineered attacks on your business and its clients.
How might a fraudster gain access to mobile numbers in the first place? We need employees to be contactable, and some of them may even have mobile phone numbers displayed on marketing materials. But even if they aren’t, your business may still be directly targeted.
Social media platforms are a notorious source of information for cyberattackers. It’s not even necessary to hack profiles, although this is occurring with disturbing frequency these days. Fraudsters can begin with information as scanty as a name and a place of work. Once they have that, all they need is a mobile number to initiate a precisely targeted smishing attack. In addition, scammers may buy information harvested in other smishing attacks. Alternatively, the attackers may have launched a broader smishing attack, gained access to an employee’s details, and use that information to attack your business.
How Businesses Can Protect Themselves From the Consequences of Smishing Attacks
Educate Yourself and Your Employees
The best way to avoid falling victim to the consequences of a smishing attack is to ensure that all your employees are aware of smishing as a threat. The guidance is simple: “Never click a link that’s sent to you via SMS, no matter how legitimate it seems, and don’t provide sensitive information over the phone.” If an employee has already clicked a smishing link, or has been caught out by a telephone request for private information, all passwords should be changed and the device scanned for malware.
Protect Your Business’s Data and Build in Safeguards For Sensitive Actions
Holding a stolen login doesn’t necessarily let cyber attackers proceed if the right safeguards are built into your systems. Robust authentication processes such as multi-factor authentication (MFA), which can extend to biometric authentication, help you verify users’ identities. Employees should find MFA easy to adopt, since most people already use it to access their bank accounts or transact online. MFA can be required when employees access work email and files from their phones, or when transferring files between a phone and a work laptop.
Fraud detection systems can monitor digital activity, identify suspicious actions and help you block activity that may be the work of fraudsters. Since attacks can occur at any time of the day or night, automated systems help maintain vigilance around the clock.
Communicate Securely
Using secure messaging apps and ensuring that emails are encrypted helps to keep your business safe from fraud. Ensure that your employees understand the importance of your communication policies and ask them to report any suspicious SMS messages or emails they may receive. Ensure that all devices that are used for business purposes are protected by anti-virus and anti-malware software.
If a scammer poses as your business, your customers can become victims. If their relationship with your business is public, or you have a popular brand that many people support, scammers can impersonate your business when they launch a smishing attack. Inform your customers that you don’t use SMS for sensitive communications.
Cyber Security is Never “Set and Forget”
Cybercriminals are always on the lookout for new ways to target and attack businesses and the general public. Once one form of attack becomes well-known and ceases to be as fruitful as it was in the past, they’ll move on to the next method. And, just as we use new technologies to work smarter, so do hackers.
Just as businesses buy Software as a Service, a recent widespread smishing attack targeting iPhone users in the US and UK showed that there are people who sell smishing packages to aspiring scammers. Thought your business was too small to be targeted? Think again! If you have data (and who doesn’t?) and present an easy target, you are almost sure to be targeted sooner or later.
At Advantex, we constantly work to stay several steps ahead of the latest cyber security threats, implementing the newest technologies to safeguard our customers. We search for vulnerabilities in your systems and counteract them while keeping you and your staff educated and informed on the best ways to stay safe online.
Let’s work together to keep your business safe and your systems secure. Find out more about our cyber security solutions today.