2024 State of Vishing Report
In February 2024, 19.2 billion spam texts bombarded U.S citizens according to a recent report. As annoying as spam texts are, they are not always malicious. Some spam texts are from legitimate businesses, albeit unauthorized, looking for new ways to connect with their customers. However, lurking within those daily spam texts is a more sinister threat; SMiShing texts. SMiShing texts have the specific purpose of tricking recipients into revealing personal/financial information and/or downloading malware to their phone. Bad actors are taking full advantage of our reliance on text communication for business and personal use. Let’s look at a couple of recent smishing examples.
Researchers recently discovered a phishing kit using novel tactics targeting FCC employees and cryptocurrency platforms. Bad actors are using this kit to build carbon copies of single sign on (SSO) pages. These pages are being distributed via text message, email, and vishing (voice phishing), using the pretext of securing their account after an attack.
What is the novel tactic the attackers use? The victim is asked to complete a Captcha using Captcha. This tactic prevents automated analysis tools from crawling and identifying the phishing site. It’s also a clever social engineering tactic. How so? It may also give the victim a sense of trust, and lend credibility to the process, since typically only legitimate sites use Captcha. Once the captcha is completed, the login page mimics the FCC’s legitimate Okta page.
Listen to Chris Hadnagy, CEO at Social-Engineer, LLC discuss this scam during Podcast 252, Crypto, Phishing and SMiShing…Oh My!
In this attack, victims receive a text message from the United States Postal Service alerting them to an undeliverable package. The goal is to steal the victim’s payment card details and other personally identifiable information. This is the four-step flow after the victim clicks the link in the text message, according to the researchers who discovered the attack:
SNS Sender represents a narrower approach that relies on the actor having access to a properly configured AWS SNS tenant. However, as you can see, attackers are using social engineering tactics in this scam. They use messages that create a sense of urgency and fear in their victims, which prompt them to tap on the “Click Update” button, initiating the scam.
Are you concerned about the security of your company’s sensitive information? Imagine the consequences if your staff fell victim to a SMiShing scam, resulting in a data breach. The repercussions could be devastating. The solution? Protect your company from the dangers of SMiShing with our Managed SMiShing Service. This innovative and fully managed service not only tests and educates your employees on how to spot SMiShing texts, but also the more important act of reporting these attacks properly, helping to ensure the safety of your organization. Please contact us today for a consultation.
In the rapidly evolving digital landscape, no entity is immune to the pervasive threat of cyberattacks. The security breach at MGM Resorts highlights the vulnerability of even massive organizations. As
SMiShing Attacks in the News In February 2024, 19.2 billion spam texts bombarded U.S citizens according to a recent report. As annoying as spam texts are, they are not always
