SMiShing is defined as “the act of using mobile phone text messages (SMS) to lure victims into immediate action such as downloading mobile malware, visiting a malicious website or calling a fraudulent phone number.” Even if this is the first time you’ve heard the term SMiShing, you may have received a text similar to the one below:
Companies at Risk
While attacks like these can be detrimental to personal assets, the risk arguably increases when malicious actors target companies. However, you might wonder if companies are really at risk with SMiShing today. Maxie Reynolds, a Social Engineering Consultant at Social-Engineer LLC, says “SMiShing is a threat to businesses and corporations, not only because each time one is sent in their name their brand is diluted and trustworthiness is chipped away at from a consumer point of view, but also because this puts their customers and employees at risk. Businesses should be taught to think of SMiShing the same way they do phishing: a real threat with real consequences.”
SMiShing poses a significant threat to companies, especially when employees have access to corporate information and accounts on their personal phone. If an employee succumbs to a SMiShing attack on their personal device, the attacker could gain access to corporate data. The minimum affect this could have on a company would be data loss or disclosure. Worse case scenarios could include stolen credentials or phishing attacks from the user’s device. With such high risks related to SMiShing, let’s look at some steps both employers and employees can take to remain secure.
What Employers Can Do
As an employer, what can you do to ensure corporate security regarding SMiShing? First, strive to understand the impact this attack vector can potentially have on your company. For example, try to know what current SMiShing attacks are being leveraged. A quick Google search of “current smishing scams” will likely bring up an informative list of recently reported scams. However, don’t become overwhelmed at trying to memorize each one. Rather, take a few minutes to read the topics and look at some reported examples. Second, take special note of any attacks that are based around companies or software that your company works with and be sure to notify your employees of these.
Follow up these notifications with the proper training. Making this training mandatory for all employees will enhance a sense of unity throughout the company, because anyone can be susceptible to SMiShing attacks given the proper emotional stimulus.
Actionable training must include a reporting method. It is common for malicious parties to send the same attack to a large portion of the targeted company. This increases the risk to the company, as the likelihood that an employee clicks increases. However, the silver lining is that if just one employee reports this attack you have a much better chance at protecting the company from it. What this means, though, is you must have a system set up for employees to report suspected attacks. They need to be comfortable reporting the attack whether they have fallen victim to it or not.
What Employees Can Do
As an employee, work to be aware of SMiShes. While some are easier to identify than others, there are a few practices you can incorporate to help you guard against this potential attack vector.
To start, look at the number the SMS text was sent from. If you consistently get text message alerts from Walmart, for example, and suddenly the number has changed, and the conversation has moved to a new thread, this could be a sign of a potential SMiSh. It’s also important to keep in mind that malicious parties can spoof, or falsify, their caller ID display.
Avoid clicking links from unknown senders. If you trust the sender and click the link, do not enter any information into the portal or form it sends you to. Rather, navigate to the online portal for that sender or company and log in there. On the same note, do not download and install any software sent to you via text.
SMiShing – a Threat?
Is SMiShing a viable threat to individuals and companies? In a word, yes. However, with the proper protocols, training, and awareness, you can reduce the risk before it even begins.