
SMiShing Testing and Policy: Update it Today!

February 22, 2023

For years, we have known about phishing as an effective vector into corporate networks. Malicious actors use phishing to obtain credentials and other sensitive data, install malware and a lot more. Recently, the SMiShing vector has taken center stage mainly due to the Twilio breach. This breach has undoubtedly caused CSOs and other information security staff sleepless nights. While phishing testing and training may have become mainstream, SMiShing testing is lacking. In part, it is lacking for legal reasons.


Image: Incident Report: Employee and Customer Account Compromise – August 4, 2022 (twilio.com)

It is relatively easy for a company to dedicate resources to new phishing or vishing testing. One call to Social-Engineer, and this testing can happen in no time. However, if a company wants to begin SMiShing testing, there may be an immediate roadblock. The difference is the assets that are used in testing. When performing phishing training, tests are done by sending phishing messages to the employee’s company email account. The company owns the account and servers. The situation is similar for vishing testing. The company owns the phone number that is called. As the owner of the email account, server and phone number, the company can consent to the testing, and the employee does not need to be made aware.

Update Your BYOD Policy

If a company wants to begin SMiShing testing, the testing might not be so straightforward. Few companies provide mobile devices to their employees. Employees often bring their own devices (BYOD) to use at work. The problem is that the owner of the device, the employee, has usually not consented to it being used for testing. Also, if the reporting process is not known to employees, or does not yet exist in your company, the testing could be less valuable.

Our recommendation is for companies to update their BYOD policy immediately and establish a reporting process for employees to submit suspected SMiSh for review by their security team. The policy must include the employees’ consent to security testing and training on their devices, especially when they are using their own devices to log in to corporate resources. Once this policy is updated, a reporting process should be established that makes it easy for employees to capture the needed details and alert security staff to a possible active attack.

Once you are ready to begin SMiShing testing, you can partner with Social-Engineer as part of the Managed SMiShing Service. With this service, employees will learn what a SMiShing message looks like and how to report it safely. At Social-Engineer, our difference is that we focus less on click rates and more on reporting rates. Reporting is crucial to protecting the company’s sensitive information and employees.

So, update the BYOD policy and set up a reporting process. Let your employees know of the changes and get started with SMiShing testing today!

Written by: Patrick Laverty

For a detailed list of our services and how we can help you achieve your cybersecurity goals please visit:

https://www.social-engineer.com/offensive-security/.
