How To Protect Your Company From Smishing


As if classic email-based phishing scams weren’t impactful enough, an escalating threat involves dodgy text messages sent to your smartphone. This social engineering spin-off is known as smishing, a portmanteau term combining “SMS” and “phishing.” It aims to dupe users into disclosing sensitive information or downloading mobile malware. These messages usually impersonate trusted companies or individuals and may include links that lead to credential phishing pages.

By the way, the concept of smishing has evolved over the years, and the channels for orchestrating these campaigns aren’t restricted to traditional SMS anymore. Fraudsters are increasingly disseminating rogue texts via popular mobile messaging apps, such as WhatsApp, Facebook Messenger, and WeChat. The use of these Internet-based platforms has “democratized” the dodgy process, allowing felons to extend their reach considerably.

Many companies are on the receiving end of smishing hoaxes in which impostors try to gain access to enterprise networks, steal proprietary data, or misguide employees into wiring funds to the wrong destination. Let’s analyze this cybercrime phenomenon in-depth and see how organizations can keep smishers at bay.

Types of text messages that should give you a heads up

To step up the effectiveness of their foul play, crooks have mastered quite a few smishing techniques over time. Each one pulls strings with recipients in its own way to make them slip up. The following themes currently dominate this threat landscape:

  • Fake alerts about dubious account activity

To harden the protection of enterprise assets against unauthorized use in a business world with a growing share of remote work, organizations are enforcing an extra verification step in scenarios where a corporate account is accessed from a nonstandard device or location. Malicious actors may piggyback on this caution by sending knock-off confirmation requests to employees.

In many cases, these messages are camouflaged as elements of a two-factor authentication (2FA) chain. Their goal is to convince the unsuspecting user to tap the embedded link, which leads to a credential phishing page or a malware payload.

  • Messages pretending to come from a bank

As per Moissaniteco, money-related problems are arguably among the most sensitive subjects for the average layman, and con artists know it. Unsurprisingly, smishing messages often impersonate one’s financial institution. They misinform the would-be victim about a suspicious transaction on their account, state that their credit card has been blocked due to a violation of the banking service terms, or include an overdraft alert. To sort out the alleged issue, the person is told to follow a link and go through identity checks.

  • “You won a prize!” Yeah, right

One more smishing trick in a swindler’s repertoire is to hoodwink someone into thinking they have been awarded something, be it a lottery win, a gift card, or a shiny new smartphone. To learn more and claim the purported prize, the user is supposed to tap a link. The good news is that most of these hoaxes are easy to discern. However, the odds of taking the bait are fairly high when criminals do some reconnaissance in advance and reference real promotions held by large stores in the victim’s area.

  • Surveys that aren’t what they seem to be

Some booby-trapped texts invite recipients to participate in a survey. Given most people’s reluctance to engage with time-consuming marketing studies, the bad guys have to think outside the box to get their targets’ attention. A common piece of bait is the promise of a discount or prize once the questionnaire is completed.

  • Messages ostensibly sent by the government

To aid people during the pandemic, most governments around the globe have launched various Covid relief initiatives, including unemployment payouts and low-interest loan programs. Predictably, malefactors have been sending counterfeit notifications on behalf of local authorities regarding different kinds of benefits. Any message related to one of these social programs fits the present-day context and isn’t likely to be ignored.

How your company can avoid smishing attacks

As per security experts from NAKIVO, the key to forestalling such attacks is to make sure your teams can identify them. Regardless of the manipulative theme, most of these scams convey a sense of urgency, instructing users to take action within a specified deadline. This is fertile soil for hasty decisions that aren’t backed by sober reasoning.

Also, messages that appear out of the blue are a red flag. A trustworthy SMS from a service provider is typically received when you are trying to verify an account, or in response to an inquiry that you actually made. A link inside is a giveaway, too.

Operators of smishing campaigns are smart, but you can easily outsmart them. That being said, let’s go over the ways to curb this nefarious threat.

  • Enforce a BYOD policy. Organizations that allow staff to use their personal smartphones for work should have clear-cut Bring Your Own Device (BYOD) regulations that outline the ways of interacting with suspicious messages.
  • Apply access control. The principle of least privilege is one of the pillars of a well-thought-out corporate security posture. It means that employees only have access to company assets they need for their duties. This will minimize the attack surface if a user falls for a smishing trick and gives away their authentication details.
  • Boost your teams’ awareness. Security awareness training for personnel should include comprehensive recommendations on how to avoid social engineering in general and smishing in particular. Consider also conducting periodic surveys to assess users’ vigilance in this area.
  • Treat urgent texts with caution. Limited time offers and other messages that tell you to do something immediately could be scams. A little bit of paranoia won’t go amiss in such cases.
  • Think twice before replying. A message that lures you to respond is potentially dubious, even if it looks like a prompt to unsubscribe from an unwanted service by sending “STOP” back. This can be an attempt to identify phone numbers in active use.
  • Refrain from tapping links in SMS. As a general rule, it’s a bad idea – even more so if the message is from an unfamiliar sender.
  • Don’t share personal information. If a random message asks you to provide sensitive data, especially financial details, don’t engage.
  • Report. Make sure employees inform your security team about smishing attempts for timely advice and further investigation. Reporting such incidents to the cell phone provider is also worthwhile, as it helps curb fraud campaigns.
  • Use message blocking tools. Another effective technique is to prevent shady texts from reaching you in the first place. Many mobile carriers provide services that filter out messages from suspicious senders.
  • Pull the plug on SMS sent from the Internet. To carry out smishing stratagems, most scammers use online text relay services rather than send messages from a burner phone. It’s an easier and more cost-efficient approach, plus it helps crooks hide their identities. Thankfully, most cell phone companies have a feature in place that blocks texts distributed through Internet-based channels.
  • Contact your bank or service provider directly. When in doubt whether a message actually comes from a trusted organization, don’t hesitate to contact them by dialing the helpline number specified on the official website.
  • Make the most of two-factor authentication. Even if a fraudster wheedles out your password, they can’t use it to sign in to your work account as long as 2FA is enabled. An additional secret key is required, and you are the only person who knows it.
  • Keep your devices up to date. Software updates bring important security fixes and improvements that raise the bar for crooks who may try to sucker-punch you. Protection features built into iOS, Android, and your web browser can flush out most smishing attacks.
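The red flags described above (urgency wording, an unsolicited message, an embedded link, a request for credentials) and the message-filtering idea from the list can be turned into a simple triage rule. The following is an added example, not code from the article or from NAKIVO: a heuristic scorer that a security team could run over reported texts before deciding what to block or investigate. The sample messages, the allow-list of known senders, the term lists and the weights are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Indicator lists are an assumption for illustration; tune them to your environment.
URGENCY_TERMS = ("immediately", "within 24 hours", "urgent", "suspended", "blocked", "act now")
CREDENTIAL_TERMS = ("password", "verify your identity", "confirm your account",
                    "log in", "login", "card number", "pin")
PRIZE_TERMS = ("you won", "winner", "gift card", "claim your prize", "reward")
# Bare-domain links such as "bit.ly/xyz" are common in smishing, so match those too.
URL_RE = re.compile(r"https?://\S+|www\.\S+|\b[\w-]+\.(?:com|net|org|co|ly|xyz|top)\b(?:/\S*)?", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

# Constructed allow-list: sender IDs the company actually uses for staff-facing SMS.
KNOWN_SENDERS = {"ACMECORP"}


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold is an assumption; 4 means at least two independent indicators.
        return self.score >= 4


def _has_term(body: str, terms) -> bool:
    # Whole-word match so that e.g. "pin" does not fire on "shopping".
    return any(re.search(r"\b" + re.escape(t) + r"\b", body) for t in terms)


def _host(url: str) -> str:
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()


def score_sms(sender: str, text: str, reply_to_outbound: bool = False) -> Verdict:
    """Score one inbound text. reply_to_outbound=True means the user had just
    requested something (login code, support reply), which legitimate SMS usually is."""
    v = Verdict()
    body = text.lower()
    if sender not in KNOWN_SENDERS:
        v.score += 2
        v.reasons.append("unknown sender")
    if not reply_to_outbound:
        v.score += 1
        v.reasons.append("unsolicited (no matching request by the user)")
    for url in URL_RE.findall(text):
        v.score += 2
        v.reasons.append(f"contains link {url}")
        if _host(url) in SHORTENERS:
            v.score += 2
            v.reasons.append(f"shortened URL ({_host(url)})")
    if _has_term(body, URGENCY_TERMS):
        v.score += 2
        v.reasons.append("urgency / deadline wording")
    if _has_term(body, CREDENTIAL_TERMS):
        v.score += 2
        v.reasons.append("asks for credentials or payment details")
    if _has_term(body, PRIZE_TERMS):
        v.score += 1
        v.reasons.append("prize / reward lure")
    return v


# Constructed sample messages: (sender, text, reply_to_outbound)
SAMPLES = [
    ("+15550100", "Your corporate account was accessed from a new device. "
                  "Confirm your account within 24 hours: bit.ly/xyz", False),
    ("ACMECORP", "Your verification code is 482913. It is valid for 10 minutes.", True),
    ("+15550199", "Congratulations! You won a $500 gift card from a store near you. "
                  "Claim your prize at www.promo-store-example.com/claim", False),
]


def triage(samples=SAMPLES):
    return [score_sms(sender, text, reply) for sender, text, reply in samples]


if __name__ == "__main__":
    for (sender, text, _), verdict in zip(SAMPLES, triage()):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"[{flag:10}] score={verdict.score:2} from {sender}: {text[:50]}...")
        for r in verdict.reasons:
            print("              -", r)
```

The point of the allow-list and the `reply_to_outbound` flag is that, as the article notes, a genuine SMS from a provider normally arrives in response to something the user just did; a message that is both unsolicited and carries a link already crosses the threshold on its own, which matches the advice to treat any link in a text as a giveaway.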

How to keep your customer relations smishing-safe

To avoid reputational risks, organizations should ascertain that their marketing strategy involving SMS is consistent and trustworthy. This is also a prerequisite for these messages to reach the target customer audience without being filtered out.

The UK’s National Cyber Security Centre (NCSC) has recently published tips covering business communications best practices for the enterprise sector. The guidance includes, among other things, techniques to maintain trust with customers and help them understand that a text message from a brand is legitimate. Here is a roundup of these recommendations:

  • Refrain from inserting web links in SMS. If you absolutely have to, don’t use URL shortening services.
  • Use a Sender ID instead of a numeric phone number. This makes it easy for recipients to tell that the message is authentic. Stick to the same Sender ID across all customer communication vectors. Don’t include special characters in it. Also, register it with the Mobile Ecosystem Forum (MEF).
  • Double-check your texts. Make sure that the mobile carrier doesn’t modify the sender information and content of your messages. Recipients must see your SMS precisely as you sent them.
  • Keep the number of message providers to a minimum. This reduces the chance of exploitation and makes your outreach campaigns easier to manage.
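The NCSC recommendations above can be enforced before a campaign goes out by linting every template against them. What follows is an added example, not NCSC's or Forbes' code: a pre-send check that rejects shortened links, warns on any link at all, and verifies that the Sender ID is the single registered one and contains no special characters. The registered Sender ID, the sample templates and the 11-character upper bound (the usual carrier limit for alphanumeric sender IDs, which the article itself does not state) are assumptions made here.

```python
import re

# Assumption: the one alphanumeric Sender ID the brand uses everywhere and has registered (e.g. with MEF).
REGISTERED_SENDER_ID = "ACMECORP"
SENDER_ID_RE = re.compile(r"[A-Za-z0-9]{1,11}")  # letters and digits only; 11 chars is the common carrier limit
URL_RE = re.compile(r"https?://\S+|www\.\S+|\b[\w-]+\.(?:com|net|org|co|ly|xyz|top)\b(?:/\S*)?", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}


def _host(url: str) -> str:
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()


def lint_outbound_sms(sender_id: str, text: str) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for one outbound template.
    Errors should block sending; warnings need a reviewer's sign-off."""
    errors, warnings = [], []
    if sender_id != REGISTERED_SENDER_ID:
        errors.append(f"sender ID {sender_id!r} is not the registered ID {REGISTERED_SENDER_ID!r}")
    if not SENDER_ID_RE.fullmatch(sender_id):
        errors.append(f"sender ID {sender_id!r} must be 1-11 letters/digits with no special characters")
    for url in URL_RE.findall(text):
        if _host(url) in SHORTENERS:
            errors.append(f"shortened link {url} is not allowed")
        else:
            warnings.append(f"link {url}: avoid links in SMS where possible")
    return {"errors": errors, "warnings": warnings}


# Constructed templates: (sender_id, text)
TEMPLATES = [
    ("ACMECORP", "Hi, your appointment is tomorrow at 10:00. Reply to this message with any questions."),
    ("Acme-Corp!", "Your invoice is ready. Confirm here: https://bit.ly/abc"),
    ("ACMECORP", "Your statement is available at https://www.acme-example.com/statements"),
]


def lint_all(templates=TEMPLATES):
    return [lint_outbound_sms(s, t) for s, t in templates]


if __name__ == "__main__":
    for (sender, text), result in zip(TEMPLATES, lint_all()):
        status = "BLOCK" if result["errors"] else ("REVIEW" if result["warnings"] else "OK")
        print(f"[{status:6}] {sender}: {text[:45]}...")
        for e in result["errors"]:
            print("         error:", e)
        for w in result["warnings"]:
            print("       warning:", w)
```

Keeping the check in the sending pipeline rather than in a style guide is what makes the "same Sender ID everywhere" rule hold in practice: a second provider or a marketing contractor cannot quietly send from a different ID, which is also the reason the article recommends keeping the number of message providers to a minimum.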
