Last week, a Santander Bank customer in the U.K. received a text message saying her debit card had been compromised. To resolve the issue, the sender of the text requested she call a fraud prevention helpline and confirm her bank details and, once confirmed, she would receive a new card in a few days.
However, her account had not in fact been compromised, not yet. Although the message appeared to come from Santander's number, it was sent by a fraudster, who used the details she unwittingly provided to steal £71,000 from her. To make matters worse, because the bank itself made no error, it has refused to refund the money.
This alarming incident is just the most recent example of a rising trend in cybercrime called SMS phishing, or "smishing" for short. Like a phishing email, smishing is a phishing attack, but one delivered via text message. Most often, the SMS is crafted to appear to come from a trusted source: a bank, an internet service provider, a friend, and so on. While not a new scheme, smishing has recently become far more common.
Because hackers have historically followed the money, it’s not surprising that they’ve set their sights on mobile, considering:
- There are more than 2 billion smartphone users worldwide
- An average of 20 billion text messages are being sent each day
- More than 90% of SMS text messages are opened within 3 seconds
The rapid open rates of text messages put the advantage in the hands of the attacker, whose M.O. is tricking the victim into quickly handing over the sensitive information they want. Because the sender ID can be spoofed to appear to come from a trusted source, and because phones group messages by sender, a spoofed text can even land in the same conversation thread as genuine messages from the victim's bank, so users are much more likely to click the link or call the number. While users may be more vigilant with email, people tend to let their guard down when it comes to text messages. Even a savvy user can fall victim, because there is no mouse-hover option to preview where a link really goes, there is no subject line to consider, and, on a small screen, it is very difficult to spot a fake landing page or tell a legitimate message from a fraudulent one.
The aftermath of a smishing campaign is not only financial loss to the device's owner; it can also damage the owner's employer. If an employee is tricked into installing malware on their phone, the attacker can take over the device, steal passwords, launch further attacks, and use the phone to infect more devices and computers, including while it is away from the corporate network.
While it is too early to judge how effective updating BYOD policies to cover smishing will be, organizations can incorporate smishing into their existing phishing awareness and training programs now, using real-life examples and teaching the techniques for spotting suspicious text messages and fake landing pages: typos, pixelated logos, urgency, requests for personal details, and non-https links. The single most useful habit to teach is never to act on the contact details in the message itself: verify any "your card is compromised" text by calling the number printed on the back of the card or typing the bank's address into the browser. Note too that an https link is not proof of legitimacy; attackers obtain certificates for lookalike domains, so the host name matters more than the padlock.
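The indicators above can be checked programmatically, which is useful both for building the training examples and for the "no hover preview" problem: on a phone, the only way to see where a link really goes is to pull the host name out of the message. The script below is an added example, not code from the original post or from any vendor. It extracts URLs and phone numbers from an SMS, flags non-https links, urgency wording, requests for bank details and callback numbers, and, beyond what the post lists, flags lookalike domains that merely contain a brand name. The brand allowlist, keyword lists, and sample messages are all constructed for illustration, not a production ruleset.

```python
"""Heuristic triage of an SMS for smishing indicators (illustrative, added example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed allowlist: hosts a given brand genuinely sends links from.
# Hypothetical values, present only so the lookalike check has a reference.
KNOWN_BRAND_HOSTS = {"santander": {"santander.co.uk", "santander.com"}}

URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?\d[\d\s-]{8,}\d")          # a run of 10+ digits/spaces/dashes
CALL_RE = re.compile(r"\b(?:call|ring|phone)\b")
URGENCY_RE = re.compile(
    r"\b(?:immediately|urgent|urgently|act now|suspended|compromised|locked|within 24 hours)\b"
)
CREDENTIAL_RE = re.compile(
    r"\b(?:confirm your|verify your|pin|password|card number|security code|bank details|sort code)\b"
)


def extract_urls(text: str) -> List[str]:
    """Return the URLs in a message, given a scheme so urlparse can see the host."""
    urls = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:!?)")      # strip trailing sentence punctuation
        if url.lower().startswith("www."):
            url = "http://" + url
        urls.append(url)
    return urls


def lookalike_brand(host: str) -> Optional[str]:
    """Return the brand name if the host contains it but is not one of the brand's real hosts.

    'santander-secure-login.com' and 'santander.co.uk.verify-card.net' both contain the
    brand, and neither is the brand's domain or a subdomain of it.
    """
    host = host.lower().rstrip(".")
    for brand, real_hosts in KNOWN_BRAND_HOSTS.items():
        genuine = any(host == h or host.endswith("." + h) for h in real_hosts)
        if brand in host and not genuine:
            return brand
    return None


def smishing_indicators(text: str) -> List[str]:
    """Return the indicators that fire for one message; an empty list means none fired."""
    indicators = []
    lowered = text.lower()
    for url in extract_urls(text):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            indicators.append(f"non-https link: {url}")
        brand = lookalike_brand(parsed.hostname or "")
        if brand:
            indicators.append(f"lookalike domain for {brand}: {parsed.hostname}")
    if URGENCY_RE.search(lowered):
        indicators.append("urgency language")
    if CREDENTIAL_RE.search(lowered):
        indicators.append("asks for account/credential details")
    if PHONE_RE.search(text) and CALL_RE.search(lowered):
        indicators.append("callback number supplied in the message")
    return indicators


# Constructed sample messages. "callback" is modelled on the incident described above;
# the number and wording are invented.
SAMPLE_MESSAGES = {
    "callback": ("Santander: your debit card has been compromised. Call our fraud prevention "
                 "line on 0800 000 0000 immediately to confirm your bank details."),
    "lookalike": ("Santander: your account is locked. Verify your card number at "
                  "http://santander-secure-login.com/verify"),
    "https_lookalike": ("Santander: unusual activity detected. Your card will be suspended. "
                        "Verify your details at https://santander.co.uk.verify-card.net/"),
    "genuine_link": "Santander: your statement is ready to view at https://www.santander.co.uk/statements",
    "benign": "Santander: your statement is ready to view in the app.",
}


def triage_all(messages: Dict[str, str] = SAMPLE_MESSAGES) -> Dict[str, List[str]]:
    """Run the indicator check over every sample message."""
    return {name: smishing_indicators(msg) for name, msg in messages.items()}


if __name__ == "__main__":
    for name, flags in triage_all().items():
        print(f"{name}: {flags or 'no indicators'}")
```

The "https_lookalike" sample is the case worth showing trainees: the link passes the non-https test, yet the host is not the bank's, so the padlock check alone would have let it through. Keyword matching like this is deliberately crude; it is a training aid and a first-pass filter, not a substitute for verifying through a channel the message did not supply.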
As employees increasingly use their smartphones for work and day-to-day operations, smishing will remain a lucrative scheme and will only grow in frequency, aggressiveness and sophistication. To protect their finances and reputation, organizations must stay up to date on the latest phishing schemes and ensure their employees are aware, educated and empowered to recognize and report modern-day attacks.
Want to challenge your employees with a series of staged, real-world phishing attacks and evaluate their individual level of awareness toward smishing?