Not content to rely on email, cybercriminals are increasingly embedding phishing lures in text messages in a technique dubbed “smishing.” Smishing is particularly effective because people tend to click on text links frequently and impulsively, and unlike the misspellings and Nigerian princes that populate phishing emails, texts are so brief that those red flags rarely appear.
Typically a smishing message conveys a sense of urgency, such as “Your account has been compromised,” or “Your password has changed,” explains Joseph Neumann, cyber executive adviser at Coalfire, a cybersecurity firm in Westminster, Colo. "The attacker attempts to get you to click on an embedded link to visit the site, and possibly download malicious content or enter credentials," he says.
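The lure pattern Neumann describes (urgency phrasing plus an embedded link) can be turned into a simple triage heuristic that a help desk or security team could run over reported messages. The Python below is an added example written for this page; it is not code from the article, Coalfire, or any vendor. The urgency phrase list, the link-shortener list, the brand-to-domain mapping and the sample messages are all constructed assumptions chosen to illustrate the signals, not a production ruleset.

```python
import re
from urllib.parse import urlsplit

# Urgency lures of the kind the article quotes ("account compromised",
# "password changed") plus a few common variants. Assumed list, not from the article.
URGENCY_PATTERNS = [
    r"\baccount (has been|was) compromised\b",
    r"\bpassword (has|was) changed\b",
    r"\baccount (is|has been) (locked|suspended)\b",
    r"\bverify (your|the) (account|identity)\b",
    r"\bimmediately\b|\bwithin \d+ hours?\b|\bact now\b",
]
URGENCY_RE = re.compile("|".join(URGENCY_PATTERNS), re.IGNORECASE)

# Matches full http(s) URLs and bare host/path forms such as "bit.ly/abc".
URL_RE = re.compile(r"(?:https?://\S+|\b[\w.-]+\.[a-z]{2,}(?:/\S*)?)", re.IGNORECASE)

# Shorteners hide the real destination, so a shortened link is a signal (assumed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# Brand keyword -> domains that legitimately send SMS for that brand.
# Constructed placeholders; a deployment would load the organisation's own list.
BRAND_DOMAINS = {
    "acmebank": {"acmebank.example"},
    "parcelco": {"parcelco.example"},
}

# Constructed sample messages (not real texts); two lures and two benign messages.
SAMPLE_MESSAGES = [
    "AcmeBank: Your account has been compromised. Verify your identity now "
    "at http://acmebank-secure.example.net/login",
    "ParcelCo: your package is waiting, confirm delivery fee at bit.ly/pc-fee within 24 hours",
    "AcmeBank: your statement is ready. Sign in at https://www.acmebank.example/statements",
    "Hey, running late, see you at 7?",
]


def host_of(url: str) -> str:
    """Return the lowercased hostname of a URL, adding a scheme if one is missing."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def score_message(text: str) -> dict:
    """Score one SMS body; a higher score means more smishing signals were found."""
    score, reasons = 0, []
    if URGENCY_RE.search(text):
        score += 2
        reasons.append("urgency phrasing")
    lower = text.lower()
    mentioned = {brand for brand in BRAND_DOMAINS if brand in lower}
    for raw in URL_RE.findall(text):
        host = host_of(raw.rstrip(".,;!?)"))  # drop trailing punctuation
        if host in SHORTENERS:
            score += 2
            reasons.append(f"link shortener {host}")
        # A brand is named in the text but the link leaves that brand's domains.
        for brand in mentioned:
            allowed = BRAND_DOMAINS[brand]
            if not any(host == d or host.endswith("." + d) for d in allowed):
                score += 3
                reasons.append(f"{brand} named but link goes to {host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            score += 2
            reasons.append("raw IP address link")
    return {"score": score, "reasons": reasons, "suspicious": score >= 3}


def triage(messages):
    """Score a batch of reported messages, most suspicious first."""
    results = [(m, score_message(m)) for m in messages]
    return sorted(results, key=lambda r: r[1]["score"], reverse=True)


if __name__ == "__main__":
    for msg, result in triage(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{flag:10}] score={result['score']} {msg[:60]!r} {result['reasons']}")
```

The brand check is the part worth keeping even if the rest is replaced: a message that names a brand but links to a domain the brand does not own is the core of the "legitimate-looking site" trick, and it is a stronger signal than any keyword. The scores are illustrative weights, not calibrated values.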
Scammers may also effectively spoof messages from well-known companies and direct recipients to legitimate-looking sites, turning smishing into social engineering on steroids.
It’s on the rise too, according to Lawrence Cruciana, president of Corporate Information Technologies, a provider of cybersecurity services to SMBs in Charlotte, N.C. Anecdotally, Neumann agrees. "I currently receive two to three of these types of text a week, offering mortgage refinancing or account resets," he says.
Attackers don’t just target individual users. According to the 2021 State of the Phish report from security company Proofpoint, 81% of U.S. organizations faced smishing attacks last year. "More commonly, smishing is part of a blended attack that is actually targeted into smaller organizations because they are easier prey," Neumann says.
Lack of awareness is a top reason smishing is successful, Cruciana says. While many MSPs have done a good job with educating their clients about phishing, little attention has been paid to smishing. Thus, education will go a long way toward mitigating risks.
"Users should protect themselves by simply deleting and ignoring these messages," says Neumann. "Never click on a link provided!" Other best practices include logging out of websites, closing browsers when not in use, keeping operating systems updated, and upgrading phones to the latest version possible.
Cruciana also recommends that companies clearly outline the conditions under which employees can use mobile devices to access corporate data and deploy mobile endpoint management software. "As a practice, we deploy a unified endpoint management product for our clients," he says. "We require the use of encryption, strong pass phrases, and apps that are supported and updated."
While smishing may be a new twist on an old scam, defending against it requires the same general ingredients: a good portion of common sense accompanied by a dose of security tools.