
Are You at Risk for SMiShing?

September 12, 2023

Most of us have received a bogus text message that mentioned some sort of problem with a recent delivery or an issue with a PayPal or Amazon account. The instructions were to click on a link to resolve the issue. Sometimes these text messages are very vague, and it may be easy to determine that they are a scam. However, other times it may not be so easy to distinguish a fake message from a legitimate one. According to Techjury.net, more than 3.5 billion mobile phone users receive SMiShing messages daily, but only about 22% of people aged 18–22 know about it and its consequences. According to Earthweb.com, only about 36 percent of people in the US know what a SMiShing attack is. Let’s take a closer look at what SMiShing is. This will help you determine if you’re at risk and how to handle any potential attacks.


What is SMiShing?

The term “SMiShing” is a combination of “SMS” (“short message service,” the technology behind text messages) and “phishing.” SMiShing is a type of cyber-attack that employs social engineering techniques to trick people into navigating to a bogus website where they’re asked to download malware onto their devices, divulge personal information, or give a one-time password (OTP) that will allow the scammer to bypass MFA (multi-factor authentication). SMiShing attacks are similar to phishing attacks; the main difference is the medium. In both cases, scammers use a convincing pretext or phony message that will appeal to someone’s curiosity, greed, or fear. By triggering one of these emotions, they can get people to take action without thinking, such as clicking on a malicious link or giving out sensitive information.

Are You at Risk?

According to Statista, 76% of organizations experienced SMiShing attacks in 2022. The criminals perpetrating these attacks know that victims are more apt to click links in text messages than in emails. According to marketing site Selzy.com, SMS messages take a limited amount of time to read, and the click-through rate is an impressive 30%. In contrast, emails are often too time-consuming for most people, and only 1.7% actually click on the links. Advances in filtering technology have made it harder for some forms of phishing, like emails and phone calls, to reach their targets. As cybercrime continues to grow, scammers expand their vectors to maximize the results of their attacks.

It’s fair to say that just about anyone who has a cell phone is at risk of a SMiShing attack. However, statistics show that 74% of its victims are companies. According to Proofpoint’s 2023 State of the Phish report, 76 percent of organizations experienced SMiShing attacks in 2022. The increase in bring-your-own-device (BYOD) and remote work arrangements has also led to more people using their mobile devices for work, making it easier for cybercriminals to access company networks through employees’ cell phones.

Protect Yourself

Awareness is the first step to protecting ourselves. Because social engineering principles are used in SMiShing attacks, attackers can manipulate a person’s decision-making if they are not aware of the following techniques:

Impersonation:

By posing as legitimate individuals and organizations, cybercriminals lower their target’s skepticism.

Realistic Pretexts:

Using a situation that could be relevant to a target makes the message feel personalized, which helps to override any suspicion that it might be spam.

Amygdala Hijacking:

By heightening a target’s emotions, attackers can override their target’s critical thinking and get them to act quickly.

Being aware of these tactics will help you identify if you’re the target of a SMiShing attack. If that’s the case, here are a few things to keep in mind:

    • Do not respond. Even if the message prompts you to reply, texting “STOP” to unsubscribe can be a trick to identify active phone numbers.
    • Slow down. If you received a text message that evokes urgency, do not click on any links or reply. Instead, visit the official website the text claims to be from and log into your account. Any urgent notices can be verified directly from your online accounts.
    • Never provide a password or account recovery code via text. Both passwords and text-message two-factor authentication (2FA) recovery codes can be used to compromise your accounts.
    • Report all SMS phishing. You may do this by copying the message and forwarding it to 7726 (SPAM). This helps your wireless provider spot and block similar messages in the future. You may also report it on the messaging app you use by selecting “report spam” or “junk”. Ultimately, you may report it to the FTC at ReportFraud.ftc.gov.

Remember that attackers are attempting to elicit a response based on emotions such as fear, greed, and curiosity. By not responding or taking an action right away, you give yourself time to engage your critical thinking and not fall victim to a SMiShing attack.
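The tactics and tips above can also be applied as automated checks on texts that people forward to a reporting inbox. The Python sketch below is an added example, not part of the original article; the brand allow-list, keyword patterns, weights and sample messages are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list: brand name -> domains that brand really uses (illustrative only).
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "amazon": {"amazon.com"}}
# Assumed keyword patterns for the tactics described in the article.
URGENCY = re.compile(r"\b(urgent|immediately|suspended|locked|final notice)\b", re.I)
CREDENTIAL = re.compile(r"\b(password|verification code|one-time|otp|recovery code)\b", re.I)
REPLY_BAIT = re.compile(r"\b(reply|text)\s+(stop|yes|y)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
WEIGHTS = {"contains-link": 1, "urgency": 2, "asks-for-credential-or-code": 3, "reply-bait": 1}

def registered_domain(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(message):
    """Return (score, findings) for one reported text message."""
    findings = []
    hosts = [urlparse(u).hostname or "" for u in URL.findall(message)]
    if hosts:
        findings.append("contains-link")
    lowered = message.lower()
    for brand, domains in BRAND_DOMAINS.items():
        # Impersonation: brand is named, but a link points somewhere the brand does not own.
        if brand in lowered and any(registered_domain(h) not in domains for h in hosts):
            findings.append(f"impersonation:{brand}")
    for label, pattern in (("urgency", URGENCY), ("asks-for-credential-or-code", CREDENTIAL),
                           ("reply-bait", REPLY_BAIT)):
        if pattern.search(message):
            findings.append(label)
    score = sum(WEIGHTS.get(f, 3) for f in findings)  # impersonation findings weigh 3
    return score, findings

# Constructed sample messages (not real traffic); *.example hosts are placeholders.
SAMPLES = [
    "PayPal: your account is suspended. Verify immediately at http://paypal.account-check.example/login",
    "Your Amazon order has shipped. Track it at https://www.amazon.com/orders",
    "Delivery problem with your parcel. Reply STOP to unsubscribe.",
    "Security team here: please send us the verification code you just received.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text))
```

A higher score only sets the order in which reports are reviewed; a low score does not mean a message is legitimate.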

Protect Your Company

SMiShing doesn’t just affect individuals; it has become a growing threat for businesses of all sizes. One way to prevent a SMiShing attack is by implementing strong identity verification and authentication processes such as two-factor authentication (2FA). This can help by ensuring that only legitimate users are able to access data and systems. However, this is just one step that should be implemented in a multi-layer security protocol. Of those layers, the most important is detecting and remediating human vulnerability by means of education, training, and testing.

Do your employees know how to detect a SMiShing attack and how to report it? Let us help you establish a reporting process for smishing attacks. Our fully-managed SMiShing service measures and tracks how your employees respond to text-based phishing attacks. Find out more about our managed services at Social-Engineer.com.

Written by: Rosa Rowles

Image: https://phishingtackle.com/smishing/
