SMiShing attacks continue to soar as more companies transition to a remote/hybrid workforce. According to a Pew Research Center survey, 59% of U.S. employees work from home all or most of the time. This transition means that employees are now more likely to use mobile devices such as a phone or tablet to access corporate information and accounts. Bad actors are taking notice and exploiting this reliance on mobile devices. They are using popular mobile messaging apps and digital channels that aid the productivity of remote workers such as Facebook Messenger, WhatsApp, LinkedIn, Zoom, Microsoft Teams, Google Meet, and Slack to facilitate attacks. As a result, SMiShing is a threat that companies can no longer ignore.
What is SMiShing?
The word SMiShing comes from combining SMS (Short Message Service), the original technology which started mobile texting, with phishing. In either instance the goal of the bad actor is to steal personal or financial information.
The following social engineering news story shows how bad actors exploit messaging apps and digital channels
A sophisticated Teams attack. As reported on by VentureBeat, a bad actor posing as a CEO (Chief Executive Officer) known to be on a business trip to China, sent a WhatsApp message to several of the company’s employees asking them to join a Teams meeting. When the employees joined the Teams meeting, they thought they were seeing the CEO live on video. However, it was really a scraped video feed of the CEO from a past TV interview. To make the fraud more convincing, the bad actor added a fake background to make it appear that the CEO was really in China. Now for the twist, there was no audio feed for the Teams meeting. The “CEO” chatted that he was experiencing issues with the audio feed and told the employees, that “since I can’t make this work, send me the information on this SharePoint link.‘”
Image: VentureBeat
Test, Educate and Protect with our Managed SMiShing Service
How can you protect your company from SMiShing attacks such as mentioned above? It’s important that your employees can identify an attack. At Social-Engineer, LLC our fully managed, enterprise scalable program measures and tracks how your employees respond to text-based phishing attacks with data driven targeting and training. Our fully managed SMiShing service features custom templates, tailored training based on failure, and comprehensive reporting. To schedule a consultation, please contact us today.