Smishing Isn't As Funny As It Sounds
As serious as they are, cyberattacks aren’t always given the most serious-sounding names.
by Amy Rutt
As serious as they are, cyberattacks aren’t always given the most serious-sounding names. We are, of course, referring to “phishing”: the manipulation of the user, rather than of a computer system, to gain access to data. Phishing can come in many forms, with some—like phishing someone via SMS message—doubling down on the silliness of the name. Let’s examine this variety, and why “smishing” is not something to trifle with.
PHISHING + SMS = SMISHING
When a cybercriminal utilizes a phishing scam, they aren’t necessarily using any advanced technologies to crack your digital protections. Instead, they’re hacking the user, taking advantage of their target’s assumptions, bad habits, and unawareness to trick them into handing over information or the means to access it. One particularly famous example of a classic phishing scheme is the old “email from persecuted royalty” ruse, known as the Nigerian Prince scam.
HOW SMISHING WORKS
By sending a message that claims (and may even appear) to come from an authority figure or trusted contact, an attacker can bypass your security by convincing a user to undermine their protections.
Smishing is simply the application of these principles via a text message rather than through the more familiar channel of email.
Instead of an email or phone call, you could get a text message from a number that claims to be an institution you do business with, be it a financial institution, a service provider, or what have you. More recently, many smishing attacks claim to come from authority figures sharing information about the COVID-19 pandemic.
The message might share details that seem to confirm that the sender is who they say they are. This message would then closely resemble a phishing email, but since it isn’t the format that most people expect phishing to come in through, it could easily go unnoticed. Either way, like any phishing attack, the text would try to get you to react without much thought.
Chances are, there will be a link included with the message, prompting you to log in. The problem is the link will direct you to a fraudulent login page which will collect your actual credentials. Some will prompt you to download a document, which (surprise, surprise) is hiding some variety of malware in it.
So, simple as that, an attacker suddenly has access to one of your accounts, or potentially your device itself. Just take a moment and consider how much sensitive data you likely keep on your phone, data that could then be extracted by the hacker.
This, naturally, needs to be avoided.
To prevent this from impacting your business, you and your entire team need to be able to recognize a phishing attempt in any of its forms—even when it comes in via text message.
HOW TO SPOT A SMISHING MESSAGE
Fortunately, once you’re aware of the threat that smishing poses, spotting it is much easier. In fact, if you’re familiar with the basic principles involved in spotting a phishing attack, spotting smishing is very similar:
- If the sender isn’t familiar, don’t open the message and definitely don’t access any links. Just as is the case with a suspected phishing email, even opening a suspected smishing message is potentially risky. If you do happen to open it, don’t click through any links that will almost certainly be present.
- Don’t provide any sensitive information without confirming the legitimacy of the message through another means. Let’s say you get a text message from Facebook informing you of an issue with your account, with a link to log in and resolve it. Instead of clicking through the link, check your Facebook through the app or your Internet browser. If someone supposedly sends you a request for a password, call them back to confirm the request first.
- Block numbers you suspect of phishing. There’s a chance that your mobile device offers the capability to block texts, much like an email client can filter messages. Investigate your phone’s capabilities and apply any settings that may help.
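The checklist above, and the fraudulent-login-link mechanism described earlier, can be turned into a simple triage routine. The following is an added example written for this post, not code from the original article or from Ciracom: it scores a text message on the indicators listed here (unfamiliar sender, embedded link, a link whose domain does not belong to the brand the message name-drops, a request to log in or hand over credentials, and urgency language). The brand-to-domain table, the word lists, the threshold, and the three sample messages are all constructed for illustration and are assumptions, not an authoritative list.

```python
"""Heuristic smishing triage (added example).

Scores an SMS on the indicators from the post: unknown sender, embedded link,
link domain that does not match the brand the message claims to be from,
credential/login request, and urgency wording.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed: illustrative brand-to-domain mapping, not an authoritative allowlist.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "paypal": {"paypal.com"},
    "usps": {"usps.com"},
}

# Word-boundary patterns so that e.g. "shipping" does not trigger on "pin".
CREDENTIAL_RE = re.compile(r"\b(password|log ?in|sign in|verify your account|ssn|pin)\b", re.I)
URGENCY_RE = re.compile(r"\b(immediately|within 24 hours|suspended|locked|urgent|act now)\b", re.I)

# Matches full URLs and bare hostnames such as "fb.com/xyz".
URL_RE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s]*)?", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: three or more indicators is worth escalating.
        return self.score >= 3


def registrable_domain(url: str) -> str:
    """Return the last two labels of the hostname ("sub.fb.com" -> "fb.com").

    Naive on purpose: it ignores multi-label public suffixes such as co.uk.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(sender: str, text: str, contacts: set[str]) -> Verdict:
    """Score one message; reasons explain every point awarded."""
    v = Verdict()
    lowered = text.lower()

    if sender not in contacts:
        v.score += 1
        v.reasons.append(f"sender {sender!r} is not a known contact")

    urls = URL_RE.findall(text)
    if urls:
        v.score += 1
        v.reasons.append(f"contains link(s): {urls}")

    # The post's key point: the link leads somewhere the claimed sender does not own.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in lowered:
            mismatched = [registrable_domain(u) for u in urls
                          if registrable_domain(u) not in domains]
            if mismatched:
                v.score += 2
                v.reasons.append(f"claims to be {brand} but links to {mismatched}")

    if CREDENTIAL_RE.search(text):
        v.score += 1
        v.reasons.append("asks for a login or other credential")

    if URGENCY_RE.search(text):
        v.score += 1
        v.reasons.append("pressures the reader to act quickly")

    return v


# Constructed sample data; the phone numbers and URLs are placeholders.
CONTACTS = {"Mom", "+15550100999"}
SAMPLES = [
    ("+15550100123", "Facebook: unusual login detected. Your account will be locked "
                     "within 24 hours. Verify now: http://facebook-security-check.example/login"),
    ("+15550100456", "USPS: your package is out for delivery. Track it at https://usps.com/track"),
    ("Mom", "Running late, can you pick up milk?"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        verdict = triage(sender, text, CONTACTS)
        label = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"[{label}] score={verdict.score} from {sender}: {text}")
        for reason in verdict.reasons:
            print(f"    - {reason}")
```

The second sample is deliberately borderline: an unknown number with a link scores two points but is not flagged, because the link actually belongs to the brand named in the text. Swap that link for a lookalike domain and the brand-mismatch rule adds two more points, which is the situation the post warns about.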
As a final note, you need to make sure your entire organization is keeping security in mind as they go about their workday, and that they know how to identify and respond to any threats they may come across. Of course, applying certain protections across your entire network doesn’t hurt, either.
Ciracom is here to assist you and your team with any of your IT needs, from security to productivity to mobility. Learn more about our services by reaching out to us at (703) 621-3900, or by exploring our website!