Smishing Isn't As Funny As It Sounds

by Amy Rutt

As serious as they are, cyberattacks aren’t always given the most serious-sounding names. We are, of course, referring to “phishing”: the manipulation of the user, rather than of a computer system, to gain access to data. Phishing can come in many forms, with some—like phishing someone via SMS message—doubling down on the silliness of the name. Let’s examine this variety, and why “smishing” is not something to trifle with.

PHISHING + SMS = SMISHING

When a cybercriminal utilizes a phishing scam, they aren’t necessarily using any advanced technologies to crack your digital protections. Instead, they’re hacking the user, taking advantage of their target’s assumptions, bad habits, and unawareness to trick them into handing over information or the means to access it. One particularly famous example of a classic phishing scheme is the old “email from persecuted royalty” ruse, known as the Nigerian Prince scam.

HOW SMISHING WORKS

By sending a message that claims (and may even appear) to come from an authority figure or trusted contact, an attacker can bypass your security by convincing a user to undermine those protections themselves.

Smishing is simply the application of these principles via a text message, rather than through the more typical email.

Instead of an email or phone call, you could get a text message from a number that claims to be an institution that you do business with, be it a financial institution, a service provider, what have you. More recently, many smishing attacks claim to have come from authority figures trying to share information about the COVID-19 pandemic.

The message might share details that seem to confirm that the sender is who they say they are. This message would then closely resemble a phishing email, but since it doesn’t arrive in the format that most people expect phishing to take, it could easily go unnoticed. Either way, like any phishing attack, the text would try to get you to react without much thought.

Chances are, there will be a link included with the message, prompting you to log in. The problem is the link will direct you to a fraudulent login page which will collect your actual credentials. Some will prompt you to download a document, which (surprise, surprise) is hiding some variety of malware in it.

So, simple as that, an attacker suddenly has access to one of your accounts, or potentially your device itself. Just take a moment and consider how much sensitive data you likely keep on your phone, data that could then be extracted by the hacker.

This, naturally, needs to be avoided.

To prevent this from impacting your business, you and your entire team need to be able to recognize a phishing attempt in any of its forms—even when it comes in via text message.

HOW TO SPOT A SMISHING MESSAGE

Fortunately, once you’re aware of the threat that smishing poses, spotting it is much easier. In fact, if you’re familiar with the basic principles involved in spotting a phishing attack, spotting smishing is very similar:

As a final note, you need to make sure your entire organization is keeping security in mind as they go about their workday, and that they know how to identify and respond to any threats they may come across. Of course, applying certain protections across your entire network doesn’t hurt, either.

Ciracom is here to assist you and your team with any of your IT needs, from security to productivity to mobility. Learn more about our services by reaching out to us at (703) 621-3900, or by exploring our website!
