‘Smishing’ (SMS Phishing): A Rising Threat for Business Owners

According to Proofpoint, SMS-related scams rose by over 328% in 2020. The following year, reports of smishing scams increased by 700% within the first six months. And based on Proofpoint's 2022 State of the Phish report, 74% of businesses faced smishing attacks last year, up from 61% in 2020.?

What do these figures mean? Smishing is on a steady upward trajectory and gets more severe by the day. This article defines smishing, explains how it works and spreads, discusses types of smishing attacks, and highlights how to stay safe.

What's Smishing?

Smishing is SMS phishing. It's a variant of phishing where cyber actors send fraudulent texts to trick recipients into revealing their sensitive information or clicking malicious links. This type of social engineering often exploits human trust rather than technological faults. Like regular phishing actors, smishing artists always impersonate reputable individuals or companies, like your bank asking you for card details or your IT provider directing you to update passwords. As you key in this information or follow the instructions, the bad guys monitor your every move silently in the background.

The bad guys can use either of the following two methods or both:

1. Smishing through malware: Cyber actors can trick you into clicking malicious links or opening malware-infested attachments. When you click the links, malicious software automatically installs itself on your mobile phone, masquerades as a legitimate app, and tricks you into sharing personal information.
2. Smishing through malicious websites: It's similar to smishing through malware, only that the clicking of malicious attachments here redirects you to a fake website that mimics reputable ones. The site may automatically mine your data or ask you to type sensitive information as an attacker eavesdrops in the background.

How Does Smishing Work and Spread?

Smishing actors use deception and fraud by masquerading as trusted people. They can exploit either of the three driving factors:

• Trust: They use SMS texts purportedly from legitimate organizations to win the targets' trust. You're likely to lower your guard if you think the message is from a legitimate entity.
• Context: The bad guys often customize messages to situations relevant to the target. For instance, they can impersonate the Department of Health updating the public on COVID-19 containment guidelines. This approach builds an effective disguise.
• Emotion: Attackers can override your critical thinking by heightening emotions. A typical example is urgent warnings asking you to update your logins or risk losing your account at a specific time, spurring you into rapid action without considering the sender's legitimacy.

5 Common Types of Smishing Attacks

Cyber attackers have thousands of smishing tricks, but they all have one thing in common—impersonating trusted people or organizations to trick users into divulging sensitive information. We may not exhaust all of them because new tricks keep emerging each day. Here are five most common ones today:

1. COVID-19 smishing: Here, the bad guys customize their messages to copy legitimate COVID-19 aid programs by the government, health institutions, or financial organizations. They may ask you to complete a census, download a malicious public health safety update, accept a financial relief stimulus, or provide your social security number for contact tracing. They can then use this information to defraud you.
2. Customer support smishing: You may receive a text, supposedly from one of your vendors' HR departments, asking to help you solve an issue. For example, they may say an error in your account that needs immediate fixing or password resets.
3. Order confirmation or invoice smishing: You must have heard of how Barbara Corcoran almost lost $400,000 to scammers in 2020. According to CNBC, Barbara's assistant wired the money after sorting a fake invoice from cyber actors in China. Fortunately for her, she recovered the money before it reached the bad guys, but that's not always the case.
4. Gift smishing: Cyber attackers send texts offering free products or services from renowned retailers or companies. The offers often have limited time and come with links redirecting targets to malicious websites that can mine their credit card credentials.
5. Financial services smishing: The attackers may pose as your bank or financial service provider, asking you to verify unsuspicious account activity or unlock your account. They then ask for your logins or credentials and later use them to access your accounts.

Adopt Zero-Trust Approach To Manage Cyber Risk

As you must have noticed, smishing primarily relies on human error. As more people operate remotely and organizations increasingly adopt the cloud, the cybersecurity perimeter gradually shifts from the physical location of networks and devices to users, assets, and resources. That's why you should adopt a people-oriented zero-trust policy.

Zero trust involves not implicitly trusting any user or device due to ownership and physical or network location. Instead, it defines the exact prerequisites users must meet to access your networks. For instance, you can use MFA as an extra authentication layer for all your sensitive databases. That way, the bad guys cannot compromise your networks even if they steal a trusted user's login.

LeadingIT offers 24/7, all-inclusive, fast and friendly technology and cybersecurity support for nonprofits, manufacturers, schools, accounting firms, religious organizations, government, and law offices with 20-200 employees across the Chicagoland area.