Text Phishing is on the Rise: How Can We Stop It?

Buzz. Buzz. Buzz.

You take your phone out of your pocket to see the little red text message notification: "Urgent Notification regarding USPS S46K5 delivery of 05/21/21. Go to: msiv.info/sidgnks"

Although at first glance it appears to be a simple delivery notice, tapping that link can have serious consequences for your personal and financial security.

This is a typical SMishing message. SMishing (SMS phishing) is the newer, text-message form of the phishing schemes we have all become far too familiar with in our inboxes.

Many of us will see this message and immediately know it is a scam, but as phishing grows, criminals' tactics become more sophisticated and harder to spot.

The FBI's Internet Crime Complaint Center (IC3) found that phishing, including SMishing, vishing, and pharming, was one of the top cyberthreats reported in the United States in 2020.

Personally, I was getting more and more phishing text messages. There are many possible explanations for this: maybe my number was leaked onto a live list, or I unknowingly entered it on a form that sold my data. Either way, I wanted to know whether this was an isolated incident or whether others had similar experiences.

To find out, I conducted an informal survey of my fellow IronNet employees, about 100 people. As expected, over 50% of respondents reported an increase in SMishing attempts. Interestingly, however, 25% of respondents had never received a SMishing message at all.

Most telling, 1 in 4 of the respondents who shared their SMishing attempts had received a targeted message, meaning the text contained elements of personal information about them.

Anatomy of Targeted SMishing Messages

Let's break down the structure of a SMish. A typical SMish is sent to many people at once and contains a very simple URL. Although basic, it differs from its email counterpart in several important ways. The message is short and carries only one link, and because it is read on a touchscreen, the whole message is the danger zone: one mistimed tap and you have followed the link.

Yet one of the biggest challenges scammers face is flying under the radar while still getting victims to interact with the message. For now, although this is changing, we still tend to pay close attention to the text messages we receive, so we are more vigilant and less likely to interact with fraudulent ones.

But fraudsters are upping their game. Take a look at this example a colleague received. It's a little scarier. Strangely, the Gmail address is surprisingly similar to my name, which makes it hard to believe it's a coincidence. No, it was targeted.
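The traits just described (a short message, a single bare link, a link whose domain has nothing to do with the brand the text names, an urgency hook, and, for targeted messages, the recipient's own name) are exactly what a first-pass triage script can score. The following is an added example written for this page, not code from the original post or from IronNet. The brand allow-list, the scoring weights, and the threshold are assumptions; the sample messages are constructed, except the first, which is the text quoted at the top of the article.

```python
"""Heuristic SMishing triage (added example; not the original post's code).

Scores an SMS body on the traits the article describes: a short message
carrying a single link, a link whose domain does not belong to the brand
the text names, an urgency hook, and, for targeted messages, the
recipient's own name. Sample messages are constructed; SAMPLES[0] is the
message quoted in the article.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Brands commonly impersonated in delivery lures, mapped to the registrable
# domains they really use. Assumed allow-list for this example; extend it
# with the brands your users actually deal with.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "amazon": {"amazon.com"},
}

URGENCY = re.compile(
    r"\b(urgent|immediately|suspended|final notice|within \d+ hours?|action required)\b",
    re.I)
# Matches links with or without a scheme, e.g. "msiv.info/sidgnks" or
# "https://tools.usps.com/go/x"; trailing punctuation is stripped later.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

SMISH_THRESHOLD = 3  # assumed cut-off: a brand/domain mismatch alone is enough


def registrable_domain(url: str) -> str:
    """Last two labels of the host ('tools.usps.com' -> 'usps.com').
    Naive (ignores multi-label suffixes such as co.uk) but enough for triage."""
    if not re.match(r"^https?://", url, re.I):
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def smishing(self) -> bool:
        return self.score >= SMISH_THRESHOLD


def triage_sms(body: str, recipient_name: str = "") -> Verdict:
    """Score one SMS body. recipient_name lets the caller flag messages that
    address the user personally (the targeted messages the survey turned up)."""
    v = Verdict()
    text = body.lower()
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(body)]
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text)]

    # 1. The text names a brand but the link goes somewhere else entirely.
    for u in urls:
        dom = registrable_domain(u)
        for b in brands:
            if dom not in BRAND_DOMAINS[b]:
                v.score += 3
                v.reasons.append(f"names {b.upper()} but links to {dom}")

    # 2. Pressure to act now.
    if URGENCY.search(body):
        v.score += 1
        v.reasons.append("urgency wording")

    # 3. The classic shape: a short message whose only payload is one link.
    if len(urls) == 1 and len(body) < 200:
        v.score += 1
        v.reasons.append("short message with a single link")

    # 4. Personalised with the recipient's name: a sign of targeting.
    if recipient_name and re.search(rf"\b{re.escape(recipient_name)}\b", body, re.I):
        v.score += 2
        v.reasons.append("addresses the recipient by name")
    return v


# Constructed sample messages; SAMPLES[0] is the text quoted in the article.
SAMPLES = [
    "Urgent Notification regarding USPS S46K5 delivery of 05/21/21. Go to: msiv.info/sidgnks",
    "Your USPS package 9400111899223 is out for delivery. Track at https://tools.usps.com/go/TrackConfirmAction",
    "Hi Alex, your FedEx parcel is on hold, confirm address within 24 hours: fdx-redelivery.co/x9",
    "Your verification code is 123456",
]

if __name__ == "__main__":
    for s in SAMPLES:
        v = triage_sms(s, recipient_name="Alex")
        label = "SMISH" if v.smishing else "ok   "
        print(f"[{label}] score={v.score} {'; '.join(v.reasons) or '-'}  <- {s[:60]}")
```

The brand/domain mismatch carries the most weight on purpose: a legitimate USPS notice links to usps.com, and no amount of urgency wording changes that. Run stand-alone, the script flags the article's message and the constructed FedEx lure and leaves the genuine tracking notice and the one-time code alone.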

The sinister evolution of phishing

Why is SMishing becoming so popular with the criminals scamming us? Let's look at the evolution of phishing.

Although the first phishing attacks date back to 1995, phishing only became a real problem in the early 2000s, when email became a ubiquitous and trusted form of communication.

By 2005 spam was overwhelming our inboxes, and new security controls were introduced to reduce and eliminate it. As bulk spam got harder to deliver, targeted email spear phishing became a common attack vector.

I believe SMishing is following the same maturity path as email phishing and has the potential to become the next primary vector of compromise. For many of us, texting is reliable and personal. Our phones are our connection to a large part of our lives, and because of that, it is a lot easier than we would like to believe for criminals to take advantage of us.

The gap between our users' personal devices and our protected infrastructure may seem wide, but it is closing rapidly, and those devices are becoming a prime target for initial compromise.

Building protections: defending against SMishing

Most of us would like to think that the safeguards we have in place against email phishing also protect us against SMishing. That is probably not the case: mail gateways and link scanners never see a text message that lands directly on a personal phone.

Remember that 25% of IronNet employees had never even received a SMishing attempt. As attacks become more and more targeted, those who have not encountered SMishing directly will find it extremely difficult to tell legitimate messages from attacks.

The solution does not require your organization to make significant changes. Enhance your security awareness training and fold SMishing lessons into your existing phishing program.

Common Best Practices

  • Do not reply to the SMS and do not call the number in it
  • Do a quick web search for the sending number and the message text; known campaigns are often already reported
  • If the message impersonates a business, contact the company directly using a number from its website or your statement, never the one in the text
  • Do not tap any link in the message
  • Report the message: forward it to your carrier's spam short code (7726, which spells SPAM, on most US carriers) and to your security team
  • Use a VPN on mobile devices (this protects your traffic on untrusted networks; it does not stop a malicious link from loading once tapped)

From there, keep educating your staff and user base on how to identify SMishing attempts, report them, and stay vigilant.

Let's stop SMishing before it becomes as prolific as its older email counterpart.
