Smishing, The New Phishing

22nd September 2020 | Blog

Many people know about Phishing, a form of social engineering to deceive individuals into doing a hacker’s bidding. Hackers convince users to click on malicious links in an email resulting in malicious file downloads or redirection to credential-stealing websites. Smishing is a lesser-known form of phishing that targets smartphone users via text or SMS messages. When it’s successful, smishing tricks the recipient into taking some action. Like a phishing attack, it could be visiting a fraudulent site and giving up your credentials or downloading a rogue application that can compromise your phone or steal personal information. Simply put, smishing is phishing through text messages.

Why Smishing, Not Phishing?

Hackers are continually finding new ways to attain user’s data. Hackers are using smishing because people tend to be more inclined to trust a text message than an email. Most people are aware of the security risks involved with clicking on links in emails, this is less true when it comes to text messages. A study presented by TechTalk showed that 98% of common text messages are read and 20% are responded to, where 45% of common emails are read and only 6% are responded to. It should come as no surprise that hackers are turning to smishing attacks with increasing frequency.

Smishing Recommendations

In general, you don’t want to reply to text messages from people you don’t know. That’s the best way to remain safe. This is especially true when the text comes from a phone number that doesn’t look like a phone number, such as “5000”, or “452-981” number. This is a sign that the text message is actually just an email sent to a phone. You should exercise basic precautions when using your phone such as:

Don’t click on links you get on your phone unless you know the person they’re coming from. Even if you get a text message with a link from a friend, consider verifying they meant to send the link before clicking on it.
A full-service Internet security suite isn’t just for laptops and desktops. It also makes sense for your mobile phone. A VPN such as ‘Norton Secure VPN’ is also an advisable option for your mobile devices. This will secure and encrypt any communication taking place between your mobile and the Internet on the other end.
Never install apps from text messages. Any apps you install on your device should come straight from the official app store. These programs have vigorous testing procedures to go through before they’re allowed in the marketplace. If you have any doubts about the safety of a text message, don’t even open it.
If you receive a text message mentioning you should update settings or unsubscribe to a service that you haven’t signed up for, ignore the message. If you see any unauthorized charges on your credit card or debit card statement, take it up with your bank or credit card. They’ll be on your side.

Almost all of the text messages you get are going to be totally fine. But it only takes one bad one to compromise your data and security. With just a little bit of common sense and caution, you can make sure that you don’t become a victim of smishing.

Further Cybersecurity Recommendations

Not only should you follow the previous Smishing security recommendations, but there are other ways CyberHoot recommends to help stay secure in your day to day lives online:

Train employees on cybersecurity basics, helping them become more aware of the threats they face when interacting online. (Phishing, Smishing, Social Engineering)
Periodically Phish Test Employees (at least annually, but preferably quarterly or monthly)
Be wary of public, unsecured WiFi (use a VPN if dealing with sensitive information)
Guide employees with cybersecurity policies, following NIST Guidelines (WISP, Acceptable Use, Password Policy, etc.)
Employ a Password Manager, require it in your Password Policy, demand strong password hygiene in your employees and business
Enable Two-Factor Authentication wherever possible and especially on all Internet-facing services you use (O365, Salesforce, Finance apps. etc.)
Work with your IT staff or third-party vendors to ensure your critical data is being encrypted at rest and in transit (ensure keys are strong and passwords long)
Regularly back up critical data following the 3-2-1 methodology
Use the principle of least privilege
Patch your systems regularly and triage critical vulnerabilities using a repeatable process with established timelines based upon threat levels
Stay current with the always-changing cyber threats
Consider hiring a virtual Chief Information Security Officer (vCISO)

By implementing these measures at your business you’ll become more aware and more secure. You can take comfort knowing your company is prepared for these attacks.