Buzz. Buzz. Buzz.
You pull your phone from your pocket to see the little red notification of a text message: "Urgent notification regarding the USPS delivery S46K5 from 5/21/21. Go to: msiv.info/sidgnks"
At first glance it doesn’t appear to be anything more than a simple delivery message, but clicking the link can have significant negative repercussions for your personal and financial security.
This is a common SMishing message. SMishing (SMS phishing) is a newer form of the phishing schemes we’ve all become too familiar with in our email inboxes.
Many of us will see this message and immediately know it is a scam, but as phishing grows, cyber criminals’ tactics become more sophisticated and harder to spot.
The FBI’s Internet Crime Complaint Center found that phishing (including SMishing, vishing, and pharming) was one of the leading cyber threats to the US in 2020.
Personally, I was getting more and more SMS phishing text messages. There are many explanations for this: maybe my number got leaked to a live list, or I unknowingly added my number to a form that sold my data. Either way, I wanted to know if this was an isolated incident or if others were having similar experiences.
To find out, I held an informal survey of my fellow IronNet employees, roughly 100 individuals. Predictably, over 50% of respondents saw an increase in SMishing attempts. Interestingly, however, 25% of those surveyed had never received a SMishing message.
Most telling, 1 in 4 respondents who shared SMishing attempts appeared to have been targeted, meaning the text contained elements of personal information about them.
Anatomy of targeted SMishing messages
Let’s break down the structure of a SMish. A typical SMish targets multiple people at once and includes a very simple URL. Although basic, this SMish has several important distinctions that separate it from its email counterparts. For instance, the message itself is small and includes only a link. But because these are designed for touchscreens, the ‘danger zone’ is the entire message: one accidental touch at the wrong moment and you’ve triggered the action.
Yet one of the biggest challenges scammers face is flying under the radar while still getting victims to interact with the message. Right now, although this is changing, we still tend to pay a great deal of attention to the text messages we receive. We’re more vigilant and less likely to interact with fraudulent messages.
But attackers are upping their game. Take a look at this example a colleague received. It is a bit more frightening. Eerily, the Gmail address is strikingly similar to my name, making it hard to believe this is a coincidence. No, it was targeted.
Sinister evolution of phishing
Why is SMishing becoming such a popular way for criminals to scam us? Let’s look at the evolution of phishing.
While the first phishing technique can be traced back to 1995, it didn’t become a true problem until around 2000, when email became a ubiquitous and trusted form of communication.
By 2005, spam was overwhelming our inboxes, and new security controls were introduced to reduce and eliminate it. From this point on, email spear phishing grew into a common attack vector.
I believe that SMishing runs a parallel maturity path to email and has the potential to be the next primary compromise vector. To many of us, text messages are trustworthy and personal. Our phones are our connection to so much of our lives. And because of that, it’s much easier than we’d like to believe for criminals to take advantage of us.
While the gap between our users’ personal devices and our protected infrastructure feels wide, it is closing quickly, and those devices are becoming a prime target for initial compromise.
Building protections: Defending against SMishing
Most of us would like to think that the safeguards we put in place for email phishing would protect us against SMishing. Yet that’s unlikely to be the case.
Remember, 25% of the IronNet employees surveyed had never even received a SMishing attempt. As attacks become more and more targeted, those who have not encountered SMishing directly will find it extremely difficult to tell legitimate messages from attack attempts.
The solution doesn’t require your organization to make significant changes. Simply amp up your security training and incorporate SMishing lessons into your existing phishing training.
Common best practices
- Do not reply to the text message or call the number
- Conduct a quick web search of the number and the message’s content
- If the message is spoofing a company, call the company directly
- Do not click on any links in the messages
- Utilize a VPN on mobile devices
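As an added illustration (not code from the original post or from IronNet), the following Python scores a text message against the indicators described above: urgency wording, a bare link, a tracking-number lookalike, and a named company whose link points somewhere other than the company’s own domain. The sample messages and the brand-to-domain allow-list are constructed for the demo.

```python
import re

# Constructed sample texts for the demo (not real campaign data). The first
# mirrors the shape of the USPS message quoted at the top of the post.
SAMPLES = [
    "Urgent notification regarding the USPS delivery S46K5 from 5/21/21. "
    "Go to: msiv.info/sidgnks",
    "Your dentist appointment is tomorrow at 9am. Reply C to confirm.",
    "USPS: your package is out for delivery. Track it at usps.com/track",
]

# Assumed allow-list: brands a message might name and the domains they really use.
BRAND_DOMAINS = {"usps": {"usps.com"}, "fedex": {"fedex.com"}, "ups": {"ups.com"}}

URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify|final notice|act now)\b", re.I)
# Bare or schemed hostnames such as msiv.info/sidgnks or https://usps.com/track.
LINK = re.compile(r"\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
# Tracking-number lookalikes: 5+ upper-case alphanumerics mixing letters and digits.
TRACKING_TOKEN = re.compile(r"\b(?=[A-Z0-9]*\d)(?=[A-Z0-9]*[A-Z])[A-Z0-9]{5,}\b")


def domain_belongs_to(domain, good_domains):
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == g or domain.endswith("." + g) for g in good_domains)


def score(text):
    """Return (points, reasons) for one SMS, one point per indicator found."""
    reasons = []
    domains = [m.group(1).lower() for m in LINK.finditer(text)]
    if URGENCY.search(text):
        reasons.append("urgency language")
    if domains:
        reasons.append("contains a link")
    if TRACKING_TOKEN.search(text):
        reasons.append("tracking-number lookalike")
    for brand, good in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", text, re.I) and domains and \
                not all(domain_belongs_to(d, good) for d in domains):
            reasons.append(f"names {brand} but links elsewhere")
    return len(reasons), reasons


def classify(text):
    points, _ = score(text)
    return "likely smishing" if points >= 3 else "review" if points else "clean"


if __name__ == "__main__":
    for msg in SAMPLES:
        points, reasons = score(msg)
        print(f"{classify(msg):16} {points} {reasons}")
```

The allow-list check is what turns "names USPS" from noise into a signal: the legitimate sample links to usps.com and scores low, while the lookalike links to an unrelated domain.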
From there, continue to educate your staff and user base on how to identify SMishing attempts, report attacks, and stay vigilant.
Let’s put a stop to SMishing before it becomes as prolific as its older phishing counterpart.