
SMS Phishing (Smishing) Examples and Defenses

Writer: Blue Viper

Smishing is phishing via Short Message Service (SMS) on a device, typically a cell phone.


Since SMS in its current form is not authenticated beyond the sending telephone number, anyone receiving an SMS can only hope that the message was indeed sent from that number. With a growing number of applications allowing SMS messages to be sent from spoofed numbers, it is becoming harder to know whether a sender is who they claim to be.


Recently, we have seen a major uptick in SMS phishing attacks including messages posing as the IRS, various Accounts Payable and Accounts Receivable departments, and even an organization's internal team members. These attacks are designed to pique your curiosity and appeal to your emotions with the hope of getting you to respond.


Take the example below, recently received by one of our customers.


Hi Patrick, this is Brian (CEO) - I'm on a conference call right now, but please let me know if you received my text. I have an urgent matter I need assistance with. Thanks!

Notice the keywords appealing to emotion: it's the CEO texting directly for help on an urgent matter! Once Patrick responds, whoever is on the other side knows the bait has been taken and can continue with the attack. This can range from delivering spam or malicious links to more serious requests for sensitive information, or even financial transfers such as wires/ACH, gift cards, or P2P payments through CashApp, Venmo, or PayPal.


Below is a list of measures to help defend yourself against SMS phishing attacks:

  • Do not respond to texts from unknown numbers or any others that appear suspicious.

  • Never share sensitive personal or financial information by text.

  • Be on the lookout for misspellings or texts that originate from an email address.

  • Think twice before clicking any links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren't hacked.

  • If a business sends you a text you weren't expecting, look up their number online and call them back.

  • Remember that government agencies almost never initiate contact by phone or text.
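The cues above (urgency, a claim of authority from an unrecognised number, a "did you get my text?" bait, links, payment or credential requests, and senders that are email addresses) can be turned into a simple triage score for an SMS security gateway or a user-reporting tool. The Python below is an added example and is not code from the Blue Viper post; the keyword lists, weights, thresholds, phone numbers and sample messages are all constructed for illustration and would need tuning on real traffic. The first sample is the CEO message quoted earlier.

```python
import re
from dataclasses import dataclass, field

# Signal lists are constructed for this example; they mirror the cues the post
# describes: urgency, authority, payment or data requests, links, email-origin senders.
URGENCY = ("urgent", "right now", "immediately", "asap", "today", "within 24 hours")
PAYMENT = ("wire", "ach", "gift card", "gift cards", "cashapp", "venmo", "paypal", "invoice")
SENSITIVE = ("password", "ssn", "social security", "account number", "verify your", "login")
AUTHORITY = ("ceo", "cfo", "irs", "accounts payable", "accounts receivable", "your bank")

URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)
SHORTENER_RE = re.compile(r"\b(bit\.ly|tinyurl\.com|t\.co|is\.gd)/", re.IGNORECASE)
EMAIL_SENDER_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# "Did you get my text?"-style bait: the sender only wants proof the number is live.
BAIT_RE = re.compile(r"let me know if you (got|received)|are you available|text me back",
                     re.IGNORECASE)


def _hits(text: str, terms: tuple[str, ...]) -> list[str]:
    """Return the terms present as whole words/phrases (so 'ach' does not match 'reach')."""
    return [t for t in terms if re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE)]


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

    @property
    def action(self) -> str:
        # Thresholds are an assumption for this example.
        if self.score >= 6:
            return "quarantine_and_report"
        if self.score >= 3:
            return "flag_for_user_review"
        return "deliver"


def triage_sms(sender: str, body: str, known_contacts: set[str]) -> Verdict:
    """Score one inbound SMS; higher means more smishing indicators."""
    v = Verdict()
    sender_known = sender in known_contacts
    if EMAIL_SENDER_RE.match(sender):
        v.add(3, "sender is an email address (email-to-SMS gateway)")
    elif not sender_known:
        v.add(1, "sender not in known contacts")
    auth = _hits(body, AUTHORITY)
    if auth and not sender_known:
        v.add(3, f"claims authority ({', '.join(auth)}) from an unrecognised sender")
    if (urg := _hits(body, URGENCY)):
        v.add(2, f"urgency language: {', '.join(urg)}")
    if (pay := _hits(body, PAYMENT)):
        v.add(2, f"payment request: {', '.join(pay)}")
    if (sens := _hits(body, SENSITIVE)):
        v.add(2, f"asks for sensitive information: {', '.join(sens)}")
    if URL_RE.search(body):
        v.add(2, "contains a link")
        if SHORTENER_RE.search(body):
            v.add(1, "link uses a URL shortener")
    if BAIT_RE.search(body):
        v.add(1, "asks for a reply confirming receipt (response bait)")
    return v


# Constructed sample traffic. The first body is the message quoted in the post;
# the numbers and the remaining messages are made up for this example.
KNOWN_CONTACTS = {"+15550101"}
SAMPLES = [
    ("ceo_impersonation", "+15550100",
     "Hi Patrick, this is Brian (CEO) - I'm on a conference call right now, but please "
     "let me know if you received my text. I have an urgent matter I need assistance with. Thanks!"),
    ("friend_running_late", "+15550101", "Running 10 min late, see you at the cafe"),
    ("irs_refund_lure", "refund-notice@example.com",
     "IRS: Your refund of $1,240 is pending. Verify your account today: http://example.com/refund"),
    ("friend_odd_link", "+15550101", "check this out http://bit.ly/abc123"),
]


def run_samples() -> dict[str, Verdict]:
    return {name: triage_sms(sender, body, KNOWN_CONTACTS) for name, sender, body in SAMPLES}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: score={verdict.score} action={verdict.action}")
        for reason in verdict.reasons:
            print(f"    - {reason}")
```

The fourth sample shows why the contact list alone is not enough: a link from a known friend still earns a review flag, which is the "call them to make sure they weren't hacked" step from the list above rather than an automatic block.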

A robust, ongoing security awareness training program is the best defense against SMS-based phishing, as well as other forms of attack.


Contact Blue Viper

Contact Blue Viper for help in crafting your security awareness training program and strengthening your organization's cybersecurity posture.


As always, stay vigilant.
