There are many different types of social engineering attacks. From phishing to spear-phishing and vishing, the list keeps growing. One common type of social engineering is smishing. Smishing is a technique in which hackers use a compelling text message to trick their victims into taking an unwanted action. Most likely, you’ve received a smishing attack on your personal mobile device. But did you know these attacks target businesses too? In this blog post, we will outline how it works and how best to prevent it from impacting your business.
How It Works
The word smishing is a combination of Short Message Service (SMS) + phishing. Both techniques are designed to send convincing messages that entice users to take an unwanted action: smishing via text message and phishing via email. Smishing can be sent to anyone with a valid phone number.
Hackers know that people are more inclined to quickly view and answer text messages than their emails. Once a person’s guard is down, hackers can convince them to act quickly without thinking. These messages are always going to look and feel urgent. Hackers want you to act before you think, which is why many smishing attacks are successful.
Smishing is an increasingly popular form of cybercrime. According to Proofpoint’s 2023 State of the Phish report, 76 percent of organizations experienced smishing attacks in 2022.
Hackers look to achieve several goals with smishing. The most common are:
Not all smishing is delivered via a text message. With the variety of messaging apps on your phone, hackers have a ton of choices on the channel they use to deliver their compelling trick.
It’s easy for a hacker to look like someone else in a smishing attack. That’s because most SMS messages are not authenticated and can be sent by anyone without validation of the sender. Here are a few of the techniques hackers use to deliver the attack:
Message spoofing: A hacker uses special tools or services to spoof or mimic the number of a trustworthy person or service.
Automated Vishing: A smishing attack might ask you to call back a phone number or provide a PIN or password to “confirm” your information.
Two-Factor Tricksters: Certain smishing attacks focus on tricking you into giving up your multi-factor code.
How to Protect Your Business?
Opt out of opting out! The best action is no action. Don’t reply to an unsolicited message, since that will confirm your real number, leaving you as a target for additional attacks. If you get an unsolicited message, your first reaction should always be to stop and think if it’s legit. Never give away sensitive information via a text or messaging app. Always be vigilant: if there’s a link in the message, don’t click it. If you’re concerned about the authenticity of a message, directly contact the service or person trying to interact with you.
If you aren’t sure whether a message is a smishing attack, don’t hesitate to ask for help. You might not be the only one being targeted, and asking can help prevent your colleagues from becoming victims. As a Managed Services Provider, we offer Security Awareness Training so that professionals can stay up-to-date on the latest threats. Learn more about our training or contact us for more information.