Hackers think you’re lazy, without a doubt. Why? Cybercriminals are trending toward a little-known security threat that’s surprisingly low-tech: SMS phishing, or smishing—that’s phishing attacks delivered through text messages.
You’d think a text from an unknown number containing a link would immediately raise a red flag, yet this is anything but a new threat vector: cybermiscreants have been trying to trick people through text for at least a decade. Now, hackers are smishing more than ever, and people are falling for it.
Mobile ransomware attacks sent through text messages are, according to Kaspersky Lab, up some 250 percent since January 2017. Other data indicates that the prevalence of Trojans rose and fell throughout the year, but one popular SMS mobile banking credential theft scheme led to a spike in smishing reports. In July 2017, the most active month for text phishes, 28,000 people were affected.
What is the state of SMS phishing?
Some IT security pros are tired of talking about phishing, but this conversation needs to continue because people are still clicking on malicious links in texts and emails. Hackers are lazy—they want to find the quickest, easiest way to reap profit. From the perspective of a scummy cybercriminal, why code your own malware when you can buy it cheap on the dark web? And why would you bother to run a complex scam on a company when you can use a little social engineering to steal credentials or target a completely unsecured business printer? You can’t blame them, but you can try to stop them.
While most phishing schemes are still sent through email, there are developments in the world of phishing to worry about. Whaling attempts, highly targeted social engineering attacks aimed at high-profile executives in pursuit of big financial payoffs, are on the rise. Smishing is also spreading—and it may prove more effective for hackers than email phishing.
Understand why SMS phishing is scarier than you think
What’s so scary about text messages? More importantly, who actually clicks on a link in a text message from an unidentified number? The reality isn’t that simple. Here’s why smishing could be a bigger security trend in 2018 than you think:
- There’s no spam filter for text. Email spam filters are getting smarter, and these technologies can increasingly identify messages that come from a spoofed domain, carry a high-risk sender score, or contain questionable content. In contrast, “there’s no foolproof way to block smishing messages entirely,” according to computer engineering professor Steve Wicker of Cornell University. There’s no dominant mode of filtering out SMS phishing risks except for human behavior, in all of its imperfect glory.
- URL padding is easy with text messages. Hackers are, en masse, figuring out how to use a relatively simple technique: front-loading a link with a familiar domain name, like Reddit’s or Twitter’s, so that the real destination is masked on a small screen. If a text message explains that it’s from your Aunt Sue and appears to contain a link to a Facebook photo album of family vacation photos, clicks are bound to happen.
- Mobile users are lazy, too. Security training has had some impact on people in terms of how they behave at work on computers. People tend to be careful on desktop and relax the moment they have a smartphone in their hands. Per Ars Technica, even relatively security-conscious mobile users are somehow conditioned to browse the web and think less carefully before they click on a link, compared to desktop behaviors.
SMS phishing was on the rise last year—and your employees could prove vulnerable to it, thanks to a perfect technological storm of nonexistent filtering technology, URL masking, and the fact that most people probably don’t think as hard about mobile security as about computer security.
Smash smishing fears in 3 steps
There’s reason to believe your company could face a phishing attack through text next year, so it’s wise to get prepared. Here are three ways IT can be proactive about one of the lowest-tech threats in infosec today:
- Stand up and say something: Everyone in your company needs to know that email isn’t the only vehicle for phishing, and that risks abound. Simulation has led to better results than pure awareness training when it comes to changing how people respond to phishing emails. Your company’s leadership may need extra training, considering trends toward highly targeted social engineering attacks on execs.
- Be aware of social engineering signs: Everyone with a mobile device should develop caution around text messages. Texts from numbers with four digits (like 7000) are an obvious risk. Texts that demand immediate action, like “I need your help now” or “this is important” can be signs of a socially savvy hacker. Anything with a link or request for sensitive data, even if it appears to be sent by a friend or relative, should be verified.
- Get your IT security in order: Segregate your mobile devices using technical safeguards to prevent mass infection of your network. Don’t let people put their personal smartphones on your Wi-Fi, and containerize important mobile apps. In fact, you may want to limit the type of personal apps users can download on their work smartphones just to be safe.
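The URL-padding bullet above and the social engineering signs in the second step both describe observable indicators, which makes them a natural basis for a triage rule. What follows is an added example, not code from the original article: a small Python heuristic that scores an inbound text on a short-code sender, the presence of links, a padded or look-alike hostname, urgency wording, and requests for sensitive data. The brand list, phrase lists, weights, thresholds and the three sample messages are all constructed assumptions, and the registered-domain check is a naive two-label approximation rather than a Public Suffix List lookup.

```python
"""Heuristic smishing triage for inbound SMS text (constructed example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Brands an attacker would front-load into a padded hostname (assumed list).
KNOWN_BRANDS = {"facebook.com", "twitter.com", "reddit.com", "paypal.com"}

# Pressure phrases of the "I need your help now" kind (assumed list).
URGENCY_PHRASES = ("need your help now", "this is important", "act now",
                   "immediately", "suspended", "verify now")

# Wording that asks for credentials or other sensitive data (assumed list).
SENSITIVE_PHRASES = ("password", "pin", "social security",
                     "account number", "card number")

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Verdict:
    score: int
    reasons: list

    @property
    def label(self):
        # Thresholds are assumptions; anything with a link at least needs verifying.
        if self.score >= 4:
            return "suspicious"
        if self.score >= 1:
            return "verify"
        return "low"


def registered_domain(host):
    # Naive two-label approximation; production code would use the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_padded_url(url):
    """True when a familiar brand appears in the hostname but the registered
    domain is something else, or when a long hyphen run pads the hostname so
    the real domain scrolls off a phone screen."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False
    if re.search(r"-{4,}", host):
        return True
    reg = registered_domain(host)
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        if name in host and reg != brand:
            return True
    return False


def _contains_phrase(text, phrases):
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def triage(sender, text):
    """Score one message and return a Verdict with human-readable reasons."""
    score, reasons = 0, []
    lowered = text.lower()

    if re.fullmatch(r"\d{4,6}", sender):          # short-code sender such as 7000
        score += 1
        reasons.append(f"short-code sender {sender}")

    for url in URL_RE.findall(text):
        score += 1
        reasons.append(f"contains link {url}")
        if is_padded_url(url):
            score += 3
            reasons.append(f"padded or look-alike hostname in {url}")

    if _contains_phrase(lowered, URGENCY_PHRASES):
        score += 2
        reasons.append("urgency language")

    if _contains_phrase(lowered, SENSITIVE_PHRASES):
        score += 2
        reasons.append("asks for sensitive data")

    return Verdict(score, reasons)


# Constructed sample messages (sender, body); none are real.
SAMPLES = [
    ("7000", "URGENT: your account is suspended. Verify now at "
             "http://m.facebook.com----------------account-validate.example/login"),
    ("+15555550123", "Hey it's Aunt Sue, vacation photos here "
                     "https://www.facebook.com/media/set/?set=a.1"),
    ("+15555550199", "Running 10 minutes late, start without me"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        v = triage(sender, body)
        print(f"{v.label:10s} score={v.score} from {sender}: {'; '.join(v.reasons) or 'no indicators'}")
```

The second sample scores only one point yet still lands in the "verify" bucket, which mirrors the article's advice that any link, even one apparently from a relative, is worth confirming out of band before it is tapped.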
Mobile security isn’t simple, but hackers are lazy. SMS phishing may seem like a relatively simple security threat—but don’t underestimate it in the year ahead.