Whenever cybersecurity professionals successfully raise awareness of some threat, cybercriminals always respond by quickly evolving their tactics.
Considering how much has been said and written about phishing, the social engineering attack involving fraudulent email messages, it probably won’t surprise you to learn that a new form of phishing already exists and is costing organizations a lot of money.
This new threat is called SMS phishing, or smishing for short, and there’s a good chance that your organization has already become its target because SMS phishing attacks are on the rise. So, what is smishing in cyber security?
What Is SMS Phishing (Smishing)?
Smishing in cyber security can be defined as a social engineering attack carried out over mobile text messaging. The term is also more loosely used to describe text-based social engineering attacks that are performed using instant messaging apps like WhatsApp, Viber, and Messenger.
All smishing attacks revolve around fraudulent messages that are crafted (sometimes more and sometimes less carefully) to trick their recipients into doing something that’s against their best interest. In general, cybercriminals want the victims of smishing to:
Smishing attacks are so effective that the FBI’s Internet Crime Complaint Center has recently issued a warning about them. According to American enterprise security company Proofpoint, smishing attacks increased 700 percent in the first six months of 2021, and the trend is expected to continue in 2022.
How Does SMS Phishing Work in Practice?
Smishing is one of those cyber threats whose effectiveness has a lot to do with their simplicity and the fact that they exploit the weakest link in any cybersecurity chain: people.
Let’s take a closer look at smishing attack examples to better explain why it’s so easy to fall for this type of scam:
- A victim receives a text message from a number that seems to match the customer support numbers used by a delivery company like FedEx.
- The text message is well-written, and it contains basic information about a package and a short link. The victim is encouraged to click the link to set their delivery preferences.
- When the victim clicks the link, they’re taken to a real-looking FedEx login page and instructed to enter their login credentials or create a new account. The login page is, of course, fake, and the login credentials are sent directly to the attacker.
A smishing attack like this can be executed on a large scale to target hundreds or thousands of victims at the same time, and it exploits both trust (a seemingly legitimate phone number) and context (there’s a good chance that the victim is actually expecting a package).
Besides large-scale smishing attacks, cybercriminals also sometimes unleash targeted smishing attacks on high-profile victims, typically after weeks or even months of reconnaissance. Such attacks are often supported by voice phishing, or vishing, a scam in which attackers talk to the victim directly over the phone to manipulate them and increase the sense of urgency.
What Can Be Done About SMS Phishing?
Unlike malware, smishing and all other social engineering attacks are effective only when their victims fail to identify them.
To counter these attacks, organizations should start by stepping up employee cybersecurity training. Employees should be taught to never take any text message that contains a link to a website or requests some kind of personal information at face value.
When in doubt, it’s always best to contact the organization the text message claims to come from directly, using the contact information provided on its official website rather than anything in the message itself.
Multi-factor authentication (MFA) can stop cybercriminals who manage to successfully obtain login information from an unsuspecting victim by requiring at least one additional verification factor to be presented.
Last but not least, organizations should require their employees to immediately report all smishing attempts to the IT department, which can then issue company-wide alerts and report the scam to the Federal Trade Commission (FTC).
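The indicators the article describes (a link, often shortened; a request for login details or personal data; a brand the sender impersonates; urgency) can be turned into a simple triage score that an IT department might run over reported messages. The following is an added example, not code from the original article; the sender numbers, the shortener list and the sample messages are all constructed for the illustration, and the score is a reporting aid, not a substitute for verifying with the organization through its official website.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the article: a link (especially a shortened one that hides its
# destination), a request for credentials or personal data, urgency, and an impersonated
# brand sent from a number the organization does not use.
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
SHORT_LINK_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}          # assumption: common shorteners
CREDENTIAL_WORDS = ("log in", "login", "password", "verify your account", "social security")
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "final notice")
BRANDS = ("fedex", "ups", "usps", "dhl")                                 # constructed brand list

# Constructed directory of numbers each brand is known to text from (placeholders, not real).
KNOWN_SENDERS = {"fedex": {"+15550100"}, "ups": {"+15550101"}}


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def score_sms(text: str, sender: str, known_senders: dict = KNOWN_SENDERS) -> Verdict:
    """Return one point per smishing indicator present in the message."""
    reasons = []
    lowered = text.lower()
    hosts = [h.lower() for h in URL_RE.findall(text)]
    if hosts:
        reasons.append("contains a link")
    if any(h in SHORT_LINK_HOSTS for h in hosts):
        reasons.append("shortened link hides its destination")
    if any(w in lowered for w in CREDENTIAL_WORDS):
        reasons.append("asks for credentials or personal data")
    if any(w in lowered for w in URGENCY_WORDS):
        reasons.append("applies urgency pressure")
    brand = next((b for b in BRANDS if b in lowered), None)
    if brand and sender not in known_senders.get(brand, set()):
        reasons.append(f"mentions {brand} but sender is not a known {brand} number")
    return Verdict(score=len(reasons), reasons=reasons)


def flag_messages(messages: list, threshold: int = 2) -> list:
    """Return the indices of (sender, text) pairs whose score reaches the threshold."""
    return [i for i, (sender, text) in enumerate(messages) if score_sms(text, sender).score >= threshold]


# Constructed sample messages: a delivery-themed smish like the article's example, then two benign texts.
SAMPLES = [
    ("+15550199", "FedEx: your package is on hold. Log in within 24 hours to set delivery preferences: https://bit.ly/abc12"),
    ("+15550100", "FedEx: your package was delivered at 2:14 PM."),
    ("+15550123", "Running late, see you at 7."),
]
```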
Conclusion on SMS Phishing
SMS phishing, commonly referred to simply as smishing, is a relatively unknown social engineering threat that’s responsible for more and more cybersecurity incidents.
Instead of passively waiting for their first close encounter with it, organizations should start preparing right now by educating their employees and reviewing cybersecurity best practices, such as multi-factor authentication (MFA).