Getty Images

Tip

How text message phishing can affect the enterprise

Text phishing, or smishing, is an increasing occurrence across enterprises. However, IT can neutralize this threat with the right policies and practices.

Phishing is a digital threat that has grown since the birth of the internet, and it has evolved to encompass a broader range of endpoints and vectors.

An organization's security strategy needs to encompass the potential for phishing attacks from all sorts of methods, including texts and phone calls on mobile devices.

Phishing targets victims via email, texting and other forms of messaging to pose as a legitimate organization to get a victim to reveal credit card details, passwords or additional sensitive information.

As a method of cyber attack, phishing began with the birth of email and the commercial internet in the mid-1990s. This type of hacking continues to grow into the 2020s, with social media, voice and phishing text messages becoming the most popular attack mechanisms.

Why is text phishing rising in popularity?

Phishing text messages are a logical evolution of the spoofing phenomenon. SMS or text phishing, often called smishing, targets victims via text messaging rather than the traditional email approach.

The COVID-19 pandemic has led to many employees working from home, further separating them from an IT department, the corporate network and organizational security protocols. This opens up a new level of threat for mobile phishing scams. 

Smishing attacks are soaring, with criminals impersonating everything from banks to governments. The goals of these attacks range from accessing people's bank information to downloading malware onto users' cellphones. However, from an organization's perspective, the biggest risk is hackers infecting the corporate network.

Smishing attacks have increased nearly 700% in the first six months of 2021, according to software company Proofpoint. In addition, 45% of people reply to texts, whereas just 6% respond to email messages, according to Gartner. This makes smishing a prime attack vector for hackers. 

A phishing text message can resemble an innocent notification that someone might receive from a package delivery company, a bank or a local government agency. The aim is to get you to click on a malware link embedded in the text or reply with bank details, a social security number or other private information.

A diagram displaying the prevalence and success of phishing attacks.

Although IT can block most mobile-focused malware with commonplace Android and iOS security features, no security can defend against a user who is happy to send their information to an undisclosed number.

What should a user do when they receive a phishing text?

While smishing is a social engineering attack vector and IT can't easily prevent it with a security program, the responsibility often falls on IT administrators to ensure that users know how to recognize phishing attempts and what to do when they get them.

Many workers don't understand the nature of phishing. In a 2020 survey from Proofpoint, only 52% of U.S employees could accurately describe phishing. Just recently, dozens of American universities received emails purportedly about the omicron variant of COVID-19 that turned out to be malicious phishing attempts to gain access to login credentials. These attacks preyed on user uncertainty, but a well-trained user could recognize these attempts for what they were. 

If a user receives a phishing text while working, the first and most important step is to not respond to the contents or prompts. Do not click on any links contained in the message. These could contain malware or take the user to a site that will ask for more private details. Do not respond to the sender in any way.

If a user receives a phishing text while working, the first and most important step is to not respond to the contents or prompts.

Then, the user should immediately report a smishing attack to the IT department at their organization. This is especially important if the device they're using is a corporate cellphone. Any organization's BYOD policy should include specific guidelines about cyberthreats and smishing.

Cybersecurity training should be compulsory for all workers in an organization. An organization can run anything from surveys to in-person training sessions to ensure that employees are up to date on phishing, smishing and other security threats.

IT departments can even run an internal phishing campaign, an in-house social engineering attack that serves to see who would fall for a phishing attack. This gives IT a sense of how many users would expose themselves to a phishing attempt from an outside source. Then, IT can have any employees who fail go through additional training to emphasize the importance of phishing security.

IT should train employees on how to use company-approved file hosting services, such as Dropbox or Google Drive, rather than emailing large files to other team members. This will create fewer opportunities for outside actors to access these important internal files. 

Organizations should also make corporate databases and networks accessible to as few individuals as possible within the organization. This will help limit or eliminate the number of ransomware attacks caused by smishing or other means.

Next Steps

AT&T data breach: What's next for impacted customers?

Dig Deeper on Mobile security