SMS phishing -- also known as smishing -- can have serious business consequences for both managed devices and BYOD scenarios.
Smishing is when a hacker attempts to trick a user into giving up information via a text message to a mobile device, and this trend appears to be gaining popularity. This attack vector is an offshoot of traditional email phishing and the incessant robocalls that are commonplace these days.
Why is smishing a serious threat?
One of the major reasons why smishing poses a serious threat is that mobile admins largely have no control over mobile users' SMS messaging. With smishing, the threat, vulnerability and risk are literally in the hands of end users, so everything from personally identifiable information to passwords to business intellectual property is at stake.
Smishing messages are often casual and generic, similar to traditional spam and phishing emails. They tend to use fake links to social media and other consumer-centric online experiences for bait, as shown in the following screenshots:
The most dangerous smishing attacks, however, target organization with messages that may look more legitimate to unsuspecting users. Targeted messages might take the following approaches:
- requests for password resets
- meeting requests
- multifactor authentication-related messages
- urgent requests from executives
What should IT do about smishing?
As part of its ongoing security vulnerability and penetration testing, IT should perform internal smishing in addition to internal email phishing. Many users are aware of traditional phishing approaches, but this relatively new attack vector may catch them off guard. The internal phishing provides better insight into whether an organization's end-user training efforts are working, while also revealing users who are especially vulnerable to such attacks.
The most efficient approach to perform large-scale smishing tests is to use one of the phishing training platforms provided by vendors such as Proofpoint and Lucy. These tools allow IT professionals to integrate smishing with existing email phishing efforts and take advantage of the platforms' user, template and reporting features on a large scale. For example, the following screenshot shows the SMS phishing options that Lucy offers:
When IT professionals design and carry out the internal smishing test, they must keep in mind that smishing is no different than other forms of social engineering. Criminal hackers want to prey on human gullibility and the desire for instant gratification. Smishing may be a relatively new attack vector, but IT can address users' vulnerability to this attack with the same methods it would for most other social engineering attacks.
IT should start with internal assessment of the vulnerabilities that exist within the organization. This should cover mobile user habits, common mobile apps that users work with and other organization-specific details. All of this information will help IT design the best possible phishing security strategy, including a user training program for all users, SMS filter tools and a strong mobile incident response plan.
Most organizations haven't mastered email phishing security yet, and the SMS vector is likely to prove even more difficult. However, IT can incorporate SMS messages into the fold and it will cost IT little to nothing over existing phishing efforts.