SMS phishing: The mobile security risk you need to know about
Social engineering schemes targeted at executives and business decision-makers are big business for cybercriminals. The FBI reports CEO email scams cost US businesses over $360 million in 2016. However, the latest mobile security risk could land in your text message folder, not your email inbox. SMS phishing, or “smishing,” is on the rise.
Though SMS phishing is nearly a decade old, the rate of attacks is growing quickly. According to Secure List, Kaspersky Lab data suggests smishing rates increased 300 percent between April and June 2017 alone. Like phishing, smishing scams generally encourage users to click on a link or respond directly with personal information. Cybercriminals design messages to snag personal information or infiltrate company networks.
Users are growing savvier about email-based phishing attempts, and so are the spam filters of major email providers. However, mobile operating systems don’t offer spam filters for texts. Associate professor Jason Hong of Carnegie Mellon told Fortune that cybercriminals are going after mobile devices because they’re easier targets.
Smishing isn’t a mobile security risk to ignore
Wandera research estimates 81 percent of mobile phishing attempts occur outside of email. Smishing attempts can vary widely in sophistication, ranging from highly sophisticated dupes of your banking interface to less-believable messages from beautiful singles in your area. Cybercriminals’ motives also vary. You might face a mobile mirror website designed to steal your banking credentials or a social engineering-based attack with a goal of collecting embarrassing information to blackmail you.
Unlike emails, SMS messages aren’t filtered by sender score or perceived spam risk. Even more concerning, it’s often impossible to verify the legitimacy of a URL with an SMS link because of URL padding. Ars Technica reports some security researchers believe even security-conscious mobile users are conditioned to browse and click links more casually on mobile than they do on desktops.
The following are five ways to manage your smishing risks:
1. Raise employee awareness
Though smishing has recently made headlines, it’s vital for C-level executives to make sure employees are up-to-speed on the very real risk of smishing attempts. Going beyond classroom training to offer simulation exercises is crucial to affecting user behavior and knowledge of information security threats. A survey by Wombat Security Technologies estimates 52 percent of US-based employees can’t even guess what ransomware is.
2. Know smishing signs
The skyrocketing rate of whaling — social engineering-driven phishing attempts targeting C-level executives — could point to a higher risk of smishing among decision-makers. Awareness of smishing warning signs should start at the top, with company-wide guidance to avoid engaging with suspicious texts. The following are some smishing signs and how to deal with them:
- Urgent messages asking for an immediate response or linking to an offer that must be redeemed immediately should be treated with suspicion.
- Texts from numbers that begin with “5000” are likely signs of a web-to-SMS service and should be approached with caution.
- Verify texts from friends or family that contain a link before clicking.
- Use a phone call to determine the legitimacy of text messages that ask for money, sensitive information or a link to enter login credentials.
3. Ensure technical safeguards are in place
The right mobile security tools can mitigate the risk of data loss from smishing. Though user awareness is key, limiting access to email, network data and mobile applications through containerization and file-level encryption can protect your network.
4. Avoid app downloads
Users should be educated to avoid downloading apps from SMS links. Your written security policy should address the risks associated with downloading app content from anywhere other than official app stores or your organization’s app store.
5. Report smishing
Reporting smishing attempts to the Federal Trade Commission could protect others and lend important transparency to this growing cybercrime method.
Don’t fall into the mobile trust trap
Smishing is a very real mobile security risk. It’s increasingly popular among cybercriminals because of users’ laid-back approaches to texting and general lack of awareness. It’s important to exercise the same caution on your phone as your PC. Awareness initiatives and mobile security measures are key to protecting your enterprise from smishing.