Smishing threats: How to protect your business from SMS phishing

Kasper Viio | Mon Nov 17 2025 | 4 min read

Your phone buzzes. It's a text message urging you to verify your company's bank account immediately. You click the link and sign in. Within hours, funds have been siphoned out without your knowledge. This is an example of an SMS phishing, or smishing, attack.

Falling for a smishing message can have serious consequences. If attackers obtain a set of user credentials, they can potentially access your systems, and a single attack can compromise your entire network. The fallout can include:

  • Data breaches that result in customer information falling into criminal hands.
  • Financial losses from fraudulent transactions.
  • Regulatory sanctions for lapses in security and failure to keep data safe.
  • Reputational damage that tarnishes your brand and undermines the trust of customers and partners.

What is smishing?

Smishing is social engineering via text message. Like phishing emails, smishing messages are designed to deceive the recipients into divulging sensitive information or installing malware.

Whereas phishing emails target your inbox and vishing uses phone calls, smishing exploits the immediacy of SMS. Common smishing tactics include:

  • Urgent alerts: "Your account will be suspended in 10 minutes unless you sign in to verify it."
  • Fake delivery notifications: "Package delivery failed. Reschedule now."
  • Prize scams: "Congratulations! Claim your reward immediately."
  • Technical support fraud: "Your device is infected with malware. Click here to remove it."

Like phishing emails, smishing messages often impersonate trusted organizations, such as familiar brands, service providers, or government agencies. Alternatively, they pretend to be someone the recipient knows personally, such as a friend, colleague, or family member.

Smishing red flags

Smishing messages often have the following characteristics:

  • Urgency: A problem needs your immediate attention.
  • Clear or implicit threat: If you don't act quickly, there could be unpleasant consequences for you or someone you know.
  • Sudden requests for sensitive information: You need to sign in to your account using the link provided, or reply with an authentication code sent to you in a separate message.
  • Spelling mistakes, bad grammar, or sloppy writing: The message doesn't read as though a professional marketing or communications team wrote it.

Why is smishing so effective?

Many people find text messages more personal and urgent than emails. As a result, they tend to read text messages promptly and act on them hastily.

At the same time, smishing messages may lack some of the red flags that make phishing emails identifiable. For example:

  • Suspicious sender numbers are harder to recognize than strange email addresses.
  • The absence of graphics means there are no tell-tale fuzzy logos or distorted branding.
  • Small mobile screens make it harder to spot mistakes in spelling and grammar.
  • Shortened URLs hide the destinations of links.
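
The red flags and the shortened-URL problem listed above can be turned into a first-pass triage check for text messages that staff report to a security team. The following Python sketch is an added example, not part of the original article or any Cybercheck product; the keyword patterns, the shortener list, the `known_domains` parameter, and the sample messages are all assumptions constructed for illustration.

```python
import re

# Keyword patterns and the shortener list are illustrative assumptions;
# tune them against messages actually reported in your organization.
FLAGS = {
    "urgency": re.compile(
        r"\b(immediately|urgent|now|(?:in|within) \d+ (?:minutes?|hours?))\b", re.I),
    "threat": re.compile(r"\b(suspended|locked|blocked|infected|failed)\b", re.I),
    "request for sensitive information": re.compile(
        r"\b(sign in|log ?in|verify|password|pin|authentication code)\b", re.I),
}
# Matches bare links too, because SMS links often omit the scheme.
LINK = re.compile(r"\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def triage(message, known_domains=()):
    """Return (score, reasons) for one reported SMS; higher means review first."""
    reasons = [name for name, pattern in FLAGS.items() if pattern.search(message)]
    for match in LINK.finditer(message):
        host = match.group(1).lower()
        if host in SHORTENERS:
            reasons.append(f"shortened URL hides destination ({host})")
        elif not any(host == d or host.endswith("." + d) for d in known_domains):
            reasons.append(f"link to unrecognized domain ({host})")
    return len(reasons), reasons

# Constructed sample messages, modelled on the tactics listed in this article.
SAMPLES = [
    "Your account will be suspended in 10 minutes unless you sign in "
    "to verify it: https://bit.ly/x9",
    "Package delivery failed. Reschedule now: parcel-redelivery.example/track",
    "Reminder: team lunch is at noon on Friday.",
    "Your invoice is ready at portal.corp.example/invoices",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        score, reasons = triage(sms, known_domains={"corp.example"})
        print(score, reasons, "<-", sms)
```

A score like this only orders the review queue: a well-written message with no keywords still scores low, so reported messages need human review regardless of score.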

How to protect your organization from smishing attacks

To protect your organization:

  • Provide regular security awareness training: Ensure everyone in your organization knows how to recognize suspicious messages and report them to your security team. Send simulated smishing messages to help people stay alert.
  • Report smishing attempts: Encourage everyone to report suspected smishing messages to your InfoSec team and your mobile carrier. In many countries, you can report smishing messages by forwarding them to the number 7726, which spells SPAM on a keypad.
  • Define your mobile security policy: Provide clear guidelines for handling business-related text messages.
  • Always verify requests for money or sensitive information: Before replying, always use a second channel to make sure the request is genuine. Never rely on text messages alone.
  • Implement technical safeguards: Deploy mobile device management solutions and keep all devices updated and patched.
  • Use a cyber threat intelligence (CTI) and credential monitoring solution: CTI solutions such as Cybercheck continuously monitor for exposed credentials and personal data. Knowing your personal data is in criminal hands means you can take proactive steps to prevent an attack, for example changing passwords, blocking cards, or locking down access. That means you can stop attacks before they happen.
