SMS phishing: The lazy hacker’s weapon of choice

August 10, 2018 4 Minute Read

There’s no doubt about it—hackers think you’re lazy. Today’s cybercriminals are trending toward a little-known security threat that’s surprisingly low-tech: SMS phishing, or “smishing.” As the name suggests, hackers using this technique infiltrate devices via links contained in text messages to unsuspecting users.

Apparently for many, texts from unknown numbers fail to raise any red flags, even if those texts contain links. This isn’t exactly a new threat vector, either—as far back as 2006, McAfee advised cell phone users to be wary of “SMiShing attacks.” The main difference now is that smishing happens more often, with more people than ever falling for the bait. According to an analysis by global security company Kaspersky Lab, worldwide mobile ransomware increased by 250 percent in the first half of 2017 alone and roughly 28,000 people fell victim to text phishing in July 2017.

Measure the current state of SMS phishing

Some IT security pros are already tired of talking about phishing, but it’s a conversation that needs to continue, because people are still clicking on malicious links in texts and emails. In reality, it’s the hackers who are lazy—they want to find the quickest, easiest way to reap a profit. From the perspective of a scummy cybercriminal, why code your own malware when you can buy it for cheap on the dark web? And why would you bother to run a complex scam on a company when, with a little social engineering, you can easily steal user credentials or target a completely unsecured business printer? You can’t blame them, but you can try to stop them.

While most phishing schemes are still sent through email, there are new developments in the world of phishing to worry about. Whaling attempts, or highly targeted social engineering attacks directed at high-profile executives with big financial goals, are on the rise. Smishing is also spreading—and it may yet prove more effective for hackers than email phishing.

Realize that SMS phishing is scary

What’s so scary about text messages? More importantly, who actually clicks on a link in a text message from an unidentified number? The answers aren’t as simple as they appear. Here’s why smishing could be a bigger security issue than you think:

  • There’s no spam filter for text. Email spam filters are getting smarter, and these technologies can increasingly identify messages that are sent from a spoofed domain, have a high-risk sender score, or contain questionable content. In contrast, “there’s no foolproof way to block smishing messages entirely,” according to computer engineering professor Steve Wicker of Cornell University. There’s no technique for filtering out SMS phishing risks except for human behaviour, in all of its imperfect glory.
  • URL padding is easy with text messages. Hackers are, en masse, figuring out how to use a relatively simple technique to front-load or mask links in text messages with the names of well-known sites, like Reddit or Twitter, so that the start of the hostname looks trustworthy. When a text message from Aunt Sue pops up with what appears to be an innocent link to a Facebook album of family vacation photos, clicks are bound to happen.
  • Mobile users are lazy, too. Security training has had some impact on people in terms of how they behave at work on computers. People tend to be careful on desktop but relax the moment they have a smartphone in their hands. Even relatively security-conscious mobile users are somehow conditioned to browse less carefully on mobile devices compared to desktop behaviours.

SMS phishing was on the rise last year—and your employees could prove vulnerable to it, thanks to a perfect technological storm of nonexistent filtering technology, URL masking, and the fact that most people probably don’t think as hard about mobile security as they do about computer security.

Dispel smishing worries in 3 easy steps

There’s ample reason to believe your company could be the target of a phishing attack through text next year, so be prepared. Here are three ways IT can be proactive about one of the lowest-tech threats in infosec today:

  • Stand up and say something: Everyone in your company needs to be aware that email isn’t the only vehicle for phishing and that the risks are real and growing. Simulation has led to better results than pure awareness training when it comes to driving behaviour change related to phishing emails. In light of recent trends toward highly targeted social engineering attacks, your company’s leadership may need extra training.
  • Be aware of social engineering signs: Everyone with a mobile device should develop an attitude of caution around text messages. Texts from numbers with four digits (like 7000) are an obvious risk. Texts that demand immediate action, like “I need your help now” or “This is important,” can be signs of a socially savvy hacker. Anything with a link or request for sensitive data, even if it appears to be sent by a friend or relative, should be verified.
  • Get your IT security in order: Segregate your mobile devices using technical safeguards to prevent mass infection of your network. Don’t let people put their personal smartphones on your Wi-Fi, and containerize important mobile apps. In fact, you may even want to limit the type of personal apps users can download on their work smartphones, just to be safe.
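
The warning signs above (short-code senders, urgency language, links, requests for sensitive data) and the URL-padding trick described earlier can be turned into a simple triage check. The following is an added example, not code from the original article or its publisher: a small Python scorer that runs over constructed sample messages, parses any URL with the standard library, and flags hostnames where a well-known brand name appears but the registrable domain is something else. The urgency phrases, brand list and sensitive-data pattern are assumptions chosen for illustration, and the "last two labels" approximation of a registrable domain stands in for a proper public-suffix list.

```python
import re
from urllib.parse import urlparse

# Pressure cues quoted in the article plus a few common variants (assumption).
URGENCY_PHRASES = (
    "i need your help now",
    "this is important",
    "immediately",
    "urgent",
    "act now",
)

# Brand names that are commonly front-loaded into padded hostnames (assumption).
WELL_KNOWN_BRANDS = ("facebook", "twitter", "reddit")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SENSITIVE_RE = re.compile(r"\b(password|pin|ssn|account number|verify your)\b", re.IGNORECASE)

# Constructed sample messages as (sender, body); none are real captures.
SAMPLE_MESSAGES = [
    ("7000", "Your account is locked. Verify your password now: "
             "https://facebook.com-security-check.example/login"),
    ("Aunt Sue", "Vacation pics! https://www.facebook.com/album/123"),
    ("+15550100", "I need your help now, call me back"),
]


def registrable_domain(hostname: str) -> str:
    """Approximate the registrable domain as the last two labels (no public-suffix list; assumption)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def is_padded_url(url: str) -> bool:
    """True when a brand name appears in the hostname but the site is actually registered elsewhere."""
    hostname = (urlparse(url).hostname or "").lower()
    registrable = registrable_domain(hostname)
    for brand in WELL_KNOWN_BRANDS:
        if brand in hostname and not registrable.startswith(brand + "."):
            return True
    return False


def is_short_code(sender: str) -> bool:
    """Short codes such as 7000 are all-digit senders of 4 to 6 digits (assumption on the upper bound)."""
    return sender.isdigit() and 4 <= len(sender) <= 6


def score_message(sender: str, body: str) -> dict:
    """Collect every warning sign present in one message; the score is the count of signs."""
    reasons = []
    if is_short_code(sender):
        reasons.append("short-code sender")
    if any(phrase in body.lower() for phrase in URGENCY_PHRASES):
        reasons.append("urgency language")
    urls = [u.rstrip(".,)") for u in URL_RE.findall(body)]
    if urls:
        reasons.append("contains link")
    if any(is_padded_url(u) for u in urls):
        reasons.append("padded/brand-spoofing hostname")
    if SENSITIVE_RE.search(body):
        reasons.append("asks for sensitive data")
    return {"sender": sender, "score": len(reasons), "reasons": reasons}


def triage(messages):
    """Score a batch of (sender, body) pairs; callers can sort by score or route high scores for review."""
    return [score_message(sender, body) for sender, body in messages]


if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        print(result["score"], result["sender"], result["reasons"])
```

The padded-hostname check is the part worth keeping even if the rest is replaced by a commercial filter: a link to `www.facebook.com` resolves to a registrable domain of `facebook.com`, whereas `facebook.com-security-check.example` resolves to `com-security-check.example`, so the brand name at the front of the hostname is no evidence of where the link actually goes.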

Mobile security is never going to be simple, but hackers are lazy. SMS phishing may seem like a relatively simple security threat, but you can’t afford to underestimate it.
