Tips to squash smishing (SMS phishing)
The emerging threat of smishing and how to tackle it
No matter how robust the network security infrastructure is, an error in judgment can open the floodgates for cyberattacks. Deceiving a user into revealing sensitive information, primarily over email, is called phishing. When phishing is done using SMS, it is called smishing. There has been an uptick in smishing ever since the pandemic, with reports estimating a 328% spike.
What is Phishing?
Phishing is an attempt by fraudulent actors to pass themselves off as a legitimate business or entity in order to extract personal information or install malware on the victim’s system. Usually, email or phone calls are used to induce victims into revealing their credit card details, banking credentials, or social media account details.
Phishing messages are drafted to induce urgency or panic in the target’s mind. For instance, you get an email that appears to come from a reputable shipping company, claiming your courier was not delivered because of an incorrect address, or you are asked to pay a fee to customs or a courier to complete delivery; you are directed to click on a link to correct it. The link takes you to a malicious site, where the hacker uses the data you input to launch attacks such as APTs and ransomware. According to Verizon’s study, the predominant hacking action was using stolen credentials to compromise web applications. The report claimed that in the APAC region alone, 99% of attacks consisted almost exclusively of phishing.
There are several kinds of phishing
Email phishing: messages carry links to malicious sites or infected attachments, in HTML or DOCX format, that contain executable code.
Spear phishing is much like phishing, but it targets specific individuals or organizations instead of random victims. Often, an attacker assumes the identity of a senior-level executive and targets lower-level employees.
Whaling: this form of attack targets specific high-profile individuals at a company. Whaling is highly lucrative as senior executives generally have high-level access to data.
HTTPS phishing: attackers create fake websites and SSL certificates so that the URL fraudulently carries the HTTPS prefix, luring unsuspecting users into handing over their data.
Vishing: it is phishing via phone call. It’s a social engineering trick to force customers into parting with sensitive data, often posing as a customer service executive.
Angler phishing: it targets social media users using direct messages (DMs). Usually, attackers pose as customer service agents, reaching out to resolve issues.
What is Smishing (SMS phishing)?
Smishing is a form of phishing wherein a malicious SMS, rather than an email, is sent to the victim’s phone to induce a sense of urgency or panic. Smishing attackers send a text message to smartphone users, directing them to click on a link or respond to the message in a particular manner. Sometimes, these attackers use the receiver’s name and location (readily available on social media) to give the impression of being a trusted source. Once the receiver clicks on the link and enters their credentials or credit card data on a site they believe to be legitimate, that data ends up on a server controlled by the attacker, who then gains access to the person’s sensitive data, such as their user credentials, credit card or banking details.
A smishing message will try to induce panic. For example:
“Warning:(Criminal Investigation Department) IRS wants to file a lawsuit against you; click on ********* to know more. In case of failure to do so, your arrest warrant may be forwarded to your local police department, allowing the government to freeze your SSN and bank accounts.”
Smishing vs. Phishing
The only difference between phishing and smishing is that phishing is conducted over emails, while smishing attacks are perpetrated using SMS.
Why do telcos need to tackle smishing?
According to a study, the telecommunications industry lost around $40 billion because of fraud, including smishing. Besides the monetary loss, the scam can cause irreparable damage on two fronts:
- Damage to the brand reputation
A smishing attacker usually uses a reputable brand’s name to establish trust between themselves and the victim. Such negative publicity can create a wrong impression about your brand name among existing and prospective customers. The trust deficit can drive customers to your competitors. Any breach resulting in sensitive data landing in the public domain can have legal consequences, further damaging a brand’s reputation.
- Upset customers
Damage to reputation is directly proportional to customers lost, i.e., the higher the impact of a smishing incident, the higher the number of customers lost. As mentioned earlier, smishing is a way for hackers to access sensitive data. Cybercriminals use the data to launch advanced attacks like APTs and ransomware. No customer can repose trust in a brand that cannot protect its customer data.
How can telecom providers defend themselves against smishing?
Telcos must invest in scalable security solutions to tackle the barrage of smishing attempts. Telcos can leverage the following scalable best practices to ensure the security of their network:
- Continuous testing
Organize periodic tests on your network and check for any misalignments. Refine and improve your security network, ensure blocking mechanisms are in place, and continually update your security posture, keeping the test results in mind.
- Threat interception
Instead of reacting after a smishing incident, ensure that you’re proactively protecting your network. Use solutions that block smishing attempts just as they attempt to enter your network. A few proactive options are:
  - Penetration Testing
  - Network Security Monitoring tools
  - Web Vulnerability Scanning tools
  - Attack Surface Management tools
  - Antivirus
  - Firewall
- Resource utilization and optimization
Sourcing the correct tools must be combined with training the personnel to use them. A well-trained unit equipped with the right blend of network security solutions can respond to emerging situations quickly. Besides, keeping a rational chain of command will allow for quick remediation. As smishing scams comprise social engineering tricks to dupe unsuspecting employees, a well-trained team will be ready for such attempts.
- Centralized visibility
As the traffic to your network spikes and becomes globally dispersed, a centralized network visibility program lends you the heft to weave a 360-degree view of your network layers into an intuitive configuration. This strategy helps optimize traffic management and tool utilization while empowering the IT team to locate new network visibility solutions to tackle security issues without downtime. This strategy also ensures there is no blind spot on the network, thereby improving the security posture.
How can consumers protect themselves against phishing and smishing attacks?
Smishing, just like phishing, targets human emotions. A recent report says that 82% of successful phishing (including smishing) attacks involved a lapse of judgment from a human. Cisco’s 2021 Cybersecurity threat trends report suggests that at least one person clicked a phishing link in around 86% of organizations. The company’s data indicates that phishing (including smishing) accounts for about 90% of data breaches.
Here are a few things you can do to ward off smishing attempts:
- Do not respond to suspicious messages; try to unsubscribe from the channel/phone number sending it.
- If there is a sense of urgency in the text, slow down and read it thoroughly. Scan it for spelling or factual errors. Most scamming messages will have telltale signs of being phony; spelling mistakes are the most common. Also, seek confirmation from the brand sending the message.
- Do not click on the link in the message and keep your credit card and other sensitive details to yourself.
- Report a suspected phishing message to the proper authorities.
- Use network-based security such as Allot Secure, provided to CSPs, to prevent receiving smishing messages.
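The telltale signs listed above (urgency, a link, requests for sensitive details, a brand name that does not match where the link goes) can be checked mechanically. The following is an added example, not code from the original article or from any vendor it mentions; the keyword lists, weights, threshold, the `examplepost` brand and all sample messages are constructed assumptions, and spelling checks are left out.

```python
import re
from urllib.parse import urlsplit

# Constructed indicator lists and weights (assumptions; tune on real traffic).
URGENCY = re.compile(r"\b(urgent|immediately|warning|final notice|suspended|"
                     r"lawsuit|arrest|warrant|freeze)\b", re.I)
SENSITIVE = re.compile(r"\b(ssn|password|pin|credit card|card number|"
                       r"bank accounts?|verification code)\b", re.I)
URL = re.compile(r"(?:https?://|www\.)\S+", re.I)  # bare domains are not matched
# Hypothetical brand -> domains that brand really uses.
BRAND_DOMAINS = {"examplepost": {"examplepost.example"}}
WEIGHTS = {"urgency": 2, "sensitive-data": 2, "link": 1, "brand-link-mismatch": 3}
THRESHOLD = 3

def link_hosts(text):
    """Return the lower-cased hostname of every link in the message."""
    hosts = []
    for match in URL.finditer(text):
        raw = match.group(0).rstrip(".,;:!?)")
        try:
            host = urlsplit(raw if "://" in raw else "http://" + raw).hostname
        except ValueError:  # malformed link text, e.g. unbalanced brackets
            continue
        if host:
            hosts.append(host)
    return hosts

def on_brand_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def score_sms(text):
    """Return (score, reasons, suspicious) for one SMS body."""
    reasons = []
    if URGENCY.search(text):
        reasons.append("urgency")
    if SENSITIVE.search(text):
        reasons.append("sensitive-data")
    hosts = link_hosts(text)
    if hosts:
        reasons.append("link")
    for brand, domains in BRAND_DOMAINS.items():
        # The brand is named in the text, but a link points somewhere else.
        if brand in text.lower() and any(not on_brand_domain(h, domains) for h in hosts):
            reasons.append("brand-link-mismatch")
    score = sum(WEIGHTS[r] for r in reasons)
    return score, reasons, score >= THRESHOLD

# Constructed sample messages using reserved .invalid/.test/.example domains.
SCAM_TAX = ("Warning: tax office wants to file a lawsuit against you; click on "
            "http://tax-case.invalid/file or your SSN and bank accounts are frozen.")
SCAM_PARCEL = ("ExamplePost: delivery failed, incorrect address. Pay the customs "
               "fee immediately at https://examplepost-redelivery.test/pay")
LEGIT = "ExamplePost: your parcel arrives tomorrow. Track it at https://track.examplepost.example/ab12"
```

A score at or above the threshold is a reason to hold the message for confirmation with the brand through a known channel, not proof of fraud.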
Allot’s 360-degree security solution against telco threats
Telcos increasingly face the double whammy of rising smishing attempts and increasing complexity. Communication service providers (CSPs) need a comprehensive solution to protect themselves from smishing. Allot is a leading security-as-a-service provider for CSPs, offering 360-degree protection. Being a network-based SECaaS, it is clientless and offers zero-touch deployment, making its adoption seamless. Customers are provided cybersecurity protection from malware and phishing (including smishing). The Allot Secure portfolio is an amalgam of several products with a unified customer-centric experience across all platforms. All products within the portfolio share a single unified management system: one policy and unified reporting and event handling.