Nigel Seddon, VP of EMEA West, Ivanti, looks at the rise of smishing and what companies can do to mitigate it.
With more and more employees working remotely and using company smartphones to maintain business productivity and connectivity, smishing attacks are on the rise. Short for SMS phishing, smishing has become commonplace in both our professional and personal lives, with 36 million Brits over the last year being duped into downloading a virus or malware onto their mobile devices, granting hackers easy access to sensitive data.
Like phishing emails, smishing aims to deceive users into giving up valuable information by convincing the recipient that the message has come from a trusted source. In fact, recent Google search data found that Royal Mail smishing scams had a 1,077% in UK in 2020. March 2021 alone saw a 645% increase in Royal Mail-related phishing scams, according to security firm Check Point.
Smishing attacks are of particular concern, as people are more trusting and responsive to text messages than email. Only 1 in 4 emails are opened by consumers, whereas 82% of text messages are read within five minutes. Despite these types of scams being around for decades, typically exploiting email accounts, dramatic rise in smishing attacks over the past couple of years, especially during the pandemic, should concern cybersecurity professionals.
Exploiting our trusting nature: Savvy hacker’s praying on our smishing vulnerability
Smishing attacks aren’t a new concept. They have been around for years. However, smishing is more worrisome for IT security in the post-covid era.
Why? Workers have adapted to deal with common phishing emails by blocking email phishing on corporate-owned PCs or utilising their spam box filter to triage potential threats and are more adept in spotting the tell-tale signs. But today’s remote workers are now using their personal smartphones to access a mix of corporate and personal apps and data. As of 2021, 3.8 billion users around the world now carry smartphones. Devices are everywhere, providing a vast exploitable threat landscape for hackers.
Thanks to lockdown one, two, three, everyone uses their mobiles more. According to a survey conducted in February 2021, nearly half of the respondents stated that on average they spent five to six hours on their phone daily, not including work-related smartphone use. But we also rely on them more for work. 72% of employees agree that their mobile device has been important to ensuring their productivity during lockdown.
Ultimately, there’s just no straightforward way to verify the authenticity of URLs on smartphones, so users can just click and trigger a cyber-attack.
Red alert: Staying “switched on”.
Many businesses still aren’t training their staff on cybersecurity basics and employers are being urged to introduce security awareness training and order to deal with the “smishing pandemic”.
According to the UK Government’s Cyber Security Breaches Survey report, only 14% of businesses train staff on mobile device cybersecurity and only one in five have tested staff’s response to cyber incidents. This is particularly worrying as many businesses continue to allow employees to use their personal devices for work-related tasks.
Throughout 2021, a fraud alert was exposed involving fake texts from the NHS telling people they were eligible for their Covid-19 vaccination. This URL then took users to a convincing, yet false, NHS website that asked for personal details – unfortunately, these types of scams are exposed daily and are ever-increasing.
Recognising fraudulent text messages is no easy task. It is important that CISOs train all staff, regardless of their department, to feel comfortable reporting even the smallest mistake, such as clicking on a spam link. This can be done by establishing a simple protocol for reporting smishing incidents.
IT leaders should also conduct smishing awareness training that will help employees recognise phishing scams before they fall victim to them. Arranging for cybersecurity experts come to the office to do a training session for all employees, or even asking HR departments to conduct seminars for staff goes a long way.
While structured annual or semi-annual cybersecurity awareness training is recommended, employees should also receive on-the-fly phishing/smishing awareness training when an attack occurs. If an employee clicks on a phishing link, they should receive immediate feedback and additional training. Staying on top of company phishing/smishing training is the key to success.
A CISO’s essential guide to employee mobile security.
In December 2020, Ivanti, commissioned an independent research study to gain a better understanding of CISO priorities. It revealed that 87% of CISOs across EMEA said that securing mobile devices is now the focal point of their cybersecurity strategies. This is largely due to the 52% rise in SMS delivery scams in the UK over the last 12 months, where cyber actors would dupe people into divulging their credentials, including passwords.
According to Verizon’s 2020 Data Breach Investigation Report, compromised passwords are responsible for 81% of all hacking-related data breaches. Eliminating passwords in favour of multifactor authentication (MFA) is one of the easiest things CISOs can do now to help remote workforces stay productive while minimising security threats. By requiring biometrics or other factors for authentication, IT can reduce the “phishability” of login credentials. MFA also dramatically improves the user experience by eliminating the need to type complex and easily forgotten passwords on small screens.
Hyper automation is the key to the success of IT departments in the wake of the pandemic. While many organisations have been making investments in security awareness training initiatives, they should also be prioritizing and applying advanced automation, artificial intelligence, and machine learning technologies to more quickly and consistently identify, verify, and remediate phishing threats.
- The power of AI in accelerating growth
- Why developers are our best defence against cyberattacks
- Unified data drives the factory of tomorrow
- CTOs share advice to their 25-year-old selves
CISOs know they can’t just rely on fallible, distracted humans to thwart cybercriminal activity. A comprehensive and “always-on” mobile-security approach that can detect and prevent mobile threats without affecting employee access should be at the top of every CISO’s to-do list in the year ahead.
For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!