Smishing: Overcoming a two-fold threat with a four-pronged solution.

building

As the threat landscape continues to evolve, new types of cyberattacks are coming to the fore. SMS phishing, or ‘smishing’, rose exponentially last year with incidents doubling in the US, while these attacks reportedly grew by 700% in the first six months of 2021 alone.

Smishing is a lucrative way of obtaining private data, such as banking information and other credentials, as users can be more trusting of text messages, or at least less vigilant when checking their messages (as opposed to emails) for potential scams. ‘Smishers’ are also particularly targeted in how they leverage basic information about their victims to deceive them into believing it has come from a trusted source.

Smishing is a two-fold threat

Organizations are only just waking up to the threat of phishing, which is now being seen as one of the biggest routes for ransomware attacks faced by global businesses, according to a recent Gigamon survey. However, smishing presents yet another business-critical cyber risk that many are underestimating. Employees are more likely to click on a malicious link via text, and especially so on personal devices. Considering we live in an age of hybrid working and Bring Your Own Device (BYOD) strategies, smishing not only poses a significant threat to individuals, but also their workplace.

Personal phones often do not have the same levels of security installed on them compared to devices issued by organizations and are naturally more likely to be used outside of working hours, and in a more relaxed environment when guards are down. However, if they are connected to company email accounts, internal servers or an intranet, it is not hard for a threat actor to pivot into the corporate network and quickly penetrate sensitive company data or critical IT infrastructure.

The smishing threat is therefore two-fold, comprising both a technology and a human factor. Firstly, personal devices are easier targets for cybercriminals who can pivot from personal phone to corporate network in minutes. Secondly, employees targeted via text message out of hours are unlikely to have cybersecurity and the protection of their organization front of mind. They are therefore more likely to fall victim to a smishing attack, that could affect their whole company, without realizing.

Four pillars for a combined smashing solution

This two-fold threat requires a four-pronged solution. When it comes to cybersecurity, there’s no single ‘silver bullet’ organizations can implement to combat security threats. A combined solution always offers the most comprehensive protection, and this is the same for smishing.

The four key pillars that organizations can implement to support and protect both devices and users from smishing attacks start with a device-centric approach. This should comprise constant device monitoring by security teams and be supported by Mobile Device Management (MDM).

It’s crucial that security teams are constantly monitoring and updating all devices within an organization. With the majority of cyberattacks occurring as a result of a security controls failure or an unpatched security vulnerability, it’s vital that security teams stay on top of the assets connected to their network. However, this is a mammoth task and

one that can be aided by ensuring MDM software is installed on all mobile devices used within an organization, both company-issued and

personal. Crucially, any company allowing BYOD strategies should look to introduce a mandatory policy insisting all personal devices receive a blend of cybersecurity controls, such as password-protection applications, a secure VPN and role-based access to enterprise data and email.

To accompany these two pillars, an approach oriented towards people is also recommended, combining mobile device security best practice with cyber awareness and training. Adopting purpose-built mobile device security is crucial to detect and protect against malware. Best practice should include guidance around which applications are safe to download and the importance of avoiding public Wi-Fi networks. However, while basic iOS and Android security and best practice guidance may stop accidental downloads of malware, there are no security controls on mobile operating systems that can prevent a user from sending their data to a hacker.

This is where cyber awareness training comes in. To address the human issue presented by smishing, adopting a security-first mindset across the entire organization is key. Staff training coupled with smishing simulations should be conducted frequently to reinforce the importance of strong cyber hygiene. Furthermore, the results of training programmes should be monitored, with additional training and support given to staff who are struggling. Not only does this help to improve cybersecurity awareness, but also promotes a supportive and collaborative environment, versus one of blame and finger-pointing that can often accompany an organization falling victim to a data breach.

Looking ahead

The smishing threat is showing no sign of abating any time soon. As long as it continues to be a lucrative method of attack, cybercriminals will continue to target mobile devices and users who are too willingly handing over private data and compromising the organizations they work for. All is not lost, however. The good news is that a combined device and user-centric solution, bringing together four key pillars of cybersecurity, presents one of the best options to safeguard staff and organizations from smishers.

Ultimately, smishing is an issue of trust; employees sometimes being too trusting in the texts they receive and employers needing to be able to trust them to always keep cybersecurity front of mind. And for those occasions where a hacker does fall the cybersecurity net and launches a successful smishing attack, working with a trusted security partner can make all the difference. Not only can they assist with reactive support, helping to reduce downtime and limit the severity of an attack, but a security partner can also provide proactive advice to bolster an organization’s cybersecurity strategy.

Working with a partner, ensuring devices secured, monitored and continuously updated, and supporting employees more to become cyber aware and better trained to identify smishing attempts, all collectively helps to deter bad actors and improve the threat landscape.

WAICF – Dive into AI visiting one of the most...

Delia Salinas • 10th March 2022

Every year Cannes held an international technological event called World Artificial Intelligence Cannes Festival, better known by its acronym WAICF. One of the most luxurious cities around the world, located on the French Riviera and host of the annual Cannes Film Festival, Midem, and Cannes Lions International Festival of Creativity. 

Bouncing back from a natural disaster with resilience

Amber Donovan-Stevens • 16th December 2021

In the last decade, we’ve seen some of the most extreme weather events since records began, all driven by our human impact on the plant. Businesses are rapidly trying to implement new green policies to do their part, but climate change has also forced businesses to adapt and redefine their disaster recovery approach. Curtis Preston,...