As the threat landscape continues to evolve, new types of cyberattacks are coming to the fore. SMS phishing, or ‘smishing’, rose exponentially last year with incidents doubling in the US, while these attacks reportedly grew by 700% in the first six months of 2021 alone.
Smishing is a lucrative way of obtaining private data, such as banking information and other credentials, as users can be more trusting of text messages, or at least less vigilant when checking their messages (as opposed to emails) for potential scams. ‘Smishers’ are also particularly targeted in how they leverage basic information about their victims to deceive them into believing it has come from a trusted source.
Smishing is a two-fold threat
Organizations are only just waking up to the threat of phishing, which is now being seen as one of the biggest routes for ransomware attacks faced by global businesses, according to a recent Gigamon survey. However, smishing presents yet another business-critical cyber risk that many are underestimating. Employees are more likely to click on a malicious link via text, and especially so on personal devices. Considering we live in an age of hybrid working and Bring Your Own Device (BYOD) strategies, smishing not only poses a significant threat to individuals, but also their workplace.
Personal phones often do not have the same levels of security installed on them compared to devices issued by organizations and are naturally more likely to be used outside of working hours, and in a more relaxed environment when guards are down. However, if they are connected to company email accounts, internal servers or an intranet, it is not hard for a threat actor to pivot into the corporate network and quickly penetrate sensitive company data or critical IT infrastructure.
The smishing threat is therefore two-fold, comprising both a technology and a human factor. Firstly, personal devices are easier targets for cybercriminals who can pivot from personal phone to corporate network in minutes. Secondly, employees targeted via text message out of hours are unlikely to have cybersecurity and the protection of their organization front of mind. They are therefore more likely to fall victim to a smishing attack, that could affect their whole company, without realizing.
Four pillars for a combined smashing solution
This two-fold threat requires a four-pronged solution. When it comes to cybersecurity, there’s no single ‘silver bullet’ organizations can implement to combat security threats. A combined solution always offers the most comprehensive protection, and this is the same for smishing.
The four key pillars that organizations can implement to support and protect both devices and users from smishing attacks start with a device-centric approach. This should comprise constant device monitoring by security teams and be supported by Mobile Device Management (MDM).
It’s crucial that security teams are constantly monitoring and updating all devices within an organization. With the majority of cyberattacks occurring as a result of a security controls failure or an unpatched security vulnerability, it’s vital that security teams stay on top of the assets connected to their network. However, this is a mammoth task and
one that can be aided by ensuring MDM software is installed on all mobile devices used within an organization, both company-issued and
personal. Crucially, any company allowing BYOD strategies should look to introduce a mandatory policy insisting all personal devices receive a blend of cybersecurity controls, such as password-protection applications, a secure VPN and role-based access to enterprise data and email.
To accompany these two pillars, an approach oriented towards people is also recommended, combining mobile device security best practice with cyber awareness and training. Adopting purpose-built mobile device security is crucial to detect and protect against malware. Best practice should include guidance around which applications are safe to download and the importance of avoiding public Wi-Fi networks. However, while basic iOS and Android security and best practice guidance may stop accidental downloads of malware, there are no security controls on mobile operating systems that can prevent a user from sending their data to a hacker.
This is where cyber awareness training comes in. To address the human issue presented by smishing, adopting a security-first mindset across the entire organization is key. Staff training coupled with smishing simulations should be conducted frequently to reinforce the importance of strong cyber hygiene. Furthermore, the results of training programmes should be monitored, with additional training and support given to staff who are struggling. Not only does this help to improve cybersecurity awareness, but also promotes a supportive and collaborative environment, versus one of blame and finger-pointing that can often accompany an organization falling victim to a data breach.
The smishing threat is showing no sign of abating any time soon. As long as it continues to be a lucrative method of attack, cybercriminals will continue to target mobile devices and users who are too willingly handing over private data and compromising the organizations they work for. All is not lost, however. The good news is that a combined device and user-centric solution, bringing together four key pillars of cybersecurity, presents one of the best options to safeguard staff and organizations from smishers.
Ultimately, smishing is an issue of trust; employees sometimes being too trusting in the texts they receive and employers needing to be able to trust them to always keep cybersecurity front of mind. And for those occasions where a hacker does fall the cybersecurity net and launches a successful smishing attack, working with a trusted security partner can make all the difference. Not only can they assist with reactive support, helping to reduce downtime and limit the severity of an attack, but a security partner can also provide proactive advice to bolster an organization’s cybersecurity strategy.
Working with a partner, ensuring devices secured, monitored and continuously updated, and supporting employees more to become cyber aware and better trained to identify smishing attempts, all collectively helps to deter bad actors and improve the threat landscape.