Smishing: Overcoming a two-fold threat with a four-pronged solution.


As the threat landscape continues to evolve, new types of cyberattacks are coming to the fore. SMS phishing, or ‘smishing’, rose exponentially last year with incidents doubling in the US, while these attacks reportedly grew by 700% in the first six months of 2021 alone.

Smishing is a lucrative way of obtaining private data, such as banking information and other credentials, as users can be more trusting of text messages, or at least less vigilant when checking their messages (as opposed to emails) for potential scams. ‘Smishers’ are also particularly targeted in how they leverage basic information about their victims to deceive them into believing it has come from a trusted source.

Smishing is a two-fold threat

Organizations are only just waking up to the threat of phishing, which is now being seen as one of the biggest routes for ransomware attacks faced by global businesses, according to a recent Gigamon survey. However, smishing presents yet another business-critical cyber risk that many are underestimating. Employees are more likely to click on a malicious link via text, and especially so on personal devices. Considering we live in an age of hybrid working and Bring Your Own Device (BYOD) strategies, smishing not only poses a significant threat to individuals, but also their workplace.

Personal phones often do not have the same levels of security installed on them compared to devices issued by organizations and are naturally more likely to be used outside of working hours, and in a more relaxed environment when guards are down. However, if they are connected to company email accounts, internal servers or an intranet, it is not hard for a threat actor to pivot into the corporate network and quickly penetrate sensitive company data or critical IT infrastructure.

The smishing threat is therefore two-fold, comprising both a technology and a human factor. Firstly, personal devices are easier targets for cybercriminals who can pivot from personal phone to corporate network in minutes. Secondly, employees targeted via text message out of hours are unlikely to have cybersecurity and the protection of their organization front of mind. They are therefore more likely to fall victim to a smishing attack, that could affect their whole company, without realizing.

Four pillars for a combined smashing solution

This two-fold threat requires a four-pronged solution. When it comes to cybersecurity, there’s no single ‘silver bullet’ organizations can implement to combat security threats. A combined solution always offers the most comprehensive protection, and this is the same for smishing.

The four key pillars that organizations can implement to support and protect both devices and users from smishing attacks start with a device-centric approach. This should comprise constant device monitoring by security teams and be supported by Mobile Device Management (MDM).

It’s crucial that security teams are constantly monitoring and updating all devices within an organization. With the majority of cyberattacks occurring as a result of a security controls failure or an unpatched security vulnerability, it’s vital that security teams stay on top of the assets connected to their network. However, this is a mammoth task and

one that can be aided by ensuring MDM software is installed on all mobile devices used within an organization, both company-issued and

personal. Crucially, any company allowing BYOD strategies should look to introduce a mandatory policy insisting all personal devices receive a blend of cybersecurity controls, such as password-protection applications, a secure VPN and role-based access to enterprise data and email.

To accompany these two pillars, an approach oriented towards people is also recommended, combining mobile device security best practice with cyber awareness and training. Adopting purpose-built mobile device security is crucial to detect and protect against malware. Best practice should include guidance around which applications are safe to download and the importance of avoiding public Wi-Fi networks. However, while basic iOS and Android security and best practice guidance may stop accidental downloads of malware, there are no security controls on mobile operating systems that can prevent a user from sending their data to a hacker.

This is where cyber awareness training comes in. To address the human issue presented by smishing, adopting a security-first mindset across the entire organization is key. Staff training coupled with smishing simulations should be conducted frequently to reinforce the importance of strong cyber hygiene. Furthermore, the results of training programmes should be monitored, with additional training and support given to staff who are struggling. Not only does this help to improve cybersecurity awareness, but also promotes a supportive and collaborative environment, versus one of blame and finger-pointing that can often accompany an organization falling victim to a data breach.

Looking ahead

The smishing threat is showing no sign of abating any time soon. As long as it continues to be a lucrative method of attack, cybercriminals will continue to target mobile devices and users who are too willingly handing over private data and compromising the organizations they work for. All is not lost, however. The good news is that a combined device and user-centric solution, bringing together four key pillars of cybersecurity, presents one of the best options to safeguard staff and organizations from smishers.

Ultimately, smishing is an issue of trust; employees sometimes being too trusting in the texts they receive and employers needing to be able to trust them to always keep cybersecurity front of mind. And for those occasions where a hacker does fall the cybersecurity net and launches a successful smishing attack, working with a trusted security partner can make all the difference. Not only can they assist with reactive support, helping to reduce downtime and limit the severity of an attack, but a security partner can also provide proactive advice to bolster an organization’s cybersecurity strategy.

Working with a partner, ensuring devices secured, monitored and continuously updated, and supporting employees more to become cyber aware and better trained to identify smishing attempts, all collectively helps to deter bad actors and improve the threat landscape.

Nutanix on OVHcloud US Offers a Hybrid Multicloud Solution

Joon Lee • 11th September 2023

Nutanix is a leading cloud computing software company that helps companies simplify their cloud strategies by using hyperconverged infrastructure (HCI) environments. Hyperconvergence is a software-centric architecture that tightly integrates compute, storage, networking, and virtualization resources and other technologies on commodity hardware servers supported by a single vendor.

OVHcloud Is at the Forefront of the Data Revolution

Karen Kokiko • 11th September 2023

Information technology is going through a digital transformation and reshaping how we do business, how we interact, how we make decisions, and how we influence our society. OVHcloud® is at the forefront of this data revolution, standing apart from the competition with a strong commitment to creating a level playing field and the opportunity for...

Right Sizing & Workload Optimization in the Cloud

Joon Lee • 11th September 2023

Organizations facing the challenges of scaling their cloud infrastructure can achieve improved performance by implementing the principles of right sizing their infrastructure. This practice is essential for optimizing cloud infrastructure and enhancing its overall effectiveness. In this guide, we will discuss the benefits of right sizing, including optimizing costs, eliminating waste and improving performance. We’ll...

OVHcloud Is at the Forefront of the Data Revolution

Karen Kokiko • 11th September 2023

Information technology is going through a digital transformation and reshaping how we do business, how we interact, how we make decisions, and how we influence our society. OVHcloud® is at the forefront of this data revolution, standing apart from the competition with a strong commitment to creating a level playing field and the opportunity for...

Can Europe take on the US Cloud giants?

Richard Hilton • 30th August 2023

With so many issues coming up about cloud storage, what is the solution to the dominance of the major giants like AWS (32%), Microsoft (23%) and Google (10%) taking 65% of the world cloud market?

The race to dominate the AI space

Kevin Cole • 24th August 2023

The launch of Chat GPT-4 in March of this year provided the catalyst for a conversation that has been gaining momentum for some time now: How will artificial intelligence (AI) change the world?