In the summer of 2022, a few Twilio employees received an odd text message. Through the messaging app Signal, threat actors tricked employees into giving away credentials, resulting in the compromise of over 130 connected organisations.
130 businesses breached from one text message. Ouch.
That kind of tactic is becoming all too common, with stolen credentials reaching the top of the list of initial access points. In recent years, there’s been an evolution of phishing around the technique seen in the Twilio breach: smishing.
What Is Smishing?
SMS (short messaging service) phishing or “smishing” is a common type of cyber attack where victims receive misleading text messages intended to trick them into providing credentials, access, valuable data, or even downloading malware onto a system. It is also called “cell phone phishing.” While the definition of smishing refers to the device on which the message arrives, the specifics can vary widely.
For individuals, a smishing attack may look like a text message from a threat actor pretending to be your bank and asking for information, or from a fake local political campaign prompting you to click on a link to learn more. Think of them as the text message version of the spam calls you may decline multiple times a day on your cell phone.
For organisations, however, smishing can look different and carry with it major consequences. In the case of Twilio, the threat actors used a trusted messaging service, Signal, and posed as a trusted source, the internal IT department. Building trust is key to getting individuals to hand over credentials, click links, or give away organisational information. It could come in the form of a CFO asking for a financial account number or IT asking you to verify your login.
Smishing can be an isolated attack, or it can be used as a precursor to a larger attack, such as ransomware or business email compromise (BEC). It’s important to remember that users, as part of an organisation’s attack surface, can be targeted during multiple stages of a cyber attack.
Is Smishing a Form of Phishing?
Yes. Smishing is different from phishing only in that it utilises SMS messaging instead of email. All the nefarious tactics and tricks of a standard phishing attack, however, often remain the same.
Smishing is also similar to vishing, a phishing technique that utilises voice messages instead of texts or email. Think back to those spam calls: those are examples of vishing.
How Does a Smishing Attack Work?
A smishing attack starts with a threat actor gaining access to your mobile device number. From there it’s a series of steps that starts with a message and can end with stolen credentials, malware installed on your device, or worse.
- A cybercriminal sends you a text message, possibly from a spoofed number that makes it seem as though it’s coming from a legitimate business or individual, perhaps even one you’re familiar with, such as your bank or your boss.
- You receive the text message on your phone, or another messaging system. It warns you there is an urgent issue with one of your accounts and asks you to verify information to resolve it.
- You respond, often by clicking on a link, calling a phone number provided, or handing over credentials in an effort to clear up the error.
- You may then be directed to a phony website or call center that seems legitimate.
- You may be prompted to provide sensitive information or download some type of malware.
- If you download the malware, you’ve granted the attacker access to your device. Once they have access, they can use it to spy on you, steal sensitive information, or access your accounts. Any personal information you provide can be used to steal your identity and log in to your accounts.
These kinds of attacks are used by threat actors because they’re consistently successful.
Here are a few reasons why smishing works:
- Nearly every cell phone can receive texts
- Texts stand out and get viewed more than emails or phone calls
- Texts get your attention, and you may reply without thinking
- People often check text messages while they’re distracted doing other things
For organisations, an employee exploited by a smishing scheme can instantly open the network for hackers to hold data for ransom or steal sensitive information, both from the company itself and from connected businesses and individuals. This information can then be used to dupe countless other victims into giving up their money and personal information.
Risks of this magnitude can bring irreparable damage to your organisation’s reputation, which can cause you to lose credibility with your customers, spend countless hours on remediation, and experience potentially millions of dollars in damages.
Common Examples of Smishing Attacks
There are a few tactics cybercriminals come back to. In a business setting, they will often pose as someone from IT asking you to give credentials or verify a login. They may even pose as your boss or someone in the C-suite to get your attention and get you to respond without questioning the request.
In a non-business setting, examples of smishing include a fraudulent message from your bank, a political campaign text, a text from a business you frequent, or even someone posing as your friend, hoping you’ll just think you forgot to save their number.
The information these cybercriminals are after includes:
- Social Security numbers
- Credit or debit card numbers
- Zip codes, which help them use your card if they already have the number
- Bank names or credit card companies, which they can use later in tailored and personalised attacks
- Work login information
- Work application information
- Customer and/or vendor information
- Device and network information
How To Protect Against Smishing Threats
In the age of remote work and cloud-first systems, many employees may have access to important systems or assets directly from their cell phones. They may also, as the Twilio attack highlighted, use their phones to log in to company assets, which gives attackers an opening to create look-alike duplicates of those login domains. This is often referred to as a “domain attack.”
Even though smishing attacks are increasing, there are countermeasures organisations and individuals can take to stay safe.
Smishing Protection For Individuals
- Be wary of texts using unnatural or grammatically incorrect language, especially if they arrive from an unknown number.
- Avoid clicking on embedded links within text messages.
- Do not respond to texts appearing to be from a financial institution or merchant asking you to update your account information or provide personal info.
- If you get a message that looks to be from a bank or a company you do business with, and it includes a link or a request to provide information, call the business directly. Do not use the phone number provided in the text.
- Never click a link or call the phone number provided in a message if you’re unsure whom it’s from.
Smishing Protection For Organisations
- Implement a robust security training program with effective content and training techniques, plus information and guidance on the newest threats individuals and organisations face.
- Implement multi-factor authentication (MFA) and consider utilising hardware as part of that MFA, such as a hardware token for your device. This extra level of defense can be the difference between a thwarted attack and a data breach.
- Utilise a managed detection and response (MDR) solution. While MDR can’t stop the smishing message itself, it can detect unusual behavior on networks or endpoints, flagging, and hopefully stopping, the attack that follows credential theft.
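Why hardware-backed MFA makes the difference claimed above, shown against the look-alike login domains mentioned earlier: the example below is added here and is not code from the original article. It is a simplified model in which HMAC with a per-site device key stands in for the public-key signature a real WebAuthn/FIDO2 authenticator would produce; the origins and counter value are constructed.

```python
# Added example, not from the article; HMAC with a per-site key stands in for a real token's signature.
import hashlib, hmac, json, secrets
from urllib.parse import urlparse
REAL_ORIGIN = "https://login.example.com"       # constructed: the genuine site
LOOKALIKE_ORIGIN = "https://login-example.com"  # constructed: attacker's duplicate domain

def rp_id(origin: str) -> str:
    # A credential is scoped to the domain the browser actually connected to.
    return urlparse(origin).hostname or ""

class Authenticator:
    """Hardware-token stand-in holding one device key per registered site."""
    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
    def register(self, origin: str) -> bytes:
        self.keys[rp_id(origin)] = key = secrets.token_bytes(32)
        return key  # the genuine site keeps this to verify later assertions

    def get_assertion(self, origin: str, challenge: bytes):
        # The browser, not the page, supplies the origin. A look-alike domain has
        # no credential on the token, so nothing is produced for the attacker to relay.
        key = self.keys.get(rp_id(origin))
        if key is None:
            return None
        client_data = json.dumps({"origin": origin, "challenge": challenge.hex()}).encode()
        return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def site_verifies(origin: str, key: bytes, challenge: bytes, assertion) -> bool:
    # The genuine site accepts only an assertion bound to its own origin and challenge.
    client_data, sig = assertion
    data = json.loads(client_data)
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    return (data["origin"] == origin and data["challenge"] == challenge.hex()
            and hmac.compare_digest(expected, sig))

def one_time_code(key: bytes, step: int) -> str:
    # HOTP-style code: derived from the key and a counter only, no origin involved.
    digest = hmac.new(key, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def relay_attack_succeeds(hardware_mfa: bool) -> bool:
    """Victim logs in on the look-alike page; the attacker relays what the victim produces."""
    token = Authenticator()
    key = token.register(REAL_ORIGIN)
    if hardware_mfa:
        challenge = secrets.token_bytes(16)  # issued by the real site, shown via the fake
        relayed = token.get_assertion(LOOKALIKE_ORIGIN, challenge)
        return relayed is not None and site_verifies(REAL_ORIGIN, key, challenge, relayed)
    typed_code = one_time_code(key, step=42)          # typed into the fake page
    return typed_code == one_time_code(key, step=42)  # real site cannot tell where it was typed
```

The one-time code carries no information about which page it was typed into, so a relayed code is accepted; the origin-bound assertion is never produced for the look-alike domain, so there is nothing to relay.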
It’s important to remember that users are a top target for smishing attacks, but they can also be the first line of defense. Learn how a strong security awareness training program can instill a culture of security and ramp up your organisation’s cyber defenses.