In the summer of 2022, a few Twilio employees received an odd text message. Appearing to come from the internal IT department, the messages said employees needed to reset expiring passwords through a specific URL. Neither the URL nor the message was legitimate; the threat actors controlled the URL. They essentially tricked employees into giving away credentials, resulting in the compromise of over 130 connected organizations.
This kind of attack is neither novel nor rare. Smishing, also called SMS phishing, is becoming more common as threat actors gain access to individuals’ phone numbers through the dark web, third-party hacks, or other means. Just recently the U.S. federal government issued a warning that Apple users were being targeted by smishing attacks, with threat actors looking to gain access to users’ Apple IDs. Having these credentials could allow threat actors to not only steal personal and financial information from individuals, but log into their business accounts and target entire organizations through subsequent attacks.
Living in an age where a smartphone is within arm's reach of most individuals has given threat actors an entirely new avenue for attack, and they're taking full advantage.
What Is Smishing?
Smishing is a common type of social engineering attack where victims receive misleading text messages intended to trick them into providing credentials, access, valuable data, or even downloading malware onto a system. While the definition of smishing refers to the device on which the message arrives, the specifics of how the attack occurs can vary.
For individuals, a smishing attack may look like a text message from a threat actor pretending to be a bank and asking for information or impersonating a local political campaign prompting the individual to click on a link to learn more.
For organizations, however, smishing can look different and carry major consequences. In the Twilio case mentioned above, the threat actors used a trusted messaging service, Signal, and posed as a trusted source, the internal IT department, to carry out their attack. Building trust is key to obtaining credentials, getting individuals to click links, or extracting operational information, and the threat actors did just that.
While smishing can be an isolated attack to gain credentials or steal money, it's often used as a precursor to a larger attack, such as ransomware or business email compromise (BEC). In fact, AlphV, the notorious ransomware group, is known to use compromised credentials gained through social engineering tactics like smishing in its breaches. Smishing can also appear at later stages of an attack, when a threat actor needs privileged access and knows the cell phone number of a user who can be tricked into granting it.
Smishing and Phishing
Smishing differs from phishing only in that it uses SMS messaging instead of email. All the nefarious tactics and tricks of a standard phishing attack, however, often remain the same, and smishing is often referred to as a subset of phishing. Both work within the general social engineering pattern of luring a user into giving away access or valuable information. It's also worth noting that, while similar in technique, smishing is not the same as vishing. Vishing uses voice calls, such as the one used to launch a ransomware attack on MGM Resorts in the summer of 2023.
How Does a Smishing Attack Work?
A smishing attack starts with a threat actor obtaining your mobile phone number. From there it's a series of steps that begins with a message and can end with stolen credentials, malware installed on your device, or access to valuable information.
A common smishing attack scenario goes like this:
1. A cybercriminal sends you a text message, possibly from a spoofed number that makes it seem as though it’s coming from a legitimate business or individual, perhaps even one you’re familiar with, such as your bank or a coworker at your organization.
2. You receive the message on your phone, and it describes an urgent issue with one of your accounts, asking you to verify information to resolve it.
3. You respond, often by clicking on a link, calling a phone number provided, or handing over credentials in an effort to clear up the error.
4. You may then be directed to a phony website or call center that seems legitimate.
5. You may be prompted to provide sensitive information or download some type of malware.
6. If you download the malware, you've granted the attacker access to your device. Once they have access, they can use it to spy on you, steal sensitive information, or access your accounts. Any personal information you provide can be used to steal your identity and log in to your accounts.
These kinds of attacks are used by threat actors because they’re consistently successful. Smishing works for a few reasons, including:
- Nearly every cell phone can receive texts
- Texts stand out and get viewed more than emails or phone calls
- Texts gain attention, and users may reply without fully thinking about the content of the message
- People often check text messages while they’re distracted doing other things, which makes it easier for threat actors to trick users
For organizations, an employee exploited by a smishing attack can open the network for hackers to hold data for ransom or steal sensitive information, both from the company itself and from connected businesses and individuals. That information can then be used to dupe countless other victims into giving up their money and personal data, which is what makes smishing such a threat and such a valuable tool for threat actors.
Common Examples of Smishing Attacks
When it comes to smishing, there are a few tactics cybercriminals come back to. In a business setting, these threat actors will often pose as someone from IT asking a user to give credentials or verify a login. They may even pose as a boss or someone in the C-suite to garner attention and get the user to respond without questioning the request.
In a non-business setting, examples of smishing include a fraudulent message from a bank, a political campaign text, a text from a business the user frequents, or even someone posing as a friend.
The information cybercriminals are after in smishing attacks includes:
- Social Security numbers
- Credit or debit card numbers
- ZIP codes, which help them use your card if they already have the number
- Bank names or credit card companies, which they can use later in tailored and personalized attacks
- Work login information
- Work application information
- Customer and/or vendor information
- Device and network information
An example of a smishing attack would be a threat actor obtaining the phone number of a well-connected employee at a target organization. The threat actor texts that user, possibly posing as IT staff, and asks them to verify their credentials for a mission-critical application. If the user falls for it, the threat actor has gained access to the organization and can launch a more sophisticated attack from there.
How To Prevent Smishing
In the age of hybrid work, cloud-first systems, and identity-based applications, many employees may have access to important systems or assets directly from their cell phones, leading to an increase in smishing and other social engineering attacks.
Even though smishing attacks are widespread, there are countermeasures organizations and individuals can take to stay safe.
Smishing prevention for individuals includes:
- Be wary of texts using unnatural or grammatically incorrect language, especially if they arrive from an unknown number
- Avoid clicking on embedded links within text messages
- Do not respond to texts appearing to be from a financial institution asking you to update your account information or provide personal information
- If you get a message that looks to be from a bank or a company you do business with, call the business directly using the phone number found on its website, not the phone number provided in the text
- Never click a link or call the phone number provided in a message if you’re unsure whom it’s from
Smishing prevention for organizations includes:
- Implement a robust security training program that uses effective content and training techniques and keeps staff informed about the newest threats facing individuals and organizations.
- Implement multi-factor authentication (MFA) or other access control measures. This extra level of defense can stop an incident if a threat actor gains credentials from a smishing attack.
- Utilize a managed detection and response (MDR) solution. While MDR can't stop a smishing attack itself, it can detect unusual behavior on networks or endpoints, flagging, and ideally stopping, an attack that began with stolen credentials.
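The attack steps and the warning signs listed above (urgency, embedded links, requests to verify credentials, impersonation of IT or a bank, unknown senders) can be turned into a simple triage rule for texts that employees report to the security team. The following is an added example, not code from the article or from Arctic Wolf; the domain allowlist, brand tokens and sample messages are constructed placeholders.

```python
import re

# Indicators taken from the article: urgency, embedded links, requests to verify
# credentials or account details, and impersonation of IT, a bank, or an executive.
URGENCY = re.compile(r"\b(urgent|immediately|expir(?:es|ing|ed)|suspended|locked|within \d+ hours?)\b", re.I)
CREDENTIAL_REQUEST = re.compile(r"\b(password|passcode|verify|log ?in|credentials|account (?:details|information)|card number)\b", re.I)
IMPERSONATION = re.compile(r"\b(it department|it support|help ?desk|bank|ceo|your boss)\b", re.I)
URL = re.compile(r"https?://([^\s/]+)", re.I)

# Constructed placeholders for the organization's own domains and brand tokens (hypothetical).
TRUSTED_DOMAINS = {"example-corp.com"}
BRAND_TOKENS = {"example-corp", "examplecorp"}

def is_trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def is_lookalike(host):
    # A host that borrows the brand name but is not one of the organization's own domains.
    return not is_trusted(host) and any(t in host.lower() for t in BRAND_TOKENS)

def triage(text, sender_known=False):
    """Return (verdict, reasons) for one inbound SMS reported by a user."""
    reasons = []
    if URGENCY.search(text):
        reasons.append("urgency")
    if CREDENTIAL_REQUEST.search(text):
        reasons.append("credential_request")
    if IMPERSONATION.search(text):
        reasons.append("impersonation")
    for host in URL.findall(text):
        if is_lookalike(host):
            reasons.append("lookalike_domain")
        elif not is_trusted(host):
            reasons.append("external_link")
    if not sender_known:
        reasons.append("unknown_sender")
    verdict = "likely_smishing" if len(reasons) >= 3 else "review" if len(reasons) == 2 else "benign"
    return verdict, reasons

# Constructed sample messages (not real texts); the first mirrors the expiring-password lure described above.
SMISH_IT = "IT Department: your password expires today. Reset it now at https://example-corp-sso.net/reset or be locked out."
SMISH_BANK = "Your bank account has been suspended. Verify your card number at https://secure-update.example.net"
BENIGN = "Your order from Example Corp has shipped. Track it: https://track.example-corp.com/p/123"

if __name__ == "__main__":
    for msg, known in ((SMISH_IT, False), (SMISH_BANK, False), (BENIGN, True)):
        print(triage(msg, sender_known=known))
```

The verdict thresholds are deliberately simple; in practice the reasons list is what an analyst reviews, and the lookalike-domain check is the one that most directly catches the fake reset link pattern from the Twilio incident.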
Explore how threat actors are targeting identity and access management systems with attacks like smishing in the Arctic Wolf Security Operations Report.