Could text messaging be the hackers' new favorite avenue of attack?
Call it what you want: text scams, text phishing, sms phishing.
OR spell it how you want: Smshing or Smishing.
No matter what you call it or how you spell it, it has become an increasingly popular way for the bad guys to get to you, their victim. And these bad guys have been able to easily increase their number of targets by using robots to spread their attacks like wildfire!
With the number of attacks on the rise, you’re sure to have received some yourself.
While you may find some smishing messages obvious — like the CEO you’ve never spoken to texting you a message asking for credentials or even credit card information — there are others that may catch your attention and say the exact right thing to get you to believe it is a legitimate message.
The bad guys are using smishing to go after your personal information, as well as targeting employees because of their access to credentials and other important organization data.
It’s scary to think that a simple text response can be the difference between a failed attack and a full-scale data breach.
With so much at risk, let’s dig into the details of Smishing so you can walk away more confident to protect yourself, those around you, and your organization.
What Is Smishing?
SMS (short messaging service) phishing or “smishing” is a common type of cyberattack where victims receive misleading text messages intended to trick them into providing credentials, access, valuable data, or even downloading malware onto a system. It can also be called cell phone phishing. The most common successful smishing attacks were able to gain access to customer or client data (54%), credentials or accounts (48%), and systems to launch a ransomware attack (46%).
Smishing v. Vishing
Smishing and vishing are both types of phishing attacks performed over the phone. The difference is that smishing uses texts while vishing uses voice calls or voicemails.
Examples of Smishing Attacks
Bad guys are going to make multiple attempts to trick you and they aren’t going to use the same message each time.
This is a game of chance to them.
They know that each message they send won’t tempt everyone.
A message that says “this headline speaks for itself” with a link may not trick you into clicking, but perhaps a text with a link to track a package might. The bad guys know they need to try to trick many people with many different messages because while one message may not trick you, a different one might. Passion clouds your perception. If you are particularly passionate about a subject or type of product, you will WANT the message to be true and allow your curiosity or hope to get the better of your sound judgement and click a link you shouldn’t.
For me, I love camping, which means any message that offers me any free camping gear steps out of the category of “blatant scam” in my mind and enters into the category of “did I really win this? I’d hate to miss out if it’s real.”
The bad guys know this.
They know if they keep sending message after message, eventually they will send you one that appeals to you and tricks you.
In order to build up your defenses and your suspicions of smishing, here are some examples of what smishing attacks look like:
1. “You’ve Won!”
Generic texts that claim you’ve won, that don’t include information about what you’ve won, and where it’s from should be a complete red flag. Also, ask yourself if you entered a contest recently. The reality is, and I’m sorry to inform you that your streak of bad luck is continuing, but, YOU DIDN’T WIN. (Even though you’re a winner in my book!) So don’t click!
2. Company-wide texts asking everyone to login, or update your password.
Know your company’s communication methods. Check with your IT team to see if they would ever communicate with you over text message on something so important. And, if you’re a company, get ahead of this…make sure your employees know how you will communicate with them. Don’t wait until they come to you with a scam text to tell them, “No, we don’t communicate with you in that way.”
3. “Your favorite Candidate needs your support”
Campaign related texts. YIKES! They are enough to fire up the politically charged into clicking links to ‘sign petitions’, ‘donate to the campaign’, or even just click on a link that they think will take them to an ‘article that proves once and for all that the opposing party is finally revealed to be evil.’ You should definitely get out there and vote and do what you’d like to support your party, but never click on any politically related texts from numbers you don’t know!
-My name is Nathan Caldwell and I approve this smishing warning.
4. “Shocking News Headline”
Here’s a word for word scam message I received the other day: “I think I’m going to be sick…. I hate to be the bearer of bad news, but this headline speaks for itself: (scam link here) -John”
This scam uses vague and shocking language as well as a person’s name to pull you into the temptation of wanting to know what they are talking about.
Don’t fall for it. Don’t be tempted to get your news sources from links that strangers are sending you in your text messages.
5. “Sign-in alert, Tap Link”
Make sure you have MFA (multi-factor authentication) set up on your accounts, and if you get a text warning that someone tried to sign in to your bank account or Amazon account from another state, don’t click on the link in the text.
If you get the warning and an MFA request, don’t click the link AND don’t approve the MFA. Be sure to visit the official site of your account, and update your password.
6. “Track Your Package”
If you aren’t expecting a package, don’t click on it. Also, if you’re absolutely curious, head to the official USPS, UPS or Fedex sites and enter the tracking number there. Or, live life on the edge and just ‘wait and see’ if a package shows up at your door, you know, like they did back in the wild, wild west!
7. Requests to provide information to a government agency.
According to the FCC, government bodies almost never contact you by phone or text to ask you to provide information.
8. Offers of coronavirus-related testing, treatment, or stimulus money, or requests for personal information to use for contact tracing.
There are many other example types we could cover, but hopefully these are enough to increase your resilience to resist the temptation to click on links from strangers in your text messages.
To see how some of these scam types have actually worked and played out, take a look at a few real security incidents that happened as the result of smishing.
High-Profile Smishing Examples
Twilio Employees Targeted For Credentials
In this smishing attack, bad guys were able to obtain the cell phone numbers of multiple employees at Twilio and Cloudflare. The employees were then sent a text prompting them to log into their Okta accounts via a link in the message. The link led to a fake domain that looked identical to the Okta login page. If an employee entered their Okta credentials, those credentials were sent to the bad guys on a Telegram chat, effectively granting them access to systems without the employee ever knowing what happened. While multiple employees of Twilio fell for the scheme, it should be noted that a multi-factor authentication system that utilizes hardware stopped any Cloudflare credentials from being compromised.
Hackers Text Bank Of Ireland Customers
In 2020, the Bank of Ireland became aware that a group was sending text messages to customers posing as representatives of the bank. These texts asked individuals to provide bank account information. The bank ended up having to pay for the mistakes of over 300 customers who had fallen for this one attack. Attacks like this, that ask individuals for financial information, are a common form of both phishing and smishing.
What a Smishing Scheme Typically Looks Like
- A cybercriminal sends you a text message, possibly from a spoofed number that makes it seem as though it’s coming from a legitimate business, perhaps even one you’re familiar with as a customer.
- You receive the text message on your phone, or another messaging system. It warns you there is an urgent issue with one of your accounts and asks you to verify information to resolve it.
- You respond, often by clicking on a link or calling a phone number provided, in an effort to clear up the error.
- You’re then directed to a phony website or call center that seems legitimate.
- You may be prompted to provide sensitive information or download some type of malware.
- If you download the malware, you’ve granted the attacker access to your device. Once they have access, they can use it to spy on you, steal sensitive information, or access your accounts. Any personal information you provide can be used to steal your identity and login to your accounts.
Why Do Smishing Messages Work?
Smishing has been working so well for the bad guys because text messages increase their chances of getting their message to their target.
1. Nearly every cell phone can receive texts.
2. Texts stand out and get viewed more than emails or phone calls.
Speaking from my personal experience yet again, I currently have 0 unread texts BUT I have 105 untouched voicemails and in just one of my inboxes I have 16,143 unread emails (which doesn’t include the number of messages filtered into other folders/spam/or the number of messages that were stopped by gateways).
3. Texts Get Your Attention But Your Replies Don’t.
While you may give priority to looking at text messages, it’s not as common for you to take the time to give careful thought to engaging or replying to a text message.
4. We often check text messages with limited attention.
Whenever we get a buzz on our phone, we check our texts: we could be in the middle of a meal, in the middle of a meeting, walking down the hall, or doing any number of activities, and we will still check a text. This makes us easy prey for bad guys, because if we’re distracted or in a hurry to read or engage with a text, our guard will also be down!
What are Smishing Scammers Trying To Get?
Most cybercriminals engaged in smishing are out to steal your personal data, which they can then leverage to steal money from you or your company, use as their pathway into your network of connections, or use as their pathway into the systems within your organization.
The information may include your:
- Social Security Number.
- Credit or debit card numbers.
- Zip code, which helps them use your card if they already have the number.
- Bank name or credit card company, which they can use later in tailored and personalized attacks.
- Work login info.
- Work application information (finding out if you use Outlook or G Suite in your office, for example).
- Org chart information (so they know who they can pose as and make their deception more believable).
- Customer and/or Vendor information (so they can use it to scam your finance team)
- Device and Network Information
When Smishing Is Business And Personal
As companies increasingly adopt bring your own device (BYOD) policies and more employees use their personal smartphones for work, smishing has emerged as not only a consumer threat but a business risk as well. In addition, 56% of respondents to Arctic Wolf’s “State Of Cybersecurity Trends: 2022” survey stated they were unable to adequately manage risk or develop a risk management program in their organization. This leaves open a wide gap for smishing attacks.
The Consequences of A Successful Smishing Attack
The effects of smishing are vast. On a personal level, attackers can wipe out your bank accounts or deceive you into sending them large sums of money. On a macro level, smishing attacks make it more difficult for financial institutions and other service providers to engage in trusted communications with customers via text messaging.
For organizations, an employee exploited by a smishing scheme can instantly open the network for hackers to hold data for ransom or steal sensitive information, both from the company and from customers. This information can then be used to dupe countless other victims into giving up their money and personal information. Vulnerabilities of this magnitude can bring irreparable damage to your organization’s reputation, which causes you to lose credibility with your customers, spend countless hours on remediation, and experience potentially millions of dollars in damages.
How To Defend Against Smishing Attacks
The ubiquity of mobile phone usage, along with the growing number of consumers whose phone numbers have been leaked in data breaches, has contributed to the proliferation of smishing. In addition, in the age of remote work and cloud-first systems, many employees may have access to important systems or assets directly from their cell phones. They may also, as the Twilio attack highlighted, use their phones to log in to assets, which can lead to hackers creating look-alike duplicates of login domains. This is often referred to as a domain attack.
Even though these attacks are increasing, there are countermeasures both organizations and individuals can take to stay safe.
What Can Individuals Do to Stay Safe From Smishing Attacks?
- Be wary of texts using unnatural or grammatically incorrect language, especially if they arrive from an unknown number.
- Avoid clicking on embedded links within text messages.
- Do not respond to texts appearing to be from a financial institution or merchant asking you to update your account information or provide personal info.
- If you get a message that looks to be from a bank or a company with whom you do business with a link or request to provide information, call the business directly. Do not use the phone number provided in the text.
- Never click a link or call the phone number provided in a message if you’re unsure whom it’s from.
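The scheme described under “What a Smishing Scheme Typically Looks Like” and the warning signs in the list above can be turned into a simple triage heuristic. The script below is an added example, not code from the original article or from Arctic Wolf; the sender numbers, links and message texts are constructed to mirror the lure types discussed on this page, and the weights and threshold are assumptions chosen for illustration. It scores each message on the red flags the article names (unknown sender, embedded link, urgency, a request to sign in or confirm account details, and a classic lure such as a prize, package or shocking headline) and reports which messages would warrant a second look.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages modelled on the lure types described above.
# Numbers, domains and wording are made up for this example.
SAMPLE_MESSAGES = [
    ("+15550100001", "I think I'm going to be sick.... I hate to be the bearer of bad news, "
                     "but this headline speaks for itself: http://news-update.example/x -John"),
    ("+15550100002", "USPS: your package could not be delivered. Confirm your address "
                     "within 24 hours: https://usps-redelivery.example/track"),
    ("+15550100003", "Sign-in alert: a login from another state was blocked. Tap to secure "
                     "your account now https://secure-login.example/verify"),
    ("+15550100004", "Congratulations! You've WON! Claim your prize here: http://prize.example/claim"),
    ("+15550100005", "IT Dept: everyone must update their password today at https://okta-sso.example/login"),
    ("+15550100006", "Hey, running 10 min late, order me a coffee?"),
]

# Assumed: the user's address book. Anything else counts as an unknown sender.
KNOWN_CONTACTS = {"+15550100006"}

# Patterns for the red flags the article lists.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
URGENCY_RE = re.compile(r"\b(?:now|immediately|urgent(?:ly)?|today|within \d+ hours?|act fast|right away)\b", re.I)
CRED_RE = re.compile(r"\b(?:log ?in|sign[- ]?in|password|credentials?|verify|confirm|account)\b", re.I)
LURE_RE = re.compile(r"\b(?:won|winner|prize|package|deliver\w*|tracking|headline)\b", re.I)

SUSPICIOUS_THRESHOLD = 3  # assumed cut-off: a link plus one more flag is enough to warrant a second look


@dataclass
class Verdict:
    sender: str
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def triage(sender: str, text: str, known_contacts=KNOWN_CONTACTS) -> Verdict:
    """Score one SMS against the article's red flags; higher means more smishing-like."""
    score, reasons = 0, []
    if sender not in known_contacts:
        score += 1
        reasons.append("unknown sender")
    if URL_RE.search(text):
        score += 2  # links are the main delivery vehicle, so they weigh most
        reasons.append("contains link")
    if URGENCY_RE.search(text):
        score += 1
        reasons.append("urgency language")
    if CRED_RE.search(text):
        score += 2  # a request to sign in / confirm account details is the payload of most lures
        reasons.append("asks for login or account action")
    if LURE_RE.search(text):
        score += 1
        reasons.append("classic lure (prize, package, headline)")
    return Verdict(sender, score, reasons)


def triage_all(messages=SAMPLE_MESSAGES) -> dict:
    """Return a sender -> Verdict map for a batch of messages."""
    return {sender: triage(sender, text) for sender, text in messages}


if __name__ == "__main__":
    for sender, verdict in triage_all().items():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{sender} score={verdict.score} {flag}: {', '.join(verdict.reasons) or 'no flags'}")
```

The heuristic deliberately errs toward flagging: a message from an unknown number that carries a link and any one other sign crosses the threshold, while a plain text from a saved contact scores zero. It is a reading aid, not a filter; the decision the article recommends (go to the official site or call the business directly rather than using the link or number in the text) still belongs to the person holding the phone.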
What Can Organizations Do to Stay Safe from Smishing Attacks?
- Conduct smishing simulations as part of your security awareness training. Such simulations help educate employees on how to identify and react appropriately to these attacks and enable the company’s security team to home in on individual users who may be particularly vulnerable and require additional training.
- Implement multi-factor authentication and consider utilizing hardware as part of that MFA. For Cloudflare, the use of a physical item (a fob plugged into employees’ computers’ USB ports) prevented the hackers from gaining Okta credentials. This extra level of defense can be the difference between a thwarted attack and a data breach.
- If you suspect you’ve fallen victim to a smishing scam, immediately contact the United States Federal Trade Commission (FTC) to file a complaint. The FTC works to prevent fraudulent, deceptive, and unfair business practices in the marketplace. It also provides information to help consumers spot, stop, and avoid such practices.
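The hardware MFA bullet above is worth seeing in working form: the reason a physical security key stopped the look-alike Okta page in the Twilio and Cloudflare incident is that the key's answer is bound to the domain the browser actually loaded, so a credential captured or relayed on a look-alike domain is useless on the real one. The model below is an added example, not code from the article, from Arctic Wolf, from Cloudflare or from any real FIDO2/WebAuthn library; the domains `sso.example.com` and `sso-example.com` are constructed, and an HMAC shared with the relying party stands in for the asymmetric signature a real authenticator produces (the binding logic is the same, the key type is simplified). It plays out the legitimate login, a relay of the real challenge through a look-alike page, and a relay using a credential the attacker registered on their own domain, and shows that only the first succeeds.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


class SecurityKey:
    """Toy hardware authenticator. One credential per relying-party ID (rp_id); it only
    ever signs over the rp_id hash and the client data the browser hands it."""

    def __init__(self):
        self._credentials = {}  # rp_id -> (credential_id, key)

    def make_credential(self, rp_id: str):
        cred_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)  # assumption: HMAC key stands in for a private key
        self._credentials[rp_id] = (cred_id, key)
        return cred_id, key

    def get_assertion(self, rp_id: str, client_data: bytes):
        if rp_id not in self._credentials:
            return None  # no credential scoped to this domain: nothing to sign
        cred_id, key = self._credentials[rp_id]
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        client_data_hash = hashlib.sha256(client_data).digest()
        signature = hmac.new(key, rp_id_hash + client_data_hash, hashlib.sha256).digest()
        return {"credential_id": cred_id, "rp_id_hash": rp_id_hash,
                "client_data": client_data, "signature": signature}


def browser_get_assertion(key: SecurityKey, page_origin: str, challenge: str):
    """The browser, not the page, fills in the origin it actually loaded and derives rp_id
    from it. Script on a look-alike page cannot change either value."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return key.get_assertion(rp_id, client_data)


class RelyingParty:
    """The real login service. It remembers its own origin and checks every assertion against it."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = urlparse(origin).hostname
        self.users = {}    # username -> (credential_id, key)
        self.pending = {}  # username -> outstanding challenge

    def register(self, username: str, key: SecurityKey):
        self.users[username] = key.make_credential(self.rp_id)

    def begin_login(self, username: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[username] = challenge
        return challenge

    def finish_login(self, username: str, assertion) -> bool:
        if assertion is None or username not in self.users:
            return False
        cred_id, key = self.users[username]
        challenge = self.pending.pop(username, None)
        if challenge is None or assertion["credential_id"] != cred_id:
            return False
        client = json.loads(assertion["client_data"])
        # Origin binding: a relayed assertion carries the look-alike origin and is rejected here.
        if (client.get("type") != "webauthn.get" or client.get("challenge") != challenge
                or client.get("origin") != self.origin):
            return False
        if assertion["rp_id_hash"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        expected = hmac.new(key, assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def demo():
    """Returns (legit_login_ok, relay_via_lookalike_ok, relay_with_attacker_credential_ok)."""
    rp = RelyingParty("https://sso.example.com")      # constructed real origin
    key = SecurityKey()
    rp.register("alice", key)

    # 1. Alice logs in on the genuine site.
    legit = rp.finish_login("alice", browser_get_assertion(key, "https://sso.example.com", rp.begin_login("alice")))

    # 2. Alice follows a smishing link to a look-alike domain that relays the real challenge.
    #    Her key holds no credential for that domain, so the browser gets nothing to forward.
    relayed = rp.finish_login("alice", browser_get_assertion(key, "https://sso-example.com", rp.begin_login("alice")))

    # 3. Even if the look-alike site had registered its own credential on her key, the assertion
    #    is signed for the wrong rp_id and carries the wrong origin, so the real site rejects it.
    key.make_credential("sso-example.com")
    relayed_attacker_cred = rp.finish_login(
        "alice", browser_get_assertion(key, "https://sso-example.com", rp.begin_login("alice")))
    return legit, relayed, relayed_attacker_cred


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

Compare this with a one-time code typed into a page: the code carries no notion of where it was typed, so a look-alike page can forward it to the real site within its validity window. The origin and rp_id checks in `finish_login` are what turn a stolen credential into a dead end, which is the property the article credits for Cloudflare's outcome.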
The Biggest Sign You’re A Smishing Target
1. You have a mobile phone.
That’s right: if you can receive text messages, you’re likely to be a target for smishing.
So what can you do about it?
Take proactive steps: learn to recognize smishing, avoid clicking on the links, delete the messages, and warn others around you about the scam so they also avoid it.
Education is the best defense to personally protect yourself and to protect your organization, so we always recommend utilizing a managed security awareness program to educate employees on the dangers of smishing schemes. Arctic Wolf’s Managed Security Awareness® prepares your employees to recognize and neutralize social engineering attacks and human error.
Learn more about Managed Security Awareness.