Smishing, which typically uses text messages to defraud people into sharing sensitive personal information, is on the rise.
In this blog, we discuss why smishing is increasing and what you can do to reduce the risks to your organisation and employees.
What is smishing?
Smishing is a form of phishing that uses text messages to trick recipients into disclosing personal information or downloading mobile malware. “Smishing” is a portmanteau, which combines “SMS” (short message services or texting) and “phishing”. Despite its name, it is not limited to text messaging and now includes mobile messaging apps, such as Facebook Messenger and WhatsApp.
How smishing works
Smishing begins with messages being sent to victims purporting to be from a reputable source, such as a bank or government body. Victims are tricked into sharing sensitive information, which is then used to gain access to financial resources or valuable data. It targets individuals but is often used as part of broader campaigns to compromise a company, with attackers seeking to gain access to networks and data.
Smishing is on the rise
In 2021, smishing attacks increased by almost 700%. The UK suffered the majority of attacks, with the number of reports being 15 times higher than in the U.S. The surge was suspected to be linked to the rise in parcel deliveries during the pandemic: lockdown restrictions increased the use of e-commerce and delivery services, many of which send text message notifications, giving attackers a pretext that recipients were already expecting. Parcel and package delivery scams accounted for 67.4% of smishing attempts in 2021, while messages impersonating banks and financial services made up a smaller share.
More recently, there has been a 500% increase in mobile malware infections throughout Europe since the start of February 2022. There has also been a notable increase in attacks using mobile messaging, including smishing attacks.
The threat is now so serious that the National Cyber Security Centre (NCSC) recently published new guidance for companies to ensure that they are communicating with their audience securely and effectively when using text messaging services.
How to protect your organisation against smishing
With the smishing threat remaining prominent, there are a number of steps your organisation can take to respond effectively:
Apply access control: A comprehensive policy of least privilege across your organisation is a vital aspect of cyber defence. Ensuring that employees only have access to the company assets appropriate to their role and level limits the damage if they later disclose their credentials to a smishing message, because the attacker inherits only that narrow set of permissions.
Adopt a secure BYOD policy: If your employees use their personal smartphones for work, ensure that you have a clear bring your own device (BYOD) policy, which clearly outlines how they should respond to suspicious text messages.
Encourage reporting: Set a company policy that encourages employees to notify your security team as soon as they receive what they believe is a smishing attempt, and make reporting easy and blame-free so that people who have already clicked still come forward. Reporting these messages to mobile service providers also helps to disrupt smishing campaigns; in the UK, most networks accept suspicious texts forwarded to 7726.
Set out response plans: Develop a quick and actionable strategy to enable your organisation to act fast in the event of a successful smishing attack, covering the immediate steps (resetting the disclosed credentials, revoking active sessions, checking for follow-on access to company data and other assets) and who is responsible for each.
Adopt effective technical solutions/mitigations: Set up key technical mitigations and regularly check them to ensure that they are configured correctly. These can include endpoint detection and response (EDR), next-generation antivirus and anti-phishing filtering on your mail servers. Bear in mind that these controls protect managed endpoints and email, not the personal phones on which most smishing lands, so pair them with multi-factor authentication on company accounts so that a disclosed password alone is not enough to gain access.
Provide support and training: Ensure your employees are kept up-to-date about smishing, and training and awareness covers the following advice:
- Be vigilant about any text that demands an urgent response; manufactured urgency is a common red flag for smishing.
- Do not reply to suspicious text messages, even to reply “Unsubscribe” or “STOP”, as any reply confirms to attackers that your phone number is live.
- Avoid opening hyperlinks in text messages, even if the message appears to come from a trusted source, as sender names can be spoofed. Go to the organisation’s website or app directly instead.
- Be wary of text messages that are long or complicated; legitimate messages tend to be short and concise.
- Never reply to text messages from the sender number “5000”; this number is linked to email-to-text services and is one of the ways in which smishers hide their real phone numbers.
- Be particularly vigilant if a text asks for personal information such as passwords, PINs or card details; genuine organisations would not ask for this by text.
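The red flags in the list above can also be applied mechanically when a security team triages texts that employees report. The following is an added example, not Kroll’s code or part of the original post: it scores a reported message against those heuristics (embedded links, urgency, requests for personal data, the “5000” email-to-text sender, unusual length). The keyword lists, score weights and the threshold for “likely smishing” are assumptions of this example, and the sample messages are constructed for illustration.

```python
"""Heuristic triage of employee-reported text messages for smishing red flags.

Added example, not code from the original post. The red flags mirror the
awareness advice (links, urgency, requests for personal data, the "5000"
email-to-text sender, long messages); the keyword lists, weights and the
threshold below are assumptions of this example, not guidance from the post.
"""
import re
from dataclasses import dataclass
from typing import List

# Links as they appear in SMS: scheme-prefixed or bare "www." hosts.
URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"]+', re.IGNORECASE)

# Phrases that manufacture urgency (assumed list, stemmed loosely).
URGENCY_RE = re.compile(
    r"\b(urgent(?:ly)?|immediate(?:ly)?|within 24 hours|suspen(?:d|ded|sion)"
    r"|final notice|act now|expir(?:e|es|ed|y|ing)|last chance)\b",
    re.IGNORECASE,
)

# Requests for authentication or personal data (assumed list).
PERSONAL_DATA_RE = re.compile(
    r"\b(password|passcode|pin|one[- ]time code|otp|card number|sort code"
    r"|account number|date of birth|national insurance)\b",
    re.IGNORECASE,
)

# Sender IDs associated with email-to-text gateways, per the advice above.
EMAIL_TO_TEXT_SENDERS = {"5000"}

LONG_MESSAGE_CHARS = 200  # assumption: longer than this counts as "long"
LIKELY_THRESHOLD = 2      # assumption: score at or above this is flagged


@dataclass
class Verdict:
    sender: str
    score: int
    flags: List[str]
    urls: List[str]

    @property
    def likely_smishing(self) -> bool:
        return self.score >= LIKELY_THRESHOLD


def extract_urls(text: str) -> List[str]:
    """Return links in the message, trimming trailing punctuation that a
    messaging client would not treat as part of the link."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def triage(sender: str, text: str) -> Verdict:
    """Score one reported message against the smishing red flags."""
    flags: List[str] = []
    score = 0
    urls = extract_urls(text)
    if urls:
        flags.append("contains link")
        score += 1
    if URGENCY_RE.search(text):
        flags.append("urgent call to action")
        score += 1
    if PERSONAL_DATA_RE.search(text):
        # Asking for credentials or card data is the strongest single signal.
        flags.append("asks for personal or authentication data")
        score += 2
    if sender.strip() in EMAIL_TO_TEXT_SENDERS:
        flags.append("email-to-text sender id")
        score += 1
    if len(text) > LONG_MESSAGE_CHARS:
        flags.append("unusually long")
        score += 1
    return Verdict(sender.strip(), score, flags, urls)


# Constructed sample reports (sender, message text); example.com/example.net
# are reserved documentation domains, not real smishing infrastructure.
SAMPLE_REPORTS = [
    ("5000", "Your parcel could not be delivered. Pay the redelivery fee "
             "within 24 hours at http://example.com/redeliver, or it will be returned."),
    ("YourBank", "URGENT: unusual activity on your account. Confirm your PIN and "
                 "card number at www.example.net/verify to avoid suspension."),
    ("Dentist", "Reminder: your appointment is on Tuesday at 10:30. Reply C to confirm."),
]


def triage_all(reports=SAMPLE_REPORTS) -> List[Verdict]:
    return [triage(sender, text) for sender, text in reports]


if __name__ == "__main__":
    for v in triage_all():
        label = "LIKELY SMISHING" if v.likely_smishing else "probably benign"
        print(f"{v.sender:>8} | score={v.score} | {label} | {', '.join(v.flags) or '-'}")
        for url in v.urls:
            print(f"         link to check: {url}")
```

The extracted links are the useful output for the security team: a flagged link can be submitted to URL reputation services or blocked on the corporate proxy before other employees who received the same campaign act on it. Scores like this are only a triage aid; a human should still review anything flagged, and a low score does not prove a message is safe.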
How Kroll can help
As a leading provider of end-to-end cyber risk management services, Kroll is well-placed to help your organisation minimise and mitigate the risks of smishing and other forms of social engineering. Whatever your security challenges, our global team of experts are here to help.