Malicious actors are always improving their methods of attacks, and smishing represents a new twist on an old trick. In a smishing attack, hackers will send out text messages to potential victims asking for information or action, such as contacting a fake email address. Smishing functions very similarly to phishing, and often the attack can be spotted with many of the same tips and tricks used to prevent phishing emails so long as employees are aware of this attack vector.
What is Smishing?
The term smishing is a combination of SMS and phishing, which reflects its use of text messages as a means of delivering phishing-like attacks, but malicious actors will now also use popular messaging apps that they know a business uses to perform smishing attacks. This attack can happen to anyone whose phone number has been leaked on the dark web, stolen in a security breach, or acquired through a public list of any kind. Malicious actors will leverage information they know about a company to make the attack seem more official, but they often have poor spelling, incorrect information, or obvious tells that they are an attack, just like phishing emails.
Common Tactics
Smishing tactics often take a wide-net approach and send text messages that may be unexpected but cause alarm that encourages the receiver to respond. For example, an attack may impersonate a health organization asking about COVID-19 contact tracing, which encourages the victim to give up personally identifiable information that could be used for later attacks. Additionally, smishing attacks can target a single business and impersonate a high-ranking team member with an urgent request, which will encourage employees to act before they realize the text message is part of a smishing attack. A successful attack can lead to sensitive information being leaked or the needed setup for a malware attack.
Prevention
Smishing prevention begins with awareness. Small businesses should work with a local IT consultant to provide their employees with the latest attack strategies that smishing campaigns are using in their industry. Some of the best practices for not falling for a smishing attack include not responding to unfamiliar numbers at all, taking the time to think through whether or not the request is expected or reasonable, and ensuring small details like names are correct. If there is any reason to believe a message is malicious, employees should reach out to the supposed message sender through a different communication method before taking any action.
Summary
While smishing attacks may not be new, for many people they can be a novel form of attack and therefore unexpected. A malicious text message can catch an employee off guard and cause them to act before they think, and this is one of the reasons malicious actors will use this attack to gain information or initial access to a network. By working with a local IT consultant, small businesses can ensure they have the proper training and security services in place to educate their employees and mitigate harm from successful attacks.
