Watching out for smishing, another social engineering schema used by threat actors
We’ve discussed the dangers of vishing and how modernization with remote resources makes them dangerous. But in the realm of social engineering, there are other dangers too. Smishing is one of them, another type of hack attempt whereby impersonators use SMS and text messages to potentially breach business networks and harm recipients.
Smishing, though not new in concept, has seen a resurgence since the Coronavirus pandemic and widespread adoption of remote networks and utilities. Workers do not have the same checks and balances to identify malicious users or activity. IT workers and security specialists are also not on standby to verify incoming connections and messages. Therefore, the chances of a remote worker (or any staff member) falling victim to a smishing attack increases.
Smishing messages will contain links to malicious websites and/or malware. When aimed at business networks, they seek credentials granting them lateral network access and administrator privileges. When targeting individuals, the goal of smishing is to steal personal account credentials such as bank account details or passwords.
Recognizing the signs of a smishing attempt
It can be difficult to properly identify a smishing attempt without the right knowledge. While IT experts know what to look for, a remote worker is less likely to catch obvious smishing attempts.
There are several ways smishing messages attempt to deceive the recipient, all of which are red flags and should be looked out for.
Exploiting Trust – Social engineering relies on deception. Using trusted names, addresses, and relationships is a handful of ways threat actors attempt to bypass safeguards. An unwary staff member may not catch discrepancies in a text sent from a “safe” contact, like an IT management lead.
Personalization – Hackers may use context-sensitive info collected from various websites and social media to appear legitimate. The use of related occurrences or familiar information is another way to deceive recipients into clicking untrusted links or downloading programs.
Emotional Deception – Urgency is a core part of social engineering. The use of causing alarm or fear to rush the reader into a prompted action increases the chance a smishing attempt will succeed. It could relate to “account information” or alerts regarding security.
Even with these context clues, it’s not clear whether a message is a smishing attempt or not. Workers will need to practice caution and err on the side of safety before responding to unknown messages. Security professionals recommend “trust until verified” as a driving philosophy when defending against social engineering.
How do attackers choose their targets?
Preventing successful smishing attempts (and by proximity additional forms of social engineering) means understanding how they choose targets. Threat actors will always select targets they believe are weakest and most susceptible to social engineering techniques.
Hackers will also research and observe the relationship of a business to its relevant partners. For example, if your SMB relies on Office 365 software suites, smishing attempts will imitate messages and alerts related to Microsoft. Any institutional relationship is levied to increase the chances of successful deception. Everyone is a target if they have a professional relationship, ranging from business ventures, medical data, and even school networks.
Smishing attempts can appear to replicate customer support or claim to relate to bank information. Whatever the reason, it’s done with a trusted source as the “cloak” in hopes to deceive the recipient.
Defending against smishing attacks
Preventing social media attacks is a mixture of monitoring programs and core competencies. Therefore, we suggest:
- Educational programs designed to help staff members identify smishing attempts
- Create one-time authentication codes with security suites to verify incoming messages
- Have a BDR in place in the event of a successful intrusion event
- Create verification strategies
- Offer remote workers support options for text verification
Defending against the robust nature of cybersecurity attacks is not easy, especially with smishing. Always maintain awareness and practice safety first if the nature of an SMS message is unknown.