In the digital age, as our reliance on technology deepens, so does the creativity of malicious actors seeking to exploit vulnerabilities. One of the many growing threats to our security is SMiShing, a blend of SMS (Short Message Service) and phishing. SMiShing attacks use text messages to deceive individuals into divulging sensitive information or performing actions that compromise their security. As these attacks become more sophisticated, understanding their nature, the vulnerabilities they exploit, and the preventive measures against them is paramount.
The Escalation of SMiShing Attacks
SMiShing has emerged as a favored tactic among cybercriminals for several reasons:
- Pervasiveness of Mobile Devices: With the proliferation of smartphones, people are more accessible via text messages than ever before. This accessibility presents a lucrative opportunity for attackers to exploit. For example, most individuals have their phone on them while going about their day. So, a bad actor has an increased chance of reaching them at a time that their guard may be lowered. Perhaps the text message reaches the target while they are busy running errands or trying to enjoy a vacation. These scenarios could lead to decreased vigilance.
- Increased Chance of Interaction: A widely cited Gartner figure puts the share of recipients who open or respond to text messages at between 45 and 98 percent, compared with 6 to 20 percent for email. This data alone makes SMiShing a very appealing attack vector for bad actors, as they have a higher chance of getting a target to engage with the lure.
- Low Barrier to Entry: Launching a SMiShing attack requires minimal resources and technical expertise. Therefore, it is an attractive option for both amateur and seasoned attackers.
Vulnerabilities Exposed by SMiShing
SMiShing exploits various vulnerabilities, including:
- Human Trust: Attackers may leverage social engineering techniques to manipulate human psychology, exploiting trust and inducing victims to take actions against their best interests.
- Inadequate Awareness: Many individuals lack awareness of SMiShing tactics, making them susceptible to these attacks. Individuals may also underestimate the severity of such attacks in comparison to vishing and email phishing, which leaves them vulnerable if a SMiShing attack is executed effectively.
- Device Security: SMiShing often leads recipients to malicious websites or prompts them to download malicious applications, compromising the security of their devices. Unlike corporate email, a text message arrives outside the organization's mail filtering, so the link is typically never scanned before the recipient taps it.
Common SMiShing Scams
There are a variety of SMiShing scams that may be used in the real world, either in a corporate environment or in our personal lives. It is imperative that we are up to date on the latest avenues that attackers may take to compromise our secure data. Here are a few:
- Credential Theft: In a corporate setting, employees may receive texts impersonating IT departments, prompting them to reset passwords on fake login pages. A similar approach might be taken against individuals outside a company. American Express customers saw this tactic firsthand when bad actors sent out fraud alert text messages that looked very similar to the ones they would normally receive, evoking a sense of fear. The text included a link to a spoofed login page where a concerned customer would "log in" to their account, handing their credentials to the attacker in the process.
- Individual Impersonation: Along with impersonating companies, attackers may impersonate specific individuals in relation to their targets. Such individuals could be coworkers, managers, and even friends or family. By impersonating someone the target knows, the bad actor may attempt to coerce their target into lending financial aid. Often bad actors will attempt to do this through social media or over third-party apps such as WhatsApp.
- Package Delivery Scams: Fake delivery notifications are all too common today. Bad actors may trick recipients into providing personal information or clicking on malicious links. By sending these texts to a wide group, they are likely to reach someone who is expecting a package. Similar to the American Express attack, a link is usually included in these SMS messages, leading the victim to a spoofed login page for the delivery service.
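The three scams above share a small set of observable indicators: a message names a brand but links somewhere that brand does not own, the link is hidden behind a shortener or a lookalike host, the wording pushes urgency, and the page asks for credentials or identity data. The following Python script is an added example (it is not part of the original post and is not a Social-Engineer tool) that turns those indicators into a simple triage score and runs it over a handful of constructed sample texts. The brand-to-domain table, keyword lists, thresholds and sample messages are all assumptions made up for the example; a real deployment would populate the brand table from the organization's own vendors and use a public-suffix-aware domain parser.

```python
import re
from urllib.parse import urlparse

# Brands an attacker is likely to impersonate, mapped to the domains they
# legitimately use. CONSTRUCTED for this example; not an authoritative list.
KNOWN_BRANDS = {
    "american express": {"americanexpress.com", "aexp.com"},
    "amex": {"americanexpress.com", "aexp.com"},
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
}

# Heuristic lists, also constructed for the example.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "rb.gy"}
URGENCY_TERMS = ("immediately", "suspended", "within 24 hours", "verify now",
                 "urgent", "locked", "final notice")
CREDENTIAL_TERMS = ("password", "log in", "login", "sign in", "verify your account",
                    "confirm your identity", "ssn", "card number")

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host):
    """Last two labels of a hostname. Good enough for .com/.net style names;
    multi-label suffixes such as co.uk need a public suffix list (out of scope)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_hosts(text):
    """Pull every hostname out of the URLs in a message."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url          # bare www. links have no scheme
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def claimed_brands(text):
    """Brands the message claims to come from (whole-word match, lowercase text)."""
    return [b for b in KNOWN_BRANDS if re.search(r"\b" + re.escape(b) + r"\b", text)]


def triage(message):
    """Score one SMS and return {'score', 'verdict', 'reasons'}."""
    text = message.lower()
    score, reasons = 0, []
    brands = claimed_brands(text)

    for host in extract_hosts(message):
        reg = registered_domain(host)
        if reg in SHORTENERS:
            score += 2
            reasons.append(f"shortened link {host}")
        for brand in brands:
            if reg not in KNOWN_BRANDS[brand]:
                # Brand named in the text, link goes elsewhere: the spoofed
                # login page pattern from the Amex and delivery scams above.
                score += 3
                reasons.append(f"mentions {brand} but links to {host}")
                # Lookalike host that embeds the brand name (e.g. brand-secure-verify.com).
                if brand.replace(" ", "") in re.sub(r"[^a-z0-9]", "", host.lower()):
                    score += 2
                    reasons.append(f"lookalike host {host}")

    if any(t in text for t in URGENCY_TERMS):
        score += 1
        reasons.append("urgency language")
    if any(t in text for t in CREDENTIAL_TERMS):
        score += 1
        reasons.append("asks for credentials or identity data")

    verdict = "block" if score >= 5 else "review" if score >= 2 else "allow"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# CONSTRUCTED sample messages; none of these are real texts.
SAMPLE_MESSAGES = [
    "American Express Fraud Alert: unusual activity detected. Verify your account "
    "immediately at http://americanexpress-secure-verify.com/login",
    "USPS: your package is on hold. Confirm your address within 24 hours: https://bit.ly/3xyzABC",
    "Your Amex statement is ready. Sign in at https://www.americanexpress.com to view it.",
    "Hey, it's Dana from work, can you pick up the lunch order on your way in?",
]


def triage_all(messages=SAMPLE_MESSAGES):
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage_all()):
        print(f"[{result['verdict']:6}] score={result['score']} {msg[:60]}...")
        for reason in result["reasons"]:
            print(f"          - {reason}")
```

The genuine Amex statement reminder still picks up one point for "sign in", which is why the verdict uses thresholds rather than treating any single indicator as conclusive; the strongest signal by far is the mismatch between the brand a message names and the domain it actually links to, which is exactly what the independent verification advice later in this post asks a recipient to check by hand.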
Lessons Learned and Moving Forward
As we navigate the evolving landscape of cyber threats in 2024 and beyond, several key lessons emerge:
- Education and Awareness: Continuous education on identifying and mitigating SMiShing attacks is crucial for individuals and organizations alike. Verifying a sender's identity independently, and reaching the service through its official app or a known bookmark rather than the link in the message, are practices everyone should be familiar with.
- Vigilance and Skepticism: Adopting a skeptical mindset towards unsolicited messages and verifying the authenticity of requests can mitigate the risk of falling victim to SMiShing scams. Exercising this caution is especially valuable when the SMiSh is designed to override critical thinking and provoke an emotional response.
- Technology Solutions: Implementing additional security measures, such as mobile threat defense solutions and multi-factor authentication, can bolster defenses against SMiShing attacks. Note that a spoofed login page can also prompt for the one-time code or push approval and relay it to the real site in real time, so SMS- or push-based MFA limits the damage of a stolen password but does not stop it; phishing-resistant methods such as FIDO2 security keys or passkeys do, because the credential is bound to the genuine site's origin.
Increase Your Employees’ Security Awareness
SMiShing poses a significant threat to both corporate entities and individuals, exploiting vulnerabilities in human psychology and technology. By understanding the nature of these attacks, implementing preventive measures, and fostering a culture of cybersecurity awareness, we can fortify our defenses against SMiShing and other emerging threats in the years to come.
At Social-Engineer LLC, we perform SMiShing simulations for our clients to help increase their employees' security awareness. Our SMiShing program is highly customizable to fit the needs of your company and provides detailed datasets that help to identify areas of concern or strength among your staff.
Written by
Josten Peña
Human Risk Analyst