
Phishing goes mobile


Calum Baird at Systal uncovers the growing smishing threat to businesses


With mobile phones now ubiquitous, it is no surprise that smishing remains a popular attack vector for cyber-criminals. Smishing campaigns have grown in recent years, with a 328% increase in 2020 and 76% of businesses being targeted by smishing attacks.


This article will explain the concept of smishing, the risks it presents to your business, and steps you can take to mitigate these risks and protect your organisation from this cyber-security threat.


What is ‘smishing’?

The word smishing combines two terms:

  • Short Messaging Service (SMS): The technology used for text messages on mobile phones
  • Phishing: A social engineering tactic in which cyber-criminals use fraudulent communications (typically emails) to deceive victims

Social engineering, in the context of cyber-security, is the psychological manipulation of people so that they reveal confidential information or perform an action such as downloading malware or transferring funds. Cyber-criminals know that humans are one of the weakest links in information security: 98% of cyber-attacks rely on social engineering. These attacks, although often simple, can be costly, with the average cost of a social engineering attack being $130,000.


Smishing attacks use messages (either SMS or a dedicated messaging platform such as WhatsApp, Telegram or Signal) that pretend to come from a genuine sender. The purported sender is often another organisation, the government, or a specific individual such as a C-suite executive or a family member. The messages typically use fear and time pressure to trick individuals into taking quick and risky actions such as visiting a website, downloading a file, or transferring funds.
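The three traits described above (a claimed trusted sender, fear or time pressure, and a push towards a risky action such as a link, a download or a payment) can be turned into a simple triage heuristic for messages that staff report. The following is an added example written for this page, not code from the article's author or from Systal; the indicator word lists, the scoring threshold and the sample messages are all constructed assumptions for illustration and are not a published detection ruleset.

```python
"""Heuristic triage of reported text messages for smishing indicators.

Added example: scores a message on the traits the article describes
(impersonation of a trusted sender, urgency, a risky call to action, and
a link) so that staff reports can be prioritised for review by a SOC or
IT team. Word lists and thresholds are assumptions for this example.
"""
import re
from dataclasses import dataclass, field

# Assumed indicator lists; a real deployment would tune these to the
# organisation's own reported messages.
IMPERSONATION = ("hmrc", "bank", "royal mail", "dvla", "ceo", "it support")
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended",
           "final notice", "act now")
RISKY_ACTION = ("click", "download", "transfer", "pay", "verify your",
                "gift card")
# Matches explicit http(s) URLs or bare domains with a few common TLDs.
URL_RE = re.compile(
    r"https?://\S+|\b[\w-]+\.(?:com|co\.uk|net|info|top|xyz)\b", re.I)


@dataclass
class Triage:
    """Score (0-4) plus the human-readable reasons that contributed."""
    score: int
    reasons: list = field(default_factory=list)


def triage_message(text: str) -> Triage:
    """Return one point per indicator family present in the message."""
    t = text.lower()
    result = Triage(0)
    checks = (
        (IMPERSONATION, "claims a trusted sender"),
        (URGENCY, "fear or time pressure"),
        (RISKY_ACTION, "asks for a risky action"),
    )
    for words, reason in checks:
        if any(w in t for w in words):
            result.score += 1
            result.reasons.append(reason)
    if URL_RE.search(t):
        result.score += 1
        result.reasons.append("contains a link")
    return result


def is_suspicious(text: str, threshold: int = 3) -> bool:
    """Flag for review when enough indicator families co-occur."""
    return triage_message(text).score >= threshold


# Constructed sample reports; none of these are real messages.
SAMPLES = [
    "HMRC: You have an unpaid tax bill. Pay immediately at "
    "http://hmrc-refund.example to avoid prosecution.",
    "Hi, it's the CEO. I'm in a meeting, urgently need you to buy "
    "gift cards and send me the codes.",
    "Royal Mail: your parcel could not be delivered. Reschedule within "
    "24 hours at royalmail-redelivery.example.top",
    "Hi! Running 10 mins late, see you at the cafe.",
]


def triage_all(messages=SAMPLES):
    """Triage a batch of reports and return them highest score first."""
    ranked = [(triage_message(m), m) for m in messages]
    ranked.sort(key=lambda pair: pair[0].score, reverse=True)
    return ranked


if __name__ == "__main__":
    for result, msg in triage_all():
        flag = "REVIEW" if result.score >= 3 else "ok"
        print(f"[{flag}] score={result.score} {', '.join(result.reasons) or '-'}")
        print(f"         {msg}")
```

The scorer is deliberately coarse: a single indicator (a link in a delivery notice, the word "bank" in a genuine message) is normal, so only messages where several families co-occur are raised for review. Its value is less as a filter than as a concrete statement of what awareness training should teach staff to notice, and as a way of ordering the reports that a just culture encourages them to send.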


Given that smishing involves mobile phones, there are essentially two smishing attack vectors cyber-criminals can use to infiltrate businesses:

  • Personal devices: Employee-owned devices used to access business assets, including emails, files and communication platforms (such as Microsoft Teams), either in accordance with a Bring Your Own Device (BYOD) policy or without organisational approval or awareness (shadow information technology)
  • Work devices: Business-owned devices issued to employees for use in accordance with their role

What are the business risks?

The risk common to both is that smishing can give cyber-criminals access to your organisational data, which could result in:

  • Data breaches: Cyber-criminals stealing your data to blackmail your business (such as through ransomware) or to cause reputational damage
  • Operational disruption: Disruption to information technology systems, caused either by the cyber-criminals or by the steps taken to contain the attack, slowing or halting productivity
  • Financial loss: Through funds or goods transferred fraudulently by cyber-criminals, fines for regulatory compliance failures, higher cyber-insurance premiums, and the costs of recovery and of restoring operations and systems
  • Reputational damage: The harm to your organisational reputation and to the confidence of customers, clients and colleagues in your ability to secure your systems and their data

Data breaches alone can be significantly costly and, in many cases, are costly enough to leave businesses bankrupt.


Protecting business from smishing

Now that you know the risks, you might be asking what actions can be taken to mitigate them.


There are several methods which, implemented together, reinforce one another and improve your cyber-security posture against smishing:

  • Improve staff awareness: Cyber-security training for staff, and awareness of techniques such as social engineering, phishing and smishing, are essential to preventing these attacks from succeeding
  • Comprehensive policies: Consider whether it is appropriate for staff to use their personal mobile phones for work purposes, and what data is available through those devices, particularly if business data is accessible on them. A well-written BYOD policy can help with this
  • Technical controls: For work devices, ensure that appropriate technical controls are in place and that devices and software are regularly updated. Mobile Device Management (MDM) software can assist with this, as can proper auditing to ensure compliance
  • Just culture: Implementing a just culture, where the focus is “what went wrong?” rather than “who caused the problem?”, empowers employees to report smishing and helps your business identify and mitigate the impact of successful attacks. This cultural approach is widely used in the aviation industry and focuses on identifying gaps in processes and policies rather than blaming individuals, leading to continuous organisational improvement
  • Enhanced protection: A Security Operations Centre (SOC), whether internal or outsourced, together with other additional security measures can provide a defence-in-depth approach for your business and a safety net when users fail to identify smishing attacks

This list is non-exhaustive and there is no one-size-fits-all solution, so having the right cyber-security experts to guide your business to a strong security posture is essential to keeping your business secure and operational, now and in the future.


Several of the risk mitigation strategies listed above can be implemented at no or low cost. Whilst funding organisational cyber-security might not have an immediately obvious return on investment, the adverse operational and financial impact avoided by preventing a cyber-attack is invaluable.


Calum Baird is Digital Forensics Incident Response Consultant at Systal


Main image courtesy of iStockPhoto.com and Saksit Sangtong

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543