Smishing, a relatively new form of cyberattack, is threatening millions of small businesses and consumers worldwide. Smishing is a phishing attack that uses text messages instead of emails to entice the recipients to click on phony links. The links draw them to websites which either download malware or exchange personal information.

Some Eye-Opening Statistics

  • A security software firm reported that only 23% of users above 55 years could define Smishing correctly. In comparison, only 34% of people between 23-38 years of age demonstrated awareness of the term.
  • Upon the onset of the COVID-19 pandemic, authorities started using SMS to communicate about contact tracing, lockdowns, and vaccine options. It created a fertile ground for threat actors to launch smishing attacks. The next caller said that 44% of Americans reported increased scam text messages and phone calls during the first two weeks of the lockdown period.
  • In 2020, the Bank of Ireland paid out €800,000 (About $935,000) to 300+ bank customers whose information got compromised in a smishing scam.
  • The FBI’s cybercrime complaint division, the IC3 (Internet Crime Complaint Center), documented a steady growth of cyber scams globally in 2020. It reported over 240,000 victims of phishing, Smishing, vishing (phishing over the phone), and pharming attacks, costing over $54 million in losses. 


phishing definition

(Source: Safety Detectives)


How Does Smishing Work?

Here’s how Smishing works:

  1. A malicious actor will send you an SMS (text message) that asks you to click on a link.
  2. If you click on the link, it will redirect you to a fake website that will ask you to enter your information in a phishing form. The threat actor controls this fake web form, but it looks identical to a trusted webform (like an Amazon login page or a PayPal login page).
  3. Alternatively, the website might try to download malicious software on your mobile device.

Basically, like a phishing email, the cyber adversary tries to get your sensitive information through an SMS in a smishing attack. The malicious actor urges you to give your personal information – health insurance information, credit card number, or social security number, failing which something terrible might happen to you (your credit card might get blocked, etc. The best measure is to avoid the message and report it to relevant authorities.


Why is Smishing Successful?

There are various reasons why Smishing is successful:

  • Phishing and its variants like Smishing involve social engineering tactics intended to convince victims of the sender’s trustworthiness, create urgency, or both. Trustworthiness gets established through official-looking emails, login pages, or contact names that the victim will recognize and trust.
  • Smishing attempts try to manipulate the victim’s emotional state and influence their judgment. They make claims about already compromised accounts or suggest that a business disaster is imminent if appropriate steps are not taken.
  • While emails are equipped with email phishing protection, incoming text messages do not have traditional authentication systems and spam filters in place. Thus, the text messages lack the initial line of defense against phishing attacks.
  • Text messages reflect a mix of personal and business correspondence. The familiar and varied threads in the user’s inbox can obscure suspicious information.
  • User fatigue also plays an important role that contributes to the success of smishing attacks. Mobile users may receive hundreds of texts every day, and threat actors exploit every opportunity to steal information. Since these attacks can take many forms, they take advantage of the dropped defenses of the users.


Are Individual Users The Sole Victims?

While individual users are more prone to smishing attacks, businesses are also adversely affected by them. These attacks frequently result in compromised system credentials, making them a significant attack vector against a wide range of business systems.

Risks involved with smishing attacks are not limited to having your customers or business users cough up sensitive information. Organizations need to be aware that their customers are potential targets of phishing attacks using their brand name and realize that such attacks can damage corporate brand reputation.


How to Protect Against Smishing Attacks?

Individuals must realize that they can keep themselves safe by simply doing nothing. Smishing attacks cause damage only when the users take the bait. Following are the steps organizations can take to keep their employees safe from smishing threats:

  1. Gain Knowledge About How Educated The Employees Are In Cybersecurity: Before framing any policies, it can be helpful to understand your employees’ cybersecurity awareness. You can conduct a simple survey with questions that measures their alertness level against different scam attempts. Knowing your employees’ knowledge on the issue will help you develop your cyber awareness training program.
  2. Have Clear Restrictions and Policies Around BYOD: If employees can use their smartphones for work, it is prudent to have a Bring Your Own Device (BYOD) policy in place. It will set clear guidelines and expectations around everything from cyber threat detection to app usage.
  3. Use Access Control: Every employee does not need access to all the files. Limit access to websites, networks, and databases to only the people who need to use them. It will reduce the potential exposure to smishing attacks. For instance, organizations can instruct employees to encrypt files and emails rather than sending them directly.
  4. Encourage Employees To Notify About Potential Scams: Ensure the workforce understands how to get advice on suspicious messages and report threats. The IT teams may have anti-phishing solutions in place, but they will need all the help they can get to track and stop new attacks.
  5. Keep Your Clients/Customers Informed About Possible Smishing Attacks: If it comes to your notice that someone is using your organization as part of a smishing or phishing campaign, inform your customers/ clients at the earliest. It will help you to prevent an unwanted data breach or corporate damage.


Final Words

Phishing attacks are continually evolving in complexity and subtlety. Recent trends are testimony to the fact that smishing or SMS phishing attacks are rising rapidly. The best solution to counter these attacks is by simply becoming more aware. While businesses like delivery services and banks may send text messages occasionally, they will never require customers’ responses with personal information. For those running small businesses, stepping up employee training is the best phishing protection against smishing attacks.