How to incorporate smishing into security awareness training
Smishing is a major threat on enterprise smartphones, but users might not know how it compares to traditional email phishing. IT can help block attacks with training and testing.
As more workers access corporate data on their mobile phones, IT must adjust security training to address the threats that target these devices.
SMS phishing, or smishing, is a type of phishing attack that uses Short Message Service text messages instead of emails. Like email-based phishing attacks, the purpose of these messages is to trick recipients into revealing sensitive information or clicking on malicious links.
In recent years, smishing has become a major attack vector. One reason this type of social engineering attack is attractive to cybercriminals is the lack of user awareness. Many organizations have invested heavily in teaching employees how to spot email phishing attempts while largely ignoring the threat of smishing. To maintain enterprise security in today's threat landscape, IT teams must train users to recognize and report smishing attempts.
Why is smishing a threat to enterprise security?
It might be tempting to think of a smishing attack as a cyberthreat that only affects an end user's smartphone. However, this kind of attack can have consequences for the enterprise, even if it's directed at a personal device. For example, hackers often design smishing attacks to steal users' credentials. If a user were to enter their work credentials in response to such an attempt, it could give the attacker access to the corporate network.
Of course, there are many different types of smishing attacks, and they don't always focus on credential theft. Some attacks try to plant malware on users' mobile devices. If a user were to access the enterprise network from an infected device, the malware on the device could give the hackers a backdoor into the network. This is an especially concerning possibility for any organization that has a BYOD program.
Smishing's edge over other phishing methods
In addition to the lack of user awareness, smishing is a uniquely dangerous form of phishing for a few reasons. Smishing can be more effective than email phishing because text messages are typically opened and read more often, and more quickly, than emails, so a malicious link gets in front of the user sooner.
Some users might think of text messages as being more credible than email messages. Spam emails are commonplace, so most users don't bother to interact with anything that looks slightly fake or unimportant. By contrast, since spam texts are less prevalent, users might be more willing to trust a questionable text message. Emails also tend to be longer than text messages, so there's more room for errors and other red flags users can find.
Feasible protection measures are another issue. IT can't defend against smishing with traditional email security tools. Unlike a corporate email, a smishing text travels from the sender, through the carrier, straight to the recipient's handset. It never passes through the employer's mail gateway or network, so there is no chokepoint at which the organization can inspect it. For messages sent to end users' personal devices in particular, this leaves organizations with little or no ability to filter them.
There are apps that can detect smishing attacks after the fact. With these tools, IT teams can identify any pattern of attacks targeting employees and act accordingly. Because smishing attacks often target employees within an organization, some IT departments also set up a dedicated phone number to which users can forward suspicious texts. This enables administrators to make users aware of current smishing campaigns. These tactics are helpful, but they can't provide more systematic prevention.
Training end users to prevent smishing attacks
To make up for the lack of effective prevention tools, organizations should incorporate smishing training into their broader cybersecurity awareness programs.
Security admins can include guidance on smishing as part of phishing or mobile security modules. Lessons should cover the following information:
Examples of smishing text messages. Go over red flags such as requests for bank account information or other sensitive data, spelling or grammar errors, urgent language, unusual phone numbers and shortened URLs.
How to react to a suspicious text message. Instruct users on how to determine whether a message is fraudulent and how to report the incident.
What to do when a successful smishing attack occurs. Walk through the steps users should follow if they realize they've fallen for a smishing scam. Explain how to reach the IT team and the mitigation measures it might take, such as quarantining the device and scanning for malware.
Best practices to prevent phishing and other threats. Make sure employees understand key principles of cybersecurity in general. Users should know how to protect corporate and personal data across their devices.
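The red flags listed above (requests for sensitive data, urgent language, unusual sender numbers, shortened or otherwise suspicious links) can be turned into a simple checklist that trainers can run over sample messages to show users how several weak signals add up. The script below is an added example written for this article, not a tool from the original page or a product; the term lists, shortener list and sample messages are constructed for illustration, and the "two or more flags" threshold is an arbitrary choice, not a recommendation. It deliberately does not try to detect spelling errors, which needs a dictionary and human judgement.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed lists for the example; a real deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly"}
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "suspended", "final notice", "act now")
SENSITIVE_TERMS = ("password", "account number", "social security", "verify your identity", "pin code")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _url_flags(body: str) -> list:
    """Flag links that hide their destination: URL shorteners and bare IP addresses."""
    flags = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:!?)")  # drop trailing punctuation the regex swallowed
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            flags.append(f"shortened URL ({host})")
        elif _is_ip_literal(host):
            flags.append(f"link to a bare IP address ({host})")
    return flags


def _sender_flags(sender: str) -> list:
    """Treat an international number (+ and 8-15 digits) or a 5-6 digit short code as normal."""
    if re.fullmatch(r"\+\d{8,15}", sender) or re.fullmatch(r"\d{5,6}", sender):
        return []
    if "@" in sender:
        return ["sender is an email-to-SMS gateway address"]
    return ["sender number has an unusual format"]


def _term_flags(text: str, terms, label: str) -> list:
    hits = [t for t in terms if t in text]
    return [f"{label}: {', '.join(hits)}"] if hits else []


def score_sms(sender: str, body: str) -> dict:
    """Collect the red flags in one message; two or more independent flags marks it suspicious."""
    text = body.lower()
    flags = []
    flags += _sender_flags(sender.strip())
    flags += _url_flags(body)
    flags += _term_flags(text, URGENCY_TERMS, "urgent language")
    flags += _term_flags(text, SENSITIVE_TERMS, "asks for sensitive data")
    return {"sender": sender, "flags": flags, "suspicious": len(flags) >= 2}


# Constructed sample messages: two lures, one benign text, one with a single weak signal.
SAMPLE_MESSAGES = [
    ("+15551234567",
     "USPS: your package could not be delivered. Confirm your address within 24 hours: https://bit.ly/3xYzAb"),
    ("alerts@secure-login.example",
     "Your account is suspended. Verify your identity and password at http://203.0.113.7/login"),
    ("+15559876543",
     "Hi, running 10 min late for lunch, see you at the usual spot."),
    ("+447700900123",
     "Reminder: your dentist appointment is tomorrow at 9am. Reply C to confirm. https://bit.ly/clinic"),
]


def review_samples() -> list:
    return [score_sms(sender, body) for sender, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for result in review_samples():
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} {result['sender']}")
        for flag in result["flags"]:
            print(f"           - {flag}")
```

In training, the point of walking through the output is not the verdict but the flags: the dentist reminder shows that a shortened link on its own proves nothing, while the "suspended account" text stacks an odd sender, an IP-address link, urgency and a credential request, which is the pattern users should learn to recognize.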
Test employees' security awareness with smishing simulations
Organizations can reinforce the lessons from security awareness training through phishing simulations. To perform this kind of test, organizations send harmless but realistic phishing messages to their users. By keeping track of which users tap on links within these messages, IT can measure user susceptibility to cyberattacks, as well as how that susceptibility changes over time. To test users' understanding of smishing in particular, organizations can conduct smishing simulations.
Setting up an internal smishing campaign is fairly easy. First, develop an attack scenario that mimics a real-world smishing incident. This could be a fake delivery tracking link, password reset request or link to documents from the HR department, for example. Once the IT team has created such a message, it can use an internal or third-party tool to deliver the smishing message to employees' phones. At that point, it's just a matter of waiting to find out who taps on the embedded link.
For this type of training to be optimally effective, it's important to provide immediate feedback to those who tap on the smishing link. Organizations can send users a follow-up message to tell them that they failed to recognize the fake smishing attempt.
IT should carry out smishing simulations on a regular basis and make sure the messages are varied enough that they won't become predictable to users. If the messages always follow the same template, or the organization always sends them out around the same time, users are likely to catch on. Training simulations can only be effective if users believe that the messages are authentic and come from the outside world.
Additionally, be sure to track which users fail the smishing test, ideally with real-time reporting. Over time, patterns should emerge in terms of which users are most susceptible to smishing attacks. Observing these susceptibility trends can help IT teams to better focus their security training efforts.
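The procedure above (varied scenarios, a unique link per employee, immediate feedback on a tap, and susceptibility tracked across campaigns) can be modelled in a few dozen lines. The code below is an added example written for this article, not part of the original page and not any vendor's simulation product. The landing host, campaign names, user IDs and message templates are all constructed; the only design point worth carrying into a real tool is the per-user, per-campaign token derived with an HMAC, which lets the landing page attribute a tap to a user without trusting anything else in the request and ignores tokens it did not issue.

```python
import hashlib
import hmac
import random
from collections import defaultdict

# Scenario templates mirroring the article's examples; several are used so messages do not become predictable.
TEMPLATES = [
    "Delivery notice: we could not deliver your parcel. Reschedule at {link}",
    "IT Helpdesk: your password expires today. Reset it now at {link}",
    "HR: your updated benefits documents are ready for review: {link}",
    "Payroll: confirm your direct deposit details before Friday: {link}",
]

LANDING_BASE = "https://sim.example.com/t"  # hypothetical landing page for the simulation


def make_token(secret: bytes, campaign: str, user_id: str) -> str:
    """Per-user, per-campaign token: HMAC keeps it unguessable, so a tap is attributable only via the issued link."""
    mac = hmac.new(secret, f"{campaign}|{user_id}".encode(), hashlib.sha256).hexdigest()
    return mac[:20]


class SmishingProgram:
    def __init__(self, secret: bytes, users):
        self.secret = secret
        self.users = list(users)
        self.campaigns = {}               # campaign -> {token: user_id}
        self.clicks = defaultdict(set)    # campaign -> user_ids who tapped the link

    def build_campaign(self, campaign: str, seed=None) -> dict:
        """Return {user_id: message text}; each message carries that user's unique link and a random template."""
        rng = random.Random(seed)
        tokens, messages = {}, {}
        for uid in self.users:
            token = make_token(self.secret, campaign, uid)
            tokens[token] = uid
            link = f"{LANDING_BASE}/{token}"
            messages[uid] = rng.choice(TEMPLATES).format(link=link)
        self.campaigns[campaign] = tokens
        return messages

    def record_click(self, campaign: str, token: str):
        """Called by the landing page. Returns the immediate feedback text for an issued token, None for any other."""
        uid = self.campaigns.get(campaign, {}).get(token)
        if uid is None:
            return None  # unknown or forged token: not counted against anyone
        self.clicks[campaign].add(uid)
        return (f"This was a simulated smishing message from the security team ({campaign}). "
                "Real texts never ask you to reset a password or confirm details via a link; "
                "forward suspicious messages to the IT reporting number.")

    def report(self) -> dict:
        """Per-user tap rate across all campaigns so far, plus users who tapped in more than one."""
        total = len(self.campaigns)
        per_user = {}
        for uid in self.users:
            hits = sum(1 for c in self.campaigns if uid in self.clicks[c])
            per_user[uid] = {"clicked": hits, "campaigns": total,
                             "rate": hits / total if total else 0.0}
        repeat = sorted(u for u, r in per_user.items() if r["clicked"] > 1)
        return {"per_user": per_user, "repeat_clickers": repeat}


def run_demo() -> dict:
    """Two campaigns against three constructed users; bob taps both, alice the first only, carol neither."""
    prog = SmishingProgram(secret=b"rotate-this-secret-per-program", users=["alice", "bob", "carol"])
    prog.build_campaign("campaign-1", seed=1)
    prog.build_campaign("campaign-2", seed=2)
    prog.record_click("campaign-1", make_token(prog.secret, "campaign-1", "bob"))
    prog.record_click("campaign-1", make_token(prog.secret, "campaign-1", "alice"))
    prog.record_click("campaign-2", make_token(prog.secret, "campaign-2", "bob"))
    # A token from another campaign, or one we never issued, must not register as a tap.
    stale = prog.record_click("campaign-2", make_token(prog.secret, "campaign-1", "carol"))
    forged = prog.record_click("campaign-2", "0000deadbeef00000000")
    result = prog.report()
    result["stale_or_forged_counted"] = stale is not None or forged is not None
    return result


if __name__ == "__main__":
    summary = run_demo()
    for uid, row in summary["per_user"].items():
        print(f"{uid:6} tapped {row['clicked']}/{row['campaigns']} ({row['rate']:.0%})")
    print("repeat clickers:", summary["repeat_clickers"])
```

The repeat-clicker list is what the real-time reporting in the text is for: a user who taps in one campaign may just have been distracted, but one who taps in campaign after campaign is the person whose training needs to change.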
Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.