
Smishing targets mobile users and IT must prepare to fight it

Phishing attacks via SMS are harder for IT to defend against than email phishing, but with proper SMS-specific training and testing, IT can improve its phishing security.

SMS phishing -- also known as smishing -- can have serious business consequences for both managed devices and BYOD scenarios.

Smishing is when an attacker attempts to trick a user into giving up information via a text message to a mobile device, and this trend appears to be gaining popularity. This attack vector is an offshoot of traditional email phishing and the incessant robocalls that are commonplace these days.

Why is smishing a serious threat?

One of the major reasons why smishing poses a serious threat is that mobile admins largely have no control over mobile users' SMS messaging. With smishing, the threat, vulnerability and risk are literally in the hands of end users, so everything from personally identifiable information to passwords to business intellectual property is at stake.

Smishing messages are often casual and generic, similar to traditional spam and phishing emails. They tend to use fake links to social media and other consumer-centric online experiences for bait, as shown in the following screenshots:

[Screenshot: a vague smishing text with a shortened link]

The most dangerous smishing attacks, however, target organizations with messages that may look more legitimate to unsuspecting users. Targeted messages might take the following approaches:

  • requests for password resets
  • meeting requests
  • multifactor authentication-related messages
  • urgent requests from executives

What should IT do about smishing?

As part of its ongoing security vulnerability and penetration testing, IT should perform internal smishing tests in addition to internal email phishing. Many users are aware of traditional phishing approaches, but this relatively new attack vector may catch them off guard. Internal phishing tests provide better insight into whether an organization's end-user training efforts are working, while also revealing users who are especially vulnerable to such attacks.


IT can perform a smishing test for its users with a regular cellphone or an online messaging system that provides IT with a dummy phone number that can send and receive texts. The challenge with this approach is navigating the terms of use for these platforms. Additionally, using a single cellphone or dummy phone number will be terribly cumbersome for IT to scale out to a large number of users. IT needs to collect and log this data, and for large organizations this process would take a lot of time.

The most efficient approach to perform large-scale smishing tests is to use one of the phishing training platforms provided by vendors such as Proofpoint and Lucy. These tools allow IT professionals to integrate smishing with existing email phishing efforts and take advantage of the platforms' user, template and reporting features on a large scale. For example, the following screenshot shows the SMS phishing options that Lucy offers:
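Whichever platform sends the test messages, the value of an internal smishing test comes from the data IT collects afterwards: who clicked, who entered credentials, who reported the message, and which lure worked best. The following is an added example (not code from the article or from any vendor platform) that aggregates a constructed event log from a hypothetical campaign into the metrics IT would use to judge its training program and identify users who need follow-up. The log format, user names, template names and event names are all assumptions made for the demonstration.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed event log for a hypothetical internal smishing test (not real data).
# Columns: timestamp, user, template, event (delivered | clicked | submitted | reported).
SAMPLE_LOG = """\
timestamp,user,template,event
2024-03-01T09:00:00Z,alice,password_reset,delivered
2024-03-01T09:00:00Z,bob,password_reset,delivered
2024-03-01T09:00:00Z,carol,exec_urgent,delivered
2024-03-01T09:00:00Z,dave,exec_urgent,delivered
2024-03-01T09:02:10Z,alice,password_reset,clicked
2024-03-01T09:02:40Z,alice,password_reset,submitted
2024-03-01T09:03:00Z,bob,password_reset,reported
2024-03-01T09:05:00Z,carol,exec_urgent,clicked
2024-03-01T09:06:00Z,carol,exec_urgent,reported
"""

VALID_EVENTS = {"delivered", "clicked", "submitted", "reported"}


def parse_events(log_text: str) -> list[dict]:
    """Parse the CSV log into a list of row dicts, rejecting unknown event types."""
    rows = list(csv.DictReader(StringIO(log_text)))
    for row in rows:
        if row["event"] not in VALID_EVENTS:
            raise ValueError(f"unknown event type: {row['event']!r}")
    return rows


def summarize(events: list[dict]) -> dict:
    """Compute campaign-wide and per-template rates plus the users needing follow-up.

    Rates are measured against distinct users who received a message. A
    'submitted' event (credentials entered on the landing page) implies a click.
    """
    delivered, clicked, submitted, reported = set(), set(), set(), set()
    per_template = defaultdict(lambda: {"delivered": set(), "clicked": set()})
    for e in events:
        user, tmpl, ev = e["user"], e["template"], e["event"]
        if ev == "delivered":
            delivered.add(user)
            per_template[tmpl]["delivered"].add(user)
        elif ev == "clicked":
            clicked.add(user)
            per_template[tmpl]["clicked"].add(user)
        elif ev == "submitted":
            submitted.add(user)
            clicked.add(user)
            per_template[tmpl]["clicked"].add(user)
        elif ev == "reported":
            reported.add(user)
    n = max(len(delivered), 1)  # avoid division by zero on an empty campaign
    return {
        "delivered": len(delivered),
        "click_rate": len(clicked) / n,
        "submit_rate": len(submitted) / n,
        "report_rate": len(reported) / n,
        "template_click_rate": {
            t: len(d["clicked"]) / max(len(d["delivered"]), 1)
            for t, d in per_template.items()
        },
        # Users who took the bait and never reported it are the training priority.
        "users_needing_training": sorted((clicked | submitted) - reported),
        "users_who_reported": sorted(reported),
    }


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Tracking the report rate alongside the click rate matters: a user who clicks and then reports the message still gives the incident response team an early warning, which is the behaviour the training program is trying to produce.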

[Screenshot: Lucy's phishing test platform UI for SMS]

When IT professionals design and carry out the internal smishing test, they must keep in mind that smishing is no different than other forms of social engineering. Criminal hackers want to prey on human gullibility and the desire for instant gratification. Smishing may be a relatively new attack vector, but IT can address users' vulnerability to this attack with the same methods it would for most other social engineering attacks.

IT should start with an internal assessment of the vulnerabilities that exist within the organization. This should cover mobile user habits, the common mobile apps that users work with and other organization-specific details. All of this information will help IT design the best possible phishing security strategy, including a user training program for all users, SMS filter tools and a strong mobile incident response plan.
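The SMS filter tools mentioned above typically score incoming messages on the same indicators the article lists for targeted lures (password resets, meeting requests, MFA-related messages, urgent requests from executives) combined with link characteristics such as shortened URLs. The following is an added example, not code from the article or from any vendor product, of such a heuristic scorer run over a few constructed messages. The keyword lists, the shortener list, the weights and the flag threshold are all assumptions chosen for the demonstration and would need tuning against an organization's real traffic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages for the demonstration; none are real smishing texts.
SAMPLE_MESSAGES = [
    "Your corporate password expires today. Reset now: http://bit.ly/abc123",
    "This is the CEO. I need you to handle something immediately, reply ASAP.",
    "Reminder: team meeting at 3pm in room B.",
    "Your MFA code is 482913. Reply with it to confirm login: https://tinyurl.com/q1w2",
    "Running late, be there in 10.",
]

# Lure categories follow the article's list of targeted approaches ("urgent
# requests from executives" is split into an executive cue and an urgency cue).
# The keyword lists themselves are assumptions.
LURE_PATTERNS = {
    "password_reset": re.compile(
        r"\b(reset|expire\w*|verify|update)\b.{0,40}\bpassword\b"
        r"|\bpassword\b.{0,40}\b(reset|expire\w*|verify|update)\b", re.I),
    "meeting_request": re.compile(r"\b(meeting|invite|calendar)\b", re.I),
    "mfa": re.compile(r"\b(mfa|2fa|one[- ]time code|verification code|passcode)\b", re.I),
    "executive": re.compile(r"\b(ceo|cfo|cio|director|boss)\b", re.I),
    "urgency": re.compile(r"\b(urgent|urgently|immediately|asap|right away|now|today)\b", re.I),
}

# Hypothetical shortener list; a production filter would use a maintained blocklist.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)

# Weights and threshold are assumptions chosen so that a single benign keyword
# (e.g. "meeting") does not trigger a flag on its own.
WEIGHT_LINK, WEIGHT_SHORTENER, WEIGHT_LURE, FLAG_THRESHOLD = 1, 3, 2, 3


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)
    flagged: bool = False


def analyze_sms(text: str) -> Verdict:
    """Score one SMS body; a higher score means more smishing indicators present."""
    score, reasons = 0, []
    hosts = [h.lower() for h in URL_RE.findall(text)]
    if hosts:
        score += WEIGHT_LINK
        reasons.append("contains_link")
    if any(h in SHORTENER_HOSTS for h in hosts):
        score += WEIGHT_SHORTENER
        reasons.append("shortened_link")
    for name, pattern in LURE_PATTERNS.items():
        if pattern.search(text):
            score += WEIGHT_LURE
            reasons.append(f"lure:{name}")
    return Verdict(score=score, reasons=reasons, flagged=score >= FLAG_THRESHOLD)


def scan(messages):
    """Return (message, verdict) pairs for every message that crosses the threshold."""
    flagged = []
    for m in messages:
        v = analyze_sms(m)
        if v.flagged:
            flagged.append((m, v))
    return flagged


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = analyze_sms(msg)
        print(f"[{'FLAG' if v.flagged else ' ok '}] score={v.score:<2} {v.reasons} :: {msg}")
```

The scoring deliberately stacks indicators: a legitimate calendar reminder scores below the threshold, while a message that pairs a lure with a shortened link, or an executive cue with urgency language, is flagged. Messages that score just under the threshold are the natural candidates for the user training program, since they show which phrasing the filter will not catch.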

Most organizations haven't mastered email phishing security yet, and the SMS vector is likely to prove even more difficult. However, IT can bring SMS messages into the fold at little to no cost beyond its existing phishing efforts.
