Two things are inherently true when it comes to cyber criminals. The first is that they follow the money. This is why ransomware grew to a billion-dollar business overnight. The second is that, like water, their efforts flow towards the path of least resistance. Cyber criminals are like many people: they go for the easy money. Phishing has been the dominant delivery method for malware and cyber attacks for a number of years now. However, phishing is not as easy as it used to be. Spam filters and email gateways now react quickly to shut down a malicious email domain. Email security technology now uses analytics to more accurately identify behavior abnormalities and possible email threats. Even users are growing more guarded when opening emails and are becoming more astute at identifying suspicious links and attachments. We have a long way to go, of course, but it is getting better.
This is why smishing attacks are growing more prominent today, as cyber criminals turn to a medium that users trust more than their email. Smishing is a social engineering attack that uses SMS text messaging instead of email. There are over 6 billion mobile phones in circulation today, and a third of them are smartphones. Because cell phones today are part of our persona and an extension of our day-to-day lives, users look to them as trusted devices that they can count on. Unfortunately, from a cyber security point of view, a personal cellphone is a vulnerable computer with a direct connection to the Internet. With the proliferation of Bring Your Own Device (BYOD) within companies today, the enterprise is exposed to personal cell phones on a regular basis. Just like laptops and more traditional computing devices, personal cell phones can become launching pads to spread malware, launch DoS attacks and seize control of privileged accounts.
Texting is an Ideal Medium for Social Engineering Attacks.
Here is why:
- There are approximately 913,242,000 texts sent every hour of every day around the globe. That is 15.2 million per minute. This volume and velocity make text messages highly favorable to perpetrators.
- More than 90% of SMS text messages are opened within 3 seconds. This reinforces the sense of urgency that is a necessity for a social engineering attack: users need to feel that an action must be performed right away, without proper vetting and consideration.
- There is no current text filtering technology in which sending numbers are confirmed as trusted sources.
Examples of SMS phishing attacks exemplifying this sense of urgency look something like this:
- “Congratulations, your entry in our store drawing has won you a $100 gift card. Please click the link to accept your prize.”
- “You have received an alert notice concerning a large withdrawal from your account. Please respond with your account number to confirm your identity.”
- “As a valued customer, we are now offering our new banking app. Please click the link to install.”
- “You have been selected for jury duty. If you cannot make it, please call the following number and have your name and social security number ready.”
How to Protect Yourself Against Smishing
Thanks to the highly publicized mammoth data breaches over the past couple of years involving millions of personal records, cyber criminals have access to a large pool of legitimate phone numbers. These records can be mined in order to better target the users who own these numbers. Most SMS phishing attacks, however, are sent like traditional phishing attacks, in which a large net is cast to catch easy prey. Users should be wary of text messages that come from a “5000” number, as this is indicative of an SMS message sent over the web rather than from a cell phone. Below are some other tips to protect yourself from smishing attacks.
- Never install an app from a web link that appears in a text message. All apps should only be downloaded from verified app stores. If possible, set your phone to block apps from unknown sources.
- Never respond to a text message that conveys a high sense of urgency or panic and demands an immediate action.
- Verify all links sent by family and friends to confirm they knowingly sent you the specific link.
- Never respond to a text from a financial, healthcare or governmental institution. Call the verified number of the organization to confirm the contents of a text message that asks you to take some type of immediate action.
- Do not reply to a text message asking the sender to stop sending you spam messages. This will only confirm your number and encourage them. You can block numbers that consistently send you messages through your cellular provider’s portal or by calling them.
- Consider a NAP or NAC policy for all BYOD mobile devices. Many companies create policies enforcing minimum security standards for laptops and tablets. Requiring users to have malware protection on their phones is a legitimate request considering today’s environment.
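The indicators above (urgency, a link or app install, a request for an account or social security number, and a "5000" web-originated sender) can be turned into a simple triage check. The script below is an added example written for this post, not HALOCK's code; the indicator names, weights and threshold are assumptions, and the sample inbox is constructed from the four lures quoted above plus one benign message.

```python
import re
from dataclasses import dataclass

# Heuristic indicators drawn from the post: urgency cues, lures and rewards, links,
# app installs, requests for identifiers, and a callback number to dial.
INDICATORS = {
    "urgency":    re.compile(r"\b(alert|immediately|right away|urgent|respond|cannot make it)\b", re.I),
    "lure":       re.compile(r"\b(congratulations|won|prize|gift card|selected)\b", re.I),
    "link":       re.compile(r"\b(click|tap)\b.*\blink\b|https?://", re.I),
    "install":    re.compile(r"\b(install|download)\b.*\bapp\b|\bapp\b.*\binstall\b", re.I),
    "identifier": re.compile(r"\b(account number|social security number|ssn|password|pin|confirm your identity)\b", re.I),
    "callback":   re.compile(r"\bcall\b.*\bnumber\b", re.I),
}
# Assumed weights: asking for credentials or an install is worth more than a generic lure.
WEIGHTS = {"urgency": 1, "lure": 1, "link": 1, "install": 2, "identifier": 2, "callback": 1, "web_sender": 1}
THRESHOLD = 2  # assumed cut-off; tune against your own message corpus

@dataclass
class Verdict:
    sender: str
    score: int
    hits: list
    suspicious: bool

def web_originated(sender: str) -> bool:
    # The post notes that a "5000" number indicates an SMS sent over the web, not from a handset.
    digits = re.sub(r"\D", "", sender)
    return digits.startswith("5000")

def assess(sender: str, text: str) -> Verdict:
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if web_originated(sender):
        hits.append("web_sender")
    score = sum(WEIGHTS[h] for h in hits)
    return Verdict(sender, score, hits, score >= THRESHOLD)

# Constructed sample inbox: the post's four lures (sender numbers are made up) plus a benign text.
SAMPLES = [
    ("50003", "Congratulations, your entry in our store drawing has won you a $100 gift card. Please click the link to accept your prize."),
    ("50001", "You have received an alert notice concerning a large withdrawal from your account. Please respond with your account number to confirm your identity."),
    ("+15550100", "As a valued customer, we are now offering our new banking app. Please click the link to install."),
    ("+15550199", "You have been selected for jury duty. If you cannot make it, please call the following number and have your name and social security number ready."),
    ("+15550123", "Running ten minutes late, order me a coffee?"),
]

def triage(samples=SAMPLES):
    return [assess(sender, text) for sender, text in samples]

if __name__ == "__main__":
    for v in triage():
        print(f"{v.sender:>10} score={v.score} {'SUSPICIOUS' if v.suspicious else 'ok'} {v.hits}")
```

A keyword scorer like this will miss lures that avoid the listed phrases, so treat it as a first-pass filter for user reports, not a replacement for the verification steps above.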
While the majority of SMS phishing attacks are carried out for a quick payoff from an unsuspecting user, smishing attacks are rapidly growing in sophistication and can be used as a method to target an entire enterprise in the future. It is important to ensure that SMS messages do not become your path of least resistance.
HALOCK is a cyber security consulting company headquartered in Schaumburg, IL, in the Chicago area and advises clients on reasonable information security throughout the US.