Smishing and phishing scams continue to evolve within nearly every corporate sector, with new threats replacing the old ones in rapid succession. What is smishing, and how can it impact your company? Here, we’ll look at what steps you can take to defend your employees and your bottom line from smishing scams.
What is the definition of Smishing?
Smishing is a blend of short message services (SMS) and phishing, and it refers to deceptive text messages sent by scammers. While smishing is most often associated with consumers, businesses are also at risk of receiving spam text messages.
For example, a scammer might pretend to be a supervisor on your IT team (https://www.makeuseof.com/still-using-sms-stop/), sending a text message to an employee about an emergency system failure. In this case, the scammer includes a fake link in the text, supposedly for logging into the system remotely, in order to collect the employee’s credentials.
Smishing attacks in organizations are often the first step in a much larger phishing scheme. For example, scammers might send several text messages to collect information that can then be used in a more orchestrated Business Email Compromise (www.ncsc.gov.uk/files/Business-email-compromise-infographic.pdf) (BEC) attack. Whether they’re looking for official information, like financial account numbers, or behavioral information, like whether a manager addresses employees by their nicknames, smishing can be just one part of the infiltration.
As the number of nation-state hacks continues to rise, the FBI has warned iPhone and Android users to stop sending texts (https://www.forbes.com/sites/zakdoffman/2024/12/06/fbi-warns-iphone-and-android-users-stop-sending-texts/). This isn’t necessarily as simple as it sounds, though. Given that messages sent between iPhones and Androids are unencrypted, you can see why so many businesses have such persistent security gaps.
What is the difference between smishing, phishing, and vishing?
Smishing specifically refers to text message scams, while vishing (AKA voicemail phishing) refers to voicemail scams. Phishing is the broader category that can include voicemails and text messages (though it’s most often associated with email).
It should be noted that phishing, smishing, and vishing may be the same messages sent in different ways. For example, a scammer might impersonate the CTO in a voicemail if they believe that employees will be more likely to trust a spoken directive as opposed to a text message.
One of the most famous phishing scams was Sony’s data leak in 2014 (https://www.sipa.columbia.edu/sites/default/files/2022-11/Sony%20-%20Written%20Case.pdf). In this attack, scammers sent out fake Apple verification emails to collect the passwords of high-level executives. Then, they tested the passwords against Sony accounts to find matches. This led to the leak of more than 100 terabytes of Sony’s confidential information and a nine-figure financial loss.
FBI data clearly shows that scammers are becoming savvier at navigating complex systems (both social and otherwise). If you’re still not convinced about smishing’s efficacy, consider how likely you are to open a text message from someone you know — especially at the end of a long day.
More than half of all personal devices are exposed (https://cybermagazine.com/articles/vishing-smishing-and-quishing-are-next-ways-to-go-phishing) to smishing attacks every quarter, and the purported financial impact of a smishing attack on a mid-size organization is around $4 million. While more and more people fall for these scams every year, a few steps can keep you from becoming a statistic.
How to combat Smishing scams
The best way to combat scams is to be as proactive as possible. Here, we’ll look at some action steps to take to avoid smishing scams.
1. Implement security awareness training:
Nimblr offers periodic Security Awareness training to drastically reduce the odds of a successful smishing scam. By engaging employees on their level, we ensure employees retain the most valuable information. Our micro-training (https://nimblrsecurity.com/solution/micro-training) lessons break down complicated concepts into digestible snippets, and our simulated attacks (https://nimblrsecurity.com/solution/simulations) give you a better idea of how different employees will react to emerging threats.
2. Implement mobile device management:
Mobile Device Management (MDM) (https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management) solutions allow you to control your employees’ devices from a central system. With MDM, you can wipe sensitive information, restrict unauthorized app installation, and flag potentially malicious links. MDM protocols should be updated as quickly as new software versions are released, so it’s important to designate an employee or team to stay on top of it.
3. Consider zero-trust security:
Zero-trust security verifies every single text message — even if it comes from the CEO within your current network. This is not just a complex system to implement; it’s also one of the more costly. However, if you’re in an industry that’s particularly at risk for smishing attacks, such as a bank or utility company, it may be worth the extra precaution.
Conclusion:
As smishing scams increase, some organizations go so far as to outlaw any text or email that solicits information. If you aren’t ready to take that step, consider how Nimblr gives your team the tools they need (https://nimblrsecurity.com/blog/how-to-boost-security-awareness-with-engaging-online-training) to recognize and avoid fishy smishing tactics.