What is Smishing?

Most everyone these days has heard of or had experience with the email-based attack known as Phishing. An attacker sends an email pretending to be a legitimate sender and attempts to manipulate their victim using a variety of social engineering tactics to get them to disclose sensitive information, click on a link, or open a malicious file. Some of these emails can be incredibly sophisticated and polished whereas others are easy to distinguish as potentially dubious. 

Although phishing occurs in many shapes and forms, it only leverages one type of communication medium – email. Attackers have now expanded similar social engineering attacks to cover a wider variety of communication tools. Phishing attacks conducted over the phone are known as Vishing – a combination of the words “Voice” and “Phishing,” attacks that leverage social media are known as Angler Phishing and attacks conducted via text messages are known as Smishing taken from Short Message Services or SMS and Phishing. 

Social engineering has a focus on exploiting human trust and attacks are then often paired with technical exploits. These may include an attachment to download being sent in the text message which may contain malware or a link to click that redirects users to a malicious website. Attackers often pose as a legitimate company to reduce scepticism, such as a bank, healthcare provider, postal service, etc., to entice victims into accessing the malicious content. They may also use techniques that prey on their target’s emotions such as fear, urgency, and desires, or use situational context to make their message seem more genuine. The method of compromise can vary, and some examples may be to get the victim to respond to the message, provide a phone number for the victim to call – converting to a Vishing attack, prompt the user to interact with a file or link, or send the attacker money. 

Recently, a smishing campaign has been targeting New Zealanders, which you can read more about in our Cyber Guidance Issue 0205

Targets are selected in many ways. Victims may be associated with a particular organisation, industry or demographic but mostly these are “spray” attacks where a high number of people are targeted at random with hopes that a percentage of them will take the bait and fall victim to the attack. Often in these types of attacks a feature of the malware that is installed enables it to source information for other contacts stored in the mobile phone and in other applications to send back to their Command and Control (C2) server providing the attacker with more victims. Some are even clever enough to self-propagate and send malicious messages to contacts all by themselves. 

Once the attacker has the information they are seeking, they can use it in a number of ways. This could be to gain trust and access to other individuals or further sensitive information, acquire funds through various methods of theft, commit identity theft or fraud, or leak company data. 

Smishing attacks evolve quickly so it can be difficult to identify specific types or provide a comprehensive list of examples. Recently there have been a number of COVID-19 related smishing campaigns preying on the fear and uncertainty created by the global pandemic. Financial services are also often impersonated from banks, insurance providers and lenders to investment schemes. Invoicing or receipt confirmation and parcel delivery services are growing in popularity and smishing messages offering customer support services or letting you know about a problem with an account, device, or security risk are also common. The offer of a gift, freebies, competition winner announcements, sneak peeks or pre-order offers can also be enticing to targets making them ideal for a smishing campaign. 

Most users have a false sense of confidence when it comes to text message safety and using their phone. Smartphone security has its limits, and it is often difficult to protect against malicious text messages. Users don’t often associate text messages or voice calls with a potential cyber or information security risk. While awareness of phishing may be high, attention should be paid to the various other methods of social engineering when training your staff to identify potential threats. It is important to provide them with the tools to recognize the threat, know what to do and how to verify legitimacy before proceeding with requests received via phone, email, text message, or social media. It is less effort for an attacker to find a valid phone number than an email address, as they only have to consider numbers and the structure of those numbers for the targeted country. With attackers requiring only a touch of trust and a short lapse in judgement to succeed, the risks are high for users and rewards potentially lucrative for attackers. 

Some key takeaways to assist with preventing a successful compromise from a suspected smishing message are: 

  • Be wary – If it looks suspicious, it probably is. Offers that seem to be too good to be true usually are. Be particularly cautious of messages containing spelling mistakes or grammatical errors.

  • Don’t reply – if the message is unexpected and/or the sender is unidentifiable, do not send a response. Some attackers also use prompts such as asking a victim to reply with “STOP,” “YES” or “NO” to identify active phone numbers.

  • Don’t click – Never click on links provided in text messages as they may be malicious.

  • Don’t call – Never use a phone number provided in the message, seek the correct phone number via the business website or through a verified contact list.

  • Always verify - if in doubt use a secondary means to check the request is legitimate. Contact the organisation or colleague that is reaching out to you via their website or by giving them a call or sending an email.

  • Never store credit card numbers on your phone – this makes for easy pickings, even in a digital wallet.

  • Use MFA – Enable Multifactor Authentication wherever possible. A stolen password will be useless to an attacker if an account requires a secondary key or token to log into. MFA can sometimes be known as 2FA, and One Time Passwords (OTP) are also similar. If you believe your device has been compromised, do not set MFA codes to be sent as text messages to the phone as an attacker may be able to harvest or redirect these. Use a token generation app such as Microsoft Authenticator and ensure you have a backup and the relevant recovery keys stored elsewhere.

  • Never provide passwords or token codes over the phone or through text – Only ever use passwords and codes on the official sites or applications.

  • Use Anti-malware Software – Using an anti-malware specifically designed for mobile devices can reduce the risk and likelihood of malware being accessed through or downloaded onto your phone or other mobile devices and prevent attackers gaining a foothold.

  • Report it – You can report incidents to CERT NZ using their online form or by forwarding malicious messages to 7726

 If you suspect you may be the victim of a smishing attack, reach out to CERT NZ or Netsafe for assistance and advice or you business IT Service Provider. You should change your passwords and account PINs and monitor your finances for strange or unexpected behaviour. If you suspect your bank account or credit card may have been compromised, contact your bank immediately and put a freeze on your accounts. 

The team at Unisphere Solutions Ltd are always available for advice and guidance. Contact us today!

Previous
Previous

Importance of strong passwords and practices

Next
Next

Are you ready for Cyber Smart Week 2021?