Phishing has been a hot topic lately in cybersecurity. In a phishing attack, threat actors typically use email or a phone call in an attempt to deceive potential victims. A related type of social engineering attack known as smishing has recently become more prevalent.
Smishing is a form of phishing that employs SMS text messages to entice the victim into divulging sensitive information or clicking on a malicious link. The outcome of a successful smishing attack can be identity theft, compromised credentials, or malware delivery.
The popularity of texting as a method for businesses to communicate with customers has led to the increasing use of this technique by threat actors. Defending against smishing requires vigilance and extreme care when responding to SMS messages. The damages possible from a smishing attack go far beyond the harm to the device that received the message.
Anatomy of a Smishing Attack
Smishing attacks are often carried out in multiple steps, typically the following three:
- Getting the victim’s attention or concern with a targeted message or offer.
- Tricking the victim into going to a fraudulent website that looks similar to a legitimate site.
- Inducing the victim to divulge sensitive information or click on a link that may deliver malware.
A smishing attack can also be perpetrated in one step by including a malicious link in an SMS message and enticing the victim to click on it. For this reason, it is strongly advised to never click on a link in an SMS message if you have any concerns about its legitimacy.
Why Smishing Attacks Are Often Successful
Smishing attacks prey on the fragility of human nature as they attempt to entice users to take dangerous actions. The tactics used by threat actors include appealing to the following aspects of human nature:
- Greed addressed with offers of financial gain and riches;
- Luck that only the victim has received this offer;
- Vanity by implying your special qualities entitle you to the offer;
- Misplaced trust by appearing empathetic and offering help;
- Lack of attention by making the victim feel noticed and important;
- Fear that failure to click the link will result in something bad happening.
All it takes is a single misguided click to become a victim of a smishing attack. Cybercriminals know this and are adept at constructing messages that can fool an unsuspecting individual.
Dangers of a Smishing Attack
Threat actors have added smishing to their portfolio of techniques with which to attack individuals and organizations. While they have adopted many methods, the goals of cybercriminals are typically fairly consistent. They either want to obtain valuable information they are not entitled to or cause some type of damage to the victim’s IT environment.
The specific dangers of smishing include:
- Enticing the victim into divulging sensitive information such as account credentials or Social Security numbers. This data is then used by cybercriminals to perform identity theft or gain unauthorized access to protected IT resources.
- Delivering malware to the victim’s phone or endpoint, and by extension, the network to which it is attached. The malware can be in the form of ransomware or may be an attempt to introduce an advanced persistent threat (APT) to the environment.
One of the reasons smishing is so dangerous is that the victim may not realize they have been victimized and may not take any preventative actions to limit the damages.
Examples of Smishing Attacks
Knowing the common types of smishing attacks is a good way to reduce their chances of success. Consider what you would do if you received an SMS message tonight that resembled one of the following.
- A common tactic is to claim you are a sweepstakes winner and have a limited amount of time remaining to claim your prize.
- A message indicating your account is frozen is often a smishing attack.
- An unexpected request from a family member in distress can influence how you reply to a message.
- A message from a package delivery service informs you that a parcel you are not expecting is waiting for you.
- An SMS text tells you that you have outstanding charges for toll roads and must click a link to address the issue.
- You receive an offer for free or discounted services or products that you have not requested.
A concrete example of smishing can be seen in an attack perpetrated on customers of the Bank of Ireland. The scam involved SMS messages fraudulently purporting to be from the bank asking for account details. Replying to the messages provided cybercriminals with access to the victims’ bank accounts.
Preventing Smishing Attacks
It’s impossible to eliminate potential smishing attacks unless you opt out of receiving SMS messages. Since this is unlikely, the following best practices offer the best defense against a smishing attack.
- Question any correspondence that requires you to act and respond quickly. One of the tactics of smishing is to get you to react without thinking of the potential consequences of your actions.
- Be wary of messages that offer money or great deals. Offers that sound too good to be true are usually fraudulent.
- Don't click on embedded links in any SMS message. If you believe the message is legitimate, go to the website via a browser by typing in the address.
- Don’t assume that new messages in a thread from a legitimate source are also legitimate. Threat actors use techniques such as CLI overstamping to make their malicious messages appear to be coming from a trusted source.
- Verify phone numbers sending text messages and be cautious of suspicious numbers from unknown locations.
- Don't reply to suspicious messages as they may simply be a lure to get you to incur expensive long-distance charges.
- Never change settings or access accounts in response to text messages.
Additional protective actions include:
- Not keeping financial information on your phone;
- Reporting smishing attempts to the relevant regulatory authority in your country.
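The lure types and warning signs described above (prize claims, frozen accounts, parcels, tolls, urgency, embedded links) can be turned into a simple triage check for messages that users report. The following Python is an added example, not part of the original article or of any vendor product; the keyword patterns, weights, threshold and sample messages are constructed assumptions.

```python
import re

# Lure categories come from the article's examples; the keyword patterns and
# weights are illustrative assumptions, not a vetted rule set.
LURES = {
    "prize": r"\b(winner|won|sweepstakes|prize)\b",
    "account_frozen": r"\baccount\b.*\b(frozen|locked|suspended)\b",
    "family_distress": r"\b(mum|mom|dad)\b.*\b(new number|lost my phone|need money)\b",
    "parcel": r"\b(parcel|package|delivery)\b",
    "toll": r"\btoll\b.*\b(unpaid|outstanding|charges?|balance)\b",
    "free_offer": r"\b(free|discount(ed)?)\b",
}
URGENCY = r"\b(urgent|immediately|expires?|final notice|act now|within \d+ ?(hours?|minutes?))\b"
LINK = r"https?://\S+|\bwww\.\S+|\b[a-z0-9-]+(\.[a-z]{2,})+/\S*"

def triage_sms(text):
    """Score one SMS body; returns (score, reasons). Higher is more suspicious."""
    body = text.lower()
    reasons = [name for name, pat in LURES.items() if re.search(pat, body, re.S)]
    score = len(reasons)
    if re.search(URGENCY, body):
        reasons.append("urgency")
        score += 1
    if re.search(LINK, body):
        reasons.append("embedded_link")
        score += 2  # the link is the delivery mechanism, so weight it higher
    return score, reasons

def verdict(text, threshold=3):
    """Map a score to a triage label for a help desk or reporting mailbox."""
    score, reasons = triage_sms(text)
    if score >= threshold:
        return "suspicious", reasons
    return ("review" if score else "no_indicators"), reasons

# Constructed sample messages; example.test is a reserved test domain.
SAMPLES = [
    "Final notice: you have outstanding toll charges. Pay within 12 hours at https://tolls.example.test/pay",
    "Congratulations, you are a sweepstakes winner! Claim your prize, offer expires today: www.prizes.example.test",
    "Your parcel is waiting for collection.",
    "Running 10 minutes late, see you at the cafe.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(verdict(msg), "<-", msg)
```

Keyword scoring like this only ranks reported messages for human review; a message with no matches is not thereby safe, and legitimate delivery or bank notices will also score.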
How XDR Can Limit the Damage of a Smishing Attack
Smishing typically targets mobile devices and endpoints, although SMS messages can be received on a laptop or desktop computer. Mobile devices are not typically as effectively managed as other endpoints, presenting a potential blind spot for directly detecting threat actors. But there is still value in implementing XDR to help limit the damages of smishing by identifying lateral movement and consolidating telemetry to identify behavior that warrants further investigation.
One of the purposes of a smishing attack is to deliver malware to the target via a malicious link. Once the malware is downloaded to the endpoint, its goal is usually to further infiltrate the environment and affect other components on the network. This is where XDR can be useful in reducing the potential damages of an attack.
The holistic and consolidated view of the environment furnished by XDR can help limit the damage of a smishing attack by:
- Identifying malware activity that escapes detection from traditional methods;
- Synthesizing threat intelligence (TI) to identify the subtle lateral movements of threat actors that have gained access to the environment;
- Alerting security personnel of anomalies that may indicate the presence of threat actors.
XDR provides a sophisticated method of identifying and responding to the evolving techniques of threat actors. XDR offers a cloud-based solution for organizations of all sizes with powerful threat-hunting capabilities.
Talk to the experts at Samurai and see how XDR can address threats introduced into the environment from techniques like smishing that cannot be identified by traditional cybersecurity measures.