The Hazards Posed by Smishing Attacks

Phishing is still the primary vector hackers use to launch a cyber attack. Roughly 90% of successful infiltrations of companies have been attributed to malicious attachments or misleading emails, and the numbers keep increasing.

A lesser-known but potentially equally effective avenue for hackers to infiltrate organizations is the SMS (or text) message. Known as smishing, or SMS phishing, this form of attack is less common than email phishing (for now), but can be harder to detect than more run-of-the-mill email campaigns.

One reason smishing messages can be hard to identify at first glance is that text messages, by their nature, tend to be brief and provide minimal detail. Whereas a phishing email can carry several telltale signs of foul play, including suspicious email addresses or typos, a text message is typically one to two sentences long and contains a link, often shortened so that the destination is not visible.

Adding to the hazard is that legitimate services and texts often come from unidentifiable or unrecognizable phone numbers. 

The following message is legitimate:

The following message is not:

In the former case, the link may lead you to Xfinity’s payment portal. The second has the potential to lead you to a site that looks exactly like Xfinity’s payment portal to capture your login and password, or ask you to “re-enter” your payment method. It could also just download malware to your mobile device.

While many smishing attacks are meant to scam or compromise individual recipients, they also represent a hazard to organizations. Compromised login credentials can be leveraged to gain access to a company’s networks, send internal phishing messages, or spread malware.

There are best practices a company can put in place to defend against some of these threats, but the first line of defense in cybersecurity is usually its employees. Well-trained employees may be able to detect suspicious activity and know how to avoid unnecessary risks. Employees unaware of the basics of data hygiene and security can leave the door open to all manner of cyber threats, smishing included.

Wondering how to train your staff to defend against smishing attacks? Contact Nodal today to inquire about our IT Security Awareness Education, Training & Testing program.