As in email phishing, the smisher (attacker) or smisherman (who comes up with these names?!) uses various tactics to trick the user into sending personal information. They may entice the user to click a link, make a call or even reply with private credentials.
To make the message appear legitimate, the smisher will often use the target's name and location. To add a sense of urgency, they may claim that you will be charged a fee if you do not click a link or reply.
Sometimes the user does not need to send their details for their information to be unlawfully obtained. The hacker may include a link in the message that downloads malware to your phone, which silently steals data in the background and sends the sensitive information to an attacker-controlled server.
Once the required information has been obtained, it can be used for anything, from accessing a store account to accessing your bank.
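The tactics described above (a link, a callback number, a request to reply with credentials, urgency or a fee threat, use of the target's name) can be turned into a simple triage score for text messages reported to a security team. This is an added example, not part of the original article; the patterns, weights, threshold and sample messages are assumptions constructed for illustration.

```python
import re

# Indicators mirror the tactics described above. The patterns, weights and
# threshold are assumptions chosen for illustration, not a vetted ruleset.
RULES = [
    ("link", re.compile(r"(?:https?://|www\.)\S+", re.I), 2),
    ("callback_number", re.compile(
        r"\b(?:call|ring|phone)\b[^.!?]{0,40}?\+?\d[\d\s-]{6,}\d", re.I), 2),
    ("credential_request", re.compile(
        r"\b(?:reply|respond|send|confirm|verify)\b[^.!?]{0,60}?"
        r"\b(?:password|pin|passcode|card number|security code|login)\b", re.I), 3),
    ("urgency", re.compile(
        r"\b(?:urgent|immediately|final notice|suspended|"
        r"within \d+ ?(?:minutes?|hours?|days?))\b", re.I), 1),
    ("fee_threat", re.compile(r"\b(?:fee|fine|charged?|penalty)\b", re.I), 1),
]

def score_sms(text, known_names=()):
    """Return (score, sorted indicator names) for one SMS body."""
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    # Personalisation: the message addresses a known person by name.
    if any(re.search(rf"\b{re.escape(n)}\b", text, re.I) for n in known_names):
        hits.append("uses_target_name")
        score += 1
    return score, sorted(hits)

def triage(text, known_names=(), threshold=4):
    """Flag a message for analyst review when its score reaches the threshold."""
    score, hits = score_sms(text, known_names)
    return {"suspicious": score >= threshold, "score": score, "indicators": hits}

# Constructed sample messages (not real traffic); the domain uses the reserved .example TLD.
SAMPLES = [
    "Hi Priya, your parcel is held. Pay the redelivery fee within 24 hours "
    "at http://parcel-track.example/pay or it will be returned.",
    "URGENT: your account is suspended. Reply with your PIN and card number "
    "to restore access.",
    "Your dentist appointment is on Tuesday at 10:30. See you then!",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg, known_names=("Priya",)))
```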
Is smishing a threat to businesses?
With more people using their smartphones for work purposes, smishing has become a business threat as well as a consumer one. A current trend in the business world is the introduction of BYOD (bring your own device) policies. Whilst the cost savings of such a policy are greatly beneficial, employers are often unaware of the security risks.
How do I protect my company against smishing?
➡️ Have clear BYOD policies and restrictions in place
Create guidelines and BYOD policies to lower the security risk. Some of the top risks of implementing a BYOD policy include: lost or stolen devices, with information theft occurring as a result; compromised devices due to lack of password protection; and mobile app breaches.
➡️ Employee awareness
Find out how cyber security-aware your employees are with products that test for security awareness, such as PhishLabs, then step up cybersecurity training to fill in gaps in their knowledge.
➡️ Restrict file access
Limit access to databases and networks to only those that need them. When sending files, advise employees to zip them up first, as this is generally a safer option.
➡️ Get a dark web scan
Once a hacker has obtained private information, they often upload it for sale on the dark web (a part of the web, often used by cybercriminals, that can only be accessed using special software such as the Tor Browser). A dark web scan searches the dark web for your information. If it is found, you will be alerted so you can take the necessary steps to safeguard your personal information.
Have you received a similar text message recently?