Smishing and the evolving social engineering threat
27 September 2018
By Stephen Burke, CEO and Co-Founder of Cyber Risk Aware
The majority of security defences focus on preparing for advanced new malware and zero-day attacks, but the most effective weapon in the cyber criminal’s arsenal is often a psychological one. Social engineering attacks that use a combination of impersonation and confidence tricks can easily deceive targets into compromising their own security.
Social engineering has also evolved rapidly in recent years, and criminals can now routinely deploy attacks that are personally targeted and use multiple mediums. The abundance of major data breaches over the last few years means that a fraudster can easily acquire several sets of data and contact points for their victim to increase their legitimacy. In particular, we have seen a steady rise in the use of smishing: phishing attacks which incorporate SMS text messages.
Smishing in action
There have been several high-profile examples of smishing attacks this year which showcase how effective combining texts with emails and calls can be. For example, a few days into January, just as shoppers were likely to be considering post-Christmas sales, a major campaign sent texts purporting to be from the retailer Argos, offering free gift cards and including a link to a form for bank details.
The attack also demonstrated a particularly insidious technique known as number spoofing, which enables the imposter to insert their text into the thread of genuine messages from Argos. Even the most suspicious shopper will often have their fears allayed when the text appears alongside messages they know to be authentic.
A recent attack used an even more daring approach by bringing phone calls into the mix. The attack was initiated with a text stating there was a problem with the target’s Argos card, and providing an 0800 support number. The criminals even went to the trouble of creating a convincing copy of the automated Argos phone menu, and had skilled fraudsters waiting to talk to anyone who fell for the trap.
The threat to businesses
Many high-profile fraud campaigns involving smishing tend to target consumers, and as demonstrated by the Argos examples this year, there is scope for impersonating trusted brands such as retailers and using lures such as gift cards and free items.
However, while consumers are usually targeted for their personal and financial details, social engineering techniques can also be used to acquire information relating to their workplace. Criminals planning an attack on a specific organisation can easily discover the individual details of employees and target login credentials.
Social networks make it trivially easy to gather enough information to attack, and mobile numbers are often freely available on company sites without the need to purchase stolen data. Impersonating a trusted authority figure over text can trick targets into sidestepping security concerns and giving up information.
As with deceptive emails, smishing messages will usually rely on trust and authority to override security concerns. For example, an attacker could impersonate a senior executive with the message “I’m travelling but my laptop died – can you send me the SharePoint login? It’s urgent”. Attackers can even impersonate automated security functions like 2FA to harvest credentials from workers who believe they are being security conscious.
While workers are becoming more aware of good security practice in the workplace, many people fail to consider that they may still be a target when they head home, and are more vulnerable as a result. Most of us do not scrutinise our mobile devices to anywhere near the same extent as we do a desktop, particularly as we are more likely to be travelling or multitasking. With the number of incidents growing, organisations need to be aware of the risks of smishing and start taking action to protect their employees.
How can businesses defend against smishing?
From a technical standpoint, smishing can present a greater challenge than email-based phishing attacks. While increasingly advanced email security solutions can readily detect fraudulent emails, identifying a fraudulent SMS message is more complicated. Companies can also do little to prevent smishing messages being sent to an employee’s device.
With this in mind, awareness is one of the best defences against the threat of smishing, as fraudsters rely heavily on their victim being unaware of the risk. Organisations concerned about their staff being targeted by text can launch awareness campaigns to inform their workforce of the threat and instil better practice around security.
As well as training sessions and guidance material, companies may also consider using a simulated phishing attack campaign on their employees that incorporates smishing. Employees who are caught out by a simulation will generally take the lesson to heart more readily than those who have simply read a pamphlet. Consumer-facing organisations should also regularly inform their customers about the latest scams impersonating their brand and provide advice and guidance.
With smishing being both highly effective and difficult to detect, we are likely to see an increase in both volume and sophistication in the coming years. Businesses must ensure that their employees and customers are aware of the risk and prepared to spot the signs of an attack.