
How to avoid becoming a victim of SMiShing (SMS phishing)

Mar 07, 2013 · 6 mins
Data Center

Get ready for SMiShing, or phishing attacks that come to your mobile phone. These types of attacks are on the rise, and with so many people using their smartphones to access corporate networks and data, it’s a new danger in the world of BYOD. Follow these tips to avoid becoming a victim.

Everyone’s talking about BYOD. Does it really mean “bring your own device,” or does the D stand for “danger”? With concerns about malware on smart devices, data breaches from lost or stolen devices, and malicious applications that siphon your contact list without permission, there certainly is a bit of risk from using mobile devices.

Another danger that is on the rise for smartphone users is SMiShing, or SMS phishing. A form of phishing, SMiShing occurs when a fraudster sends you an SMS/text message asking you to provide sensitive, personal, and/or financial information via a Web link and false website, or via a telephone number.

SMiShing has been around for at least five years, so why should we be concerned now? According to Mary Landesman, senior security researcher at Cloudmark, SMS spam campaigns in the U.S. grew by 400% in the first half of 2012, and about one-third of all SMS spam includes SMiShing attempts.

It’s not a surprise that SMiShing attempts should be growing so rapidly, considering that criminals go where their opportunities are greatest. They’ve got to be salivating over these statistics:

  • There are more than 6 billion cellphone subscribers in the world.
  • Nearly two-thirds of all adults with a cellphone use text messaging.
  • More than 90% of text messages are opened within 15 minutes of being received.

That last statistic about the open rate for messages is a key reason why many SMiSh attempts are successful. Criminals use this immediate responsiveness to their advantage. SMiSh messages usually have a sense of urgency to get you to act quickly without much thought. There may be an offer for something for free or at a great discount if you act now, or you may be urged to respond right away to keep something bad from happening. For example, you might get a message that appears to come from your bank, telling you that your credit card is going to be canceled unless you verify your account right away. Or, you can get a free gift card from a retailer if you are one of the first people to visit a Web page (which happens to be fake).

SMiShing isn’t just bad for individuals; as more and more people use their personal devices at work, corporate data and networks can be affected too. Like phishing, SMiShing can be used to plant malware such as a keystroke logger or botnet code. Once the smartphone is compromised, the criminal can do any number of things: steal data, launch attacks, plant malware on servers, etc.

Most of us are becoming more aware of phishing attempts and learning how to spot a phish email. However, we are still too trusting of text messages that come directly to our phones, perhaps because the device itself is so personal. What’s more, criminals are clever and they make their SMiSh messages appear to be coming from a trusted source — a friend, a retail store you do business with, your bank, etc. Also, there’s no easy way to preview a link in a text message as you can in an email by moving your cursor over the link. Links in text messages are often condensed URLs so you really have no idea what they lead to.

End user training is available

Now that you know about SMiShing, let’s talk about ways to educate yourself and your user community to reduce the likelihood of falling for an attack. For a comprehensive educational program for your business, Wombat Security Technologies offers SmishGuru. Like Wombat’s other products that teach people how to avoid phishing and other security problems, SmishGuru uses simulated attacks and immediate feedback to people who fall for the SMiSh. A security administrator can send mock messages to end users and monitor how people react to the messages. If a person clicks on the embedded URL or calls the phone number in the message, he is counseled on how to change his behavior to stay safe in the future. See the images below for examples.

Figure 1: An example mock SMiSh message

Figure 2: The training delivered by SmishGuru when a user clicks the embedded URL

SmishGuru can be used to send periodic mock attacks just to keep users on their toes and to reinforce the safety message.

Tips to avoid falling for a SMiShing attack

Here are some general tips to share with your end users to help keep them from falling victim to SMiShing.

  • Avoid clicking links within text messages, especially if they are sent from someone you don’t know. But, be aware that attack messages can appear to come from someone you do know, so think before you click.
  • Don’t respond to text messages that request private or financial information from you.
  • If you get a message that appears to be from your bank, financial institution, or other entity that you do business with, contact that business directly to determine if they sent you a legitimate request. Review this entity’s policy on sending text messages to customers.
  • Beware of messages whose sender shows as “5000” or some other number that is not a cell number. Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number.
  • If a text message is urging you to act or respond quickly, stop and think about it. Remember that criminals use this as a tactic to get you to do what they want.
  • Never reply to a suspicious text message without doing your research and verifying the source. If your bank is really going to cancel your credit card, you should be able to call the number on the back of your card to discuss this matter with them.
  • Never call a phone number from an unknown texter.
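
For teams that want to apply these tips to reported or gateway-filtered messages, the sketch below scores a text against the warning signs listed above. It is an added example, not part of the original article or any vendor's product; the word lists, shortener hosts, threshold and sample messages are assumptions constructed for illustration.

```python
import re

# Assumed, illustrative lists; tune them to the traffic you actually see.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
URGENCY = re.compile(
    r"\b(urgent|immediately|right away|act now|today only|will be cancel+ed)\b", re.I)
SENSITIVE = re.compile(
    r"\b(verify|confirm|update)\b.*\b(account|card|pin|password)\b", re.I)
URL = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
PHONE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def indicators(sender, body):
    """Return the tip-derived warning signs present in one text message."""
    found = []
    # Tip: a sender that is not a cell number (short code such as "5000",
    # or an address left behind by an email-to-text gateway).
    if "@" in sender or len(re.sub(r"\D", "", sender)) < 10:
        found.append("non_cell_sender")
    hosts = [m.group(1).lower() for m in URL.finditer(body)]
    if hosts:
        found.append("link")
    if any(h in SHORTENERS for h in hosts):
        found.append("shortened_url")  # destination cannot be previewed
    if URGENCY.search(body):
        found.append("urgency")
    if SENSITIVE.search(body):
        found.append("sensitive_request")
    if PHONE.search(body):
        found.append("callback_number")
    return found


def triage(sender, body, threshold=2):
    """'hold' once enough signs stack up; the threshold is an assumption."""
    return "hold" if len(indicators(sender, body)) >= threshold else "deliver"


# Constructed sample messages (not real traffic).
SAMPLES = [
    ("5000", "ALERT: your credit card will be canceled unless you verify "
             "your account right away at http://bit.ly/EXAMPLE"),
    ("alerts@txt.example.invalid",
     "You won a free gift card! Act now, call 412-555-0199 to claim."),
    ("+14125550100", "Running late, see you at 6"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(triage(sender, body), indicators(sender, body))
```

Legitimate businesses also send from short codes, so a single sign on its own is treated as weak evidence; the score only holds a message when several signs coincide.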

Expect SMiShing to become more prominent in the coming year. The statistics are in the criminals’ favor, and it’s up to cellphone users to be smart about their behavior.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

