Social engineering has evolved in recent years to become one of
the most dangerous cyber threats facing companies today. A well-crafted
impersonation of a trusted contact or authority figure can easily trick the
target into giving away sensitive data, login credentials or wiring money into
criminal bank accounts.
We have also seen criminals evolve their tactics over the last couple of years to create even more cunning approaches that exploit knowledge about their target’s personal lives. The blurred line between professional and personal security is readily apparent in the increasing popularity of SMiShing attacks.
This technique
uses the same tricks commonly seen in normal phishing, but with SMS texting as
the medium rather than email and is often used in conjunction with other
attacks. With the number of incidents growing, organisations need to be aware
of the risks of SMiShing and start taking action to protect their employees.
SMiShing on the rise
The rising number of high-profile SMiShing campaigns saw mobile provider Three UK publish a guide to help customers spot messages from fraudsters after the company identified a significant increase in sophisticated attacks.
A particularly
prominent campaign emerged earlier this year in Australia, with scammers
targeting young men in the guise of a single girl and directing them to a fake
dating site designed to harvest their data.
We also saw a
significant upsurge in SMiShing attacks in the UK after the data breach suffered by TSB bank in April. This attack was notable because the criminals started with a wave of phishing
emails impersonating the bank, and then followed up with an SMS message to
those who fell for the email and entered their details.
Combining two
mediums in this way is an effective method for criminals to establish a sense
of legitimacy with their victims: people will more readily assume contact is
genuine if it arrives through several channels, just as they expect from a real
bank.
The most
high-profile campaigns tend to be those targeting consumers for their private
data, as these are more often reported to authorities and covered in the press.
However, SMiShing is also a powerful technique for spear phishing an
organization.
Impersonating a
trusted authority figure over text can trick targets into sidestepping security
concerns and giving up information. Attackers can even impersonate automated
security functions like 2FA to harvest credentials from workers who believe
they are being security conscious.
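The red flags described in the last few paragraphs (a brand name in the text but a bare phone number as sender, a look-alike or shortened link, urgency, and a message that asks for a 2FA code or password rather than delivering one) can be written down as a simple scorer. The Python below is an added example, not code from the original post or from any vendor it mentions; the trusted-domain allowlist, the sender numbers and the three sample messages are constructed for illustration, and the substring-based look-alike check is deliberately crude.

```python
"""Heuristic triage of SMS text for SMiShing indicators (added example)."""
import re
from urllib.parse import urlparse

# Assumption: domains the organisation, or the bank being impersonated, genuinely texts from.
TRUSTED_DOMAINS = {"tsb.co.uk", "example-corp.com"}
# Public URL shorteners hide the real destination, a common SMiShing trick.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
URGENCY = ("immediately", "within 24 hours", "suspended", "locked", "urgent")
# A genuine 2FA text delivers a code; it never asks you to send it back or type it elsewhere.
CODE_REQUESTS = ("reply with the code", "reply with your code", "send us the code",
                 "enter the code", "enter your code", "confirm the code", "share the code")
CREDENTIAL_RE = re.compile(r"\b(password|passcode|pin)\b")


def extract_hosts(text):
    """Return the lowercase hostname of every URL found in the message."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def lookalike_of(host):
    """Trusted brand label embedded in an untrusted host, e.g. tsb-secure-verify.com."""
    if is_trusted(host):
        return None
    for d in TRUSTED_DOMAINS:
        if d.split(".")[0] in host:   # crude: matches any substring, good enough for a demo
            return d
    return None


def triage_sms(sender, text):
    """Score one SMS. Returns (verdict, score, reasons)."""
    lower = text.lower()
    score, reasons = 0, []
    for host in extract_hosts(text):
        if is_trusted(host):
            continue
        target = lookalike_of(host)
        if host in SHORTENERS:
            score += 2; reasons.append(f"shortened link via {host} hides the destination")
        elif target:
            score += 3; reasons.append(f"link host {host} imitates {target}")
        else:
            score += 1; reasons.append(f"link to untrusted host {host}")
    if any(p in lower for p in CODE_REQUESTS):
        score += 2; reasons.append("asks for a 2FA/verification code")
    if CREDENTIAL_RE.search(lower):
        score += 2; reasons.append("asks for a password or PIN")
    if any(p in lower for p in URGENCY):
        score += 1; reasons.append("pressure/urgency language")
    brand_named = any(d.split(".")[0] in lower for d in TRUSTED_DOMAINS)
    if brand_named and re.fullmatch(r"\+?\d{6,15}", sender):
        score += 1; reasons.append("names a trusted brand but comes from a bare phone number")
    verdict = "likely smishing" if score >= 4 else "suspicious" if score >= 2 else "no indicators"
    return verdict, score, reasons


# Constructed sample messages: one real 2FA delivery, one fake-bank 2FA harvest,
# one "IT department" credential request using a shortener.
SAMPLES = [
    ("TSB", "Your TSB security code is 482913. It expires in 10 minutes. Never share it."),
    ("+447700900123", "TSB: unusual login detected. To keep your account active, reply with "
                      "the code we just sent you or visit http://tsb-secure-verify.com/login immediately."),
    ("+447700900456", "Hi, it's Dave from IT. We are migrating MFA today. Enter the code we text "
                      "you and your password at https://bit.ly/3xAbcD so you keep access."),
]


def run_samples():
    """Triage every sample; returns {text: (verdict, score, reasons)}."""
    return {text: triage_sms(sender, text) for sender, text in SAMPLES}


if __name__ == "__main__":
    for text, (verdict, score, reasons) in run_samples().items():
        print(f"[{verdict} / {score}] {text[:60]}...")
        for r in reasons:
            print("   -", r)
```

These are the same checks a trained employee applies by eye; as the next section notes, nothing in the organisation's mail or MDM stack sees the message, so the value of encoding them is in training material and reporting tools rather than in automatic blocking.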
Can SMiShing be stopped?
Preventing SMiShing attacks is a difficult challenge from a technical standpoint. Malicious texts are much harder to automatically identify and block than phishing emails, because they never pass through the corporate mail gateway, and companies have little control over messages sent to an employee's corporate or personal mobile. Mobile Device Management solutions enforce company policy on managed devices, but they do not inspect SMS content, and on their own they do not stop a user from following a link in a malicious text or email to a malicious website.
However,
organizations can make a difference by raising awareness with their customers
and employees about the threat of SMiShing. Employees need to understand the
methods that cyber-criminals employ to target people and benefit from
experiencing what an attack looks like in a controlled way before an actual
malicious event does occur.
Companies can
publish guides like the one from Three UK to offer advice, and also contact
customers to inform them more directly and provide options for reporting
suspected scams.
Beyond that,
organizations should seriously consider raising awareness with a simulated
SMiShing campaign. Nobody likes finding out they have been caught out and
tricked, even in a harmless simulation. It is a very personal experience that
drives the lesson home, and the staff member can be given immediate feedback,
an "instant awareness moment" that aids knowledge retention.
Unfortunately,
the increased volume and sophistication of SMiShing attacks we’ve seen over the
last year are likely to be the tip of the iceberg, and we can expect criminals
to continue refining their techniques over the coming months to take advantage
of unsuspecting victims.