Smishing Basics and Evolving Attacks
Anyone with a mobile phone in 2022 has probably seen a smishing message on their screen, even if they don’t know what smishing is. It is the mobile counterpart of the typical phishing message (where an email attempts to elicit a victim’s private data), except that it uses mobile channels such as SMS instead of email.
Unfortunately, these fraud schemes are succeeding even against more tech-savvy and vigilant targets. There are regular media reports of technology companies suffering breaches caused by credentials inadvertently disclosed through such attacks.
These attacks should serve as a cautionary tale: smishing attacks are not just on the rise but also growing in sophistication. The success of an attack like this relies on the perpetrator’s ability to make the message look legitimate, and the strategies for doing so evolved considerably during the pandemic-related spike in smishing.
In every form, smishing is characterized by the same three steps:
- Targets receive a message on their mobile devices with a link claiming to be from a legitimate source.
- The link leads the victims to a legitimate-looking web page where they are asked to submit personal information, such as their bank account or credit card numbers.
- The fraudster uses that information for criminal gain.
One of the most successful schemes, which has grown massively in popularity, follows a very simple choreography: the victim is sent a message from a supposed mail carrier, e.g., “FedEx scheduled delivery for parcel number 2374619381 is delayed. Sign in to https://fedx-rescheduleasap.com to reschedule delivery.”
When the victim follows the link, they see a website that looks very much like an official FedEx web page, where they are presented with a form asking for their personal details.
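The carrier scam above works because the link’s domain only resembles the brand it impersonates. As an added example (not code from the article or from Soprano), this Python script extracts URLs from inbound SMS text and flags domains that are near misses of, or embed, an assumed list of carrier brand names; the brand list and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Brand domains that genuine delivery notices link to (assumed, illustrative list).
KNOWN_BRANDS = {"fedex": "fedex.com", "dhl": "dhl.com", "usps": "usps.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of the host: a crude heuristic that is fine for the .com examples here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_link(url: str) -> tuple[str, str]:
    """Return (verdict, brand) where verdict is 'legit', 'lookalike' or 'unknown'."""
    domain = registrable_domain(urlparse(url).hostname or "")
    for brand, legit in KNOWN_BRANDS.items():
        if domain == legit:
            return "legit", brand
    for tok in domain.split(".")[0].split("-"):  # 'fedx-rescheduleasap' -> ['fedx', 'rescheduleasap']
        for brand in KNOWN_BRANDS:
            # one-character near miss (fedx) or brand name embedded in a longer label (fedex-tracking)
            if levenshtein(tok, brand) <= 1 or brand in tok:
                return "lookalike", brand
    return "unknown", ""

def scan_sms(text: str) -> list[dict]:
    """Extract every URL in a message and classify its domain."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)\u201d")  # drop trailing punctuation glued to the link
        verdict, brand = classify_link(url)
        findings.append({"url": url, "verdict": verdict, "brand": brand})
    return findings

# Constructed sample messages; the first is the carrier-scam text quoted in the article.
SAMPLE_SMS = [
    "FedEx scheduled delivery for parcel number 2374619381 is delayed. "
    "Sign in to https://fedx-rescheduleasap.com to reschedule delivery.",
    "Your package is on the way. Track it at https://www.fedex.com/track",
    "Reminder: your appointment is tomorrow. Details: https://example.org/appt",
]
```

A "lookalike" verdict is a triage signal for a reviewer or a user-reporting workflow, not proof of fraud; the token heuristic will also produce false positives on benign domains that happen to contain a brand string.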
The Increasing Costs of Smishing
Smishing is not just a headache for individuals; it is a huge liability for businesses, whether the target is a customer or a firm’s internal operations. No matter how SMS fraud is executed, everyone in the communication flow suffers.
Its consequences include downtime for users, remediation time for IT teams, damage to reputation, business impact from loss of intellectual property, incident response costs, loss of customers, and potential legal costs.
In other words, while smishing is not generally considered the responsibility of a firm, it does result in massive, unavoidable costs in servicing victims who have been attacked by a smisherman (you read that right: it is a name for cyber criminals whose method is smishing).
Take this attack on OCBC bank in Singapore for example: according to the Business Times, OCBC incurred $13.7 million worth of losses to pay 790 victims who had given their account information away to a smisherman. Wherever the consequences fall, the sender, provider, authorities, and the end recipient must proactively prevent and defend against smishing.
Tips for Enterprises Wanting to Mitigate the Risk of Smishing Attacks
- Increase your security awareness and teach users and partners how to recognise a smishing attack and how to report it.
- At a minimum, send simulated smishing texts to all your employees annually and measure the results to help tune your security training.
- Implement two-factor authentication in your applications, as this will make it harder for cybercriminals to gain access to your systems even when they have an employee’s username and password.
- Restrict access to your applications using IP address controls as an additional form of verification.
Advanced Smishing Prevention
In times like these, when CGNET reports that global smishing attempts increased by 69%, the responsibility to reduce SMS fraud and avoid ramifications should be a chief priority for anyone in the business of mobile communication.
Soprano recommends two key steps to take today: educate your organization on the present risks and partner with an expert to orchestrate your critical messaging.
If you are considering how to better secure your communications, Soprano offers a suite of features that help protect our customers and their end message recipients. One such feature is the newly released Fraud Detection and Prevention Service (API), a stand-alone API dedicated to detecting and flagging possibly fraudulent mobile numbers on the platform.
Users can start filtering for fraudulent numbers by setting configurable parameters in Soprano Connect, which assigns values to three indicators of risk: SIM Swapping, Trusted Network, and Call Forwarding.
Each fraud check can be assigned a scorecard value, and the three values must sum to 100. Users can choose to check for all three, two, or a single fraud type. When this license is purchased, users can (in conjunction with the HTTP API and Connect API SMS) decide whether or not to send an SMS based on a predetermined risk threshold configured within the platform.
With this feature in place, users who send sensitive messages (like one-time passwords) can withhold messages from numbers or devices indicating that they might be part of or targets of fraud.
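To make the scorecard logic concrete, here is an added example (not Soprano’s code or API schema) of how a sender of one-time passwords might model the three indicators, enforce the sum-to-100 rule, and gate sending on a threshold. The indicator names, weights, threshold and lookup results are all assumed values constructed for illustration.

```python
# The three risk indicators the article names; the weighting model below is assumed.
INDICATORS = ("sim_swapping", "trusted_network", "call_forwarding")

def validate_weights(weights: dict[str, int]) -> None:
    """Enforce the described rule: the enabled checks' scorecard values must total 100."""
    unknown = set(weights) - set(INDICATORS)
    if unknown:
        raise ValueError(f"unknown indicators: {sorted(unknown)}")
    if not weights or any(w < 0 for w in weights.values()):
        raise ValueError("at least one indicator with a non-negative weight is required")
    if sum(weights.values()) != 100:
        raise ValueError(f"weights must sum to 100, got {sum(weights.values())}")

def risk_score(weights: dict[str, int], flags: dict[str, bool]) -> int:
    """Sum the weights of enabled indicators whose lookup flagged the number.

    flags[name] is True when that check found risk (a recent SIM swap, an untrusted
    network, or active call forwarding); indicators absent from `weights` are ignored,
    which is how a two-check or single-check configuration is expressed."""
    validate_weights(weights)
    return sum(w for name, w in weights.items() if flags.get(name, False))

def decide(weights: dict[str, int], flags: dict[str, bool], threshold: int) -> dict:
    """Withhold the message once the score reaches the configured risk threshold."""
    score = risk_score(weights, flags)
    return {"score": score, "action": "withhold" if score >= threshold else "send"}

def triage_batch(weights: dict[str, int], lookups: dict[str, dict], threshold: int) -> dict:
    """Apply the policy to a batch of recipients before an OTP send."""
    return {rid: decide(weights, flags, threshold) for rid, flags in lookups.items()}

# Constructed policy: an OTP sender weights SIM swapping most heavily and blocks at 40.
OTP_WEIGHTS = {"sim_swapping": 50, "trusted_network": 30, "call_forwarding": 20}
OTP_THRESHOLD = 40
# Constructed lookup results for fictional recipients (no real numbers).
SAMPLE_LOOKUPS = {
    "recipient-A": {"sim_swapping": True, "trusted_network": False, "call_forwarding": False},
    "recipient-B": {"sim_swapping": False, "trusted_network": False, "call_forwarding": True},
    "recipient-C": {"sim_swapping": False, "trusted_network": True, "call_forwarding": True},
}
```

With these values, recipient-A (recent SIM swap) and recipient-C (two weaker signals combined) are withheld while recipient-B is sent, which shows why the threshold, not any single indicator, is the control to tune.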
Fraud is an increasingly pervasive issue in mobile communications, and firms have a responsibility to protect themselves and their audiences whenever possible. With the Fraud Detection and Prevention Service API, Soprano offers increased customer protection and proactive defence for their message recipients.
Soprano Design has delivered messaging for financial institutions, hospitals, governments, airports, and other security-conscious industries for 28 years. Our customers’ needs require a higher level of service and delivery because their messages serve critical business purposes.
We are proud members of the Mobile Ecosystem Forum (MEF), a global trade association whose members are companies whose products power mobile services such as messaging, content, advertising and IoT.