Without totally neglecting technology and going off-grid to live like a hermit, being subject to some form of phishing or smishing attack is now unavoidable.
Its prevalence has continued to grow. A report released towards the end of 2021 showed that 73% of the UK’s companies suffered data breaches that stemmed from phishing within the past year – quite a startling statistic.
SMS phishing – or rather smishing – is one of the newer approaches to be wary of. Statistics last year show that during the first six months of 2021, smishing reports grew by 700%, compared to the second half of 2020.
The fact is, no matter the size of the name or brand, nobody is safe, as was highlighted by the attack that Royal Mail endured in March 2021, resulting in millions of people being scammed in one single, yet simple, hit.
In this article, we review the steps that anyone can take to better protect themselves from SMS phishing attacks moving forward…
Smishing attacks will continue to rise for a simple reason… because it is easy to do
There are well-known published lists of number ranges that a hacker can go through. However, there is nothing in place to protect against that. There is also the simple tactic of chancing your arm and just guessing an individual’s phone number.
Mobile networks have number ranges and, from there, a hacker can just make their way up the list. It’s an easy tactic and doesn’t take a lot of effort, especially when the smishing message being pumped out has the potential to resonate with anyone, as we alluded to with the Royal Mail example at the beginning of this article.
More needs to be done to educate employees within businesses about smishing
Right now, smishing is much more a consumer issue than it is a business one. However, it is fully expected that this will change in the future.
And awareness is key here.
Despite how prominent phishing and smishing are, the latest data shows that only one in five businesses deliver phishing training to their employees once per year. A 2020 poll also suggested the following were the top reasons why an employee got sucked into a phishing attempt:
- ‘I was distracted’
- ‘The comms looked legitimate’
- ‘The comms was supposedly from a senior executive at my organisation’
- ‘The comms was supposedly from a respected brand’
The advancements in technology mean phishing can be made to look almost authentic. As part of this article, we’re going to review some of the best forms of smishing protection available, but the truth is that security awareness and recognising the warning signs of phishing and smishing activity are more important.
That can be as simple as asking yourself some of the following questions:
- Is the website I’m clicking through to legit or a lookalike? The URL is often a giveaway for this.
- Is the sender who they say they are? One tap of a contact will show whether your sender is who they say they are. Is the email address correct and one you’ve seen before?
- What’s the context of the message? Are you expecting comms from the sender, or is it asking you to do something they ordinarily wouldn’t?
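The lookalike-URL question above can be partly automated. The following is an added example, not code from the original article: it pulls links out of an SMS body and compares each hostname against an allowlist, going slightly beyond the text by also flagging `@` userinfo and punycode labels. The brand `parcelco`, its domain `parcelco.example`, the function names and the sample messages are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: brand keyword -> the only domain that brand sends links for.
TRUSTED = {"parcelco": "parcelco.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url):
    """Return 'trusted', 'unknown' or a 'lookalike: ...' reason for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if parts.username is not None:
        # Anything before '@' is not the host, however familiar it looks.
        return "lookalike: userinfo before @"
    if any(host == d or host.endswith("." + d) for d in TRUSTED.values()):
        return "trusted"
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised label: may render as letters that imitate a brand.
        return "lookalike: punycode label"
    tokens = [t for t in re.split(r"[.-]", host) if t]
    for brand in TRUSTED:
        if brand in host:
            return "lookalike: brand name on an untrusted domain"
        if any(0 < edit_distance(t, brand) <= 2 for t in tokens):
            return "lookalike: near-miss spelling of " + brand
    return "unknown"

def scan_sms(text):
    """Extract every link from an SMS body and classify it."""
    urls = [u.rstrip(".,)") for u in URL_RE.findall(text)]
    return [(u, classify_url(u)) for u in urls]

if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    for sms in ("ParcelCo: track at https://www.parcelco.example/track?id=1",
                "ParcelCo: fee due, pay at http://parce1co.example/fee.",
                "Your parcel: https://parcelco-redelivery.example.net/pay"):
        print(scan_sms(sms))
```

A result of `unknown` only means the host matched none of the heuristics; the sender and context questions still apply.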
Finally, it’s important to report any phishing or smishing attempt. The best location to report a phishing website or text is via the National Cyber Security Centre website.
The Government operates a 7726 text service that enables people to report phishing text messages for free, while Which? launched its own phishing scam reporter tool in March.
Internet security protection on your mobile devices is the single-best protection against smishing
The first place to start is with mobile security apps that include web protection modules. The antivirus element is somewhat effective on mobile phones, less so on iOS because of how Apple’s operating system is set up. However, it’s the broader security features they sometimes offer, like web protection, that can really help with smishing and phishing.
These security apps with web protection, essentially, sit in the background and monitor your internet activity, check the reputation of the links you’re clicking on or DNS requests that you’re making and will flag whether something looks suspicious.
Lookout is a good example of that software. Bitdefender has an app, too. As with all security products, they can’t catch everything but some protection is better than none. These apps can also help against phishing as links clicked in emails will also be checked.
Good account hygiene, like two-factor authentication, is a big part of that. Businesses can have centrally managed two-factor authentication. We use Cisco Duo, which is a great tool for managing 2FA across your business and keeping it streamlined.
While it doesn’t have the same ring to it as phishing, smishing is a very real threat, one that the majority of the world is exposed to.
If you have a way that you can be contacted, then you’re at risk. It’s as simple as that. Without taking yourself off-grid, there is no way of taking yourself out of the loop and being targeted.
While SMS is growing, we can’t discount email. We live in a world where scammers and criminals are using several different tactics depending on the data they’re trying to get, a blend of both SMS and email in a frighteningly convincing way.
As users, we’re required to have a multi-layered security approach – one that incorporates up-to-date education but also investment in software across our digital devices to ensure you, your business, or your staff don’t fall foul of these tactics.