Note: This content is originally published by our partner DGC in their blog, the copyright belongs to DGC.
SMS from unknown senders can cause a lot of damage, especially on smartphones used for business purposes. Attackers often use a method called smishing to do this. We explain how SMS phishing works and show how companies can minimize the risks.
Smishing: How SMS phishing works
Smishing (SMS phishing) uses text messages to lure victims into an action: clicking a link, starting a download, or opening an attachment. The link takes the victim to a fraudulent website that either asks for data or pushes a download, typically a malicious app that gives the attacker access to the smartphone and to the personal data or company information stored or accessible on it. Either way, the message creates an initial foothold from which confidential information can be reached. Information that such pages frequently ask for includes:
- Personal data such as names and addresses, which can be used for identity theft
- Online credentials such as usernames and passwords, which give attackers access to further applications and the data in them
- Financial data such as card or account details, which can be resold or used directly for online fraud
Some smishing campaigns are considerably more sophisticated. Automated sending tools (bots) let attackers personalize messages at scale, for example by referring to the recipient's location. Pretexting is also common: the attacker first calls the victim under a plausible pretext and elicits personal details that later make the SMS look trustworthy. If the stated reason for the call sounds credible and the victim is reached at a stressful moment, for example between two meetings, confidential data is disclosed all too easily.
To make employees aware of the risks and subtleties of practices such as smishing, decision-makers should rely on regular, targeted training and workshops. Some service providers offer security awareness training for this purpose, in which the entire workforce learns to handle such cyber risks correctly.
Examples of proven smishing attacks
Phishing SMS on business devices has already caused quite a stir. In the fall of 2021, according to the German Federal Office for Information Security (BSI), two lures dominated smishing campaigns: the SMS claimed that a voice message was waiting for the recipient, or that the device was infected with malware. Attackers also increased the pressure by claiming that photos or documents stored on the smartphone had been leaked. The attached link invited the user to download the alleged voicemail or a supposed new antivirus program.
Impact for companies
The latter type of smishing is especially unpleasant for recipients: the thought of being responsible for a data leak makes it more likely that they fall for the SMS. For companies, the consequences can be serious. If malware reaches the internal network through smishing, it usually takes some time before the IT department notices, which is enough time for the attackers to steal, sell, and publish data. Besides the direct financial loss, companies must then reckon with a severe loss of trust on the part of their customers.
How to recognize and protect yourself from a smishing attack
Once malware has entered the company network via a forged SMS, the extent of the damage is hard to assess, and any resulting data leak must be closed immediately to limit further harm. The first line of defence is therefore recognizing the message before anyone acts on it. Phishing SMS usually contain signs that point to an untrustworthy source. These can be:
- A reference to a package delivery or an alleged prize, although the user has not ordered anything and has not entered any sweepstakes, least of all with the business smartphone.
- Spelling and grammatical errors, which suggest that the sender is not a professional, credible company. Their absence, however, proves nothing, since well-made campaigns are error-free.
- Supposed bank notices. A bank does not ask customers to confirm credentials or payments via a link in an SMS; in such a case, verify through the bank's known phone number, or through the company's finance department if a business account is involved.
- The sender itself. Most phishing SMS come from unknown numbers, so a link from an unknown sender deserves particular caution. A message from a known contact is not automatically safe, though: an infected phone may be sending malicious SMS to its contact list automatically.
Important safety precautions for companies
With the right measures, companies can reduce the risks of smishing:
- Use a VPN: A VPN encrypts the device's traffic and hides its IP address from the networks it passes through, which protects browsing on public Wi-Fi and keeps web activity away from outsiders on that network. It does not, however, stop a user from entering credentials on a phishing page, and the location details in a personalized smishing message generally come from the attacker's own data about the phone number rather than from the device's IP address. A VPN is therefore a sensible baseline for business smartphones, but not a smishing countermeasure in itself.
- Multi-factor authentication: With multi-factor authentication, access is verified by several independent factors, such as a one-time code from an authenticator app, a hardware token or smart card, or a fingerprint. A stolen username and password alone is then usually no longer enough for the attacker. Codes delivered by SMS are the weakest variant, since a phishing page can ask for the code and relay it to the real login in real time; phishing-resistant methods such as FIDO2 security keys or passkeys close that gap.
- Comprehensive security concept: Companies that develop a uniform and comprehensive concept for dealing with threats from the network, for example by using a vulnerability scanner or carrying out regular penetration tests, give themselves additional protection. A known and patched attack surface limits what a compromised smartphone can reach, and an attack that does get through is more likely to be detected and stopped early.
Ideally, companies rely on a strong partner to increase their IT security precautions. A suitable service provider offers support far beyond security awareness training – with a 360-degree approach to proactively prevent threats from cyber criminals.
Smishing link clicked? Our recommendations for action
In addition to the preventive measures, it is advisable to give staff concrete instructions for the moment something goes wrong. Employees can take these steps themselves to prevent worse:
- Enable flight mode: This stops the device from sending and receiving further SMS and cuts off any malware from its command servers and from spreading by sending messages from the device, as long as Wi-Fi is not switched back on. If credentials were entered on the linked page, change them immediately from a clean device and report the incident to IT.
- Have a third-party provider block set up: The mobile network provider can block charges from third-party services on the mobile phone bill, so that a subscription triggered by a malicious link cannot be billed.
- Perform vulnerability scans: Regular scans let companies identify security gaps as early as possible and so reduce the damage a compromised device can do. IT security tools such as cyberscan.io® check the entire IT landscape and report vulnerabilities and existing risks.
Conclusion: Effectively counteract smishing
The effects of smishing can cause major problems for companies. With attentive, well-trained staff and precautions such as a comprehensive IT security concept, companies can effectively counter this type of cyber attack. In particular, regular IT security training and continuous vulnerability monitoring contribute to effective protection against smishing.