How to Navigate Smishing

What is “Smishing”?

Smishing targets individuals through SMS (short message service). It is a combination of “SMS” and “phishing”. In a smishing attack, cybercriminals can send deceptive text messages to mislead victims into sharing personal/financial information, clicking on malicious links, or downloading harmful software. These messages often appear to be from trusted sources and use tactics to create a sense of urgency, curiosity or fear to manipulate the recipient. Smishing can lead to data theft, financial fraud, malware installation, and other malicious outcomes.

There are 3 types of smishing attacks:

1. Credential phishing – Trying to steal login credentials
2. Malware distribution – Luring victims to download malicious apps/software
3. Financial fraud – Tricking victims into sharing banking/payment info

How is this different from phishing and vishing?

Smishing

• Delivery method: SMS/text messages
• Example: A text message asking recipient to click a link to verify a suspicious bank transaction.

Phishing

• Delivery method: Primarily through email but it can also include websites and social media.
• Example: An email asking the user to reset their passwords due to a security breach, leading to a fake login page.

Vishing (Voice phishing)

• Delivery method: Phone calls
• Example: A fraudulent call from someone falsely claiming to be from the IRS, demanding immediate payment of back taxes and threatening legal consequences.
  ‍

How to Identify and Prevent Smishing as an individual:

• Be cautious of any unsolicited texts, especially those with hyperlinks or requests for sensitive info.
• Avoid unknown numbers or numbers you do not recognize
• Verify the sender before taking any action (ask HR to confirm sender’s number, send a direct message on Slack, Teams, or LinkedIn to the individual to confirm the request)
• Do not send over personal or financial information over text messages

We highly recommend organizations to implement cybersecurity measures such as SMS filtering, multifactor authentication (MFA), and anti-phishing tools. Simulating smishing tests can provide awareness across the team and establish a reporting protocol.

MFA

• 1Password
• Google Authenticator

User Education and Awareness Training

• KnowBe4
• Hook Security
  ‍

Reach out to learn more about what you can do to protect your private information.

‍