If phishing were an animal, it would probably be a chameleon. Phishing via email or text message (SMS), by phone, sent in large volumes or through targeted spear-phishing attacks…
Phishing can definitely take on multiple shapes!
In our case, phishing through text message (SMS) is called SMishing. And it’s on the rise.
The good news in all this? It’s possible to decrease the risk of falling for a phishing attack by understanding what the hackers are doing, and how. This is the goal of this article.
SMishing is a kind of phishing attack. In a SMishing attack, hackers use the text message channel to lead their target into taking action: clicking on fraudulent links and providing confidential information (credentials, banking information, one-time passwords…), downloading malware, giving permissions to third-party apps…
By conducting these attacks via SMS, hackers have the same goals as in a phishing attack: either to obtain information in order to exploit it (by reselling it or using it in an attack) or to use the action (like downloading malware) as a step in their attack.
There are numerous phishing examples. Below, you can find some of them.
Phishing attacks via text message are increasingly used by hackers (some studies have shown that as many as 7 out of 10 people could have received SMishing attacks in 2021). For them, SMishing represents an effective attack vector.
According to a French research center, text messages are read 95% of the time, much higher than for emails.
The speed with which we consult our text messages is also interesting for hackers: 92% of marketing text messages are read within 4 minutes of being received.
This is another advantage for hackers: curiosity seems to be higher (or at the very least reaction to messages) on a phone than on a computer. We’re three times more likely to click on the link contained in a message on our phone than on a computer.
This is now common knowledge: hackers (like all fraudsters in fact), rely on psychological triggers (social engineering) in order to incite their targets into clicking a link and taking action afterwards.
What are the triggers used in SMishing attacks? Here are a few of the main ones used:
Confronted with these different psychological triggers, the human mind needs to be particularly vigilant to avoid falling into the temptation to click on a link.
Phishing text messages often contain a link through which hackers can trick their targets and conduct their attacks. This link is often hidden through the use of URL shorteners (Bitly, TinyURL) in order to make it harder to analyze by the reader.
From a technical perspective, this is called “link obfuscation” because the final address is hidden behind meaningless characters.
And if the link is going to be completely visible, hackers will make sure to use a look-alike name or website, changing a few characters or masking the domain in order to pass for a legitimate business.
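The two tricks just described (shorteners that hide the destination, and look-alike domains that imitate a legitimate brand) are exactly what a defender can screen for before a link is ever tapped. The following script is an added example written for this article, not code from the original post: it pulls URLs out of a text message and flags shortener hosts, bare IP hosts, character-substitution look-alikes, near-miss spellings and "brand name used as a subdomain of an unrelated domain". The shortener list, the brand list, the substitution table and the sample messages are all constructed for the example; the domain parsing is deliberately naive (last two labels), which is enough for these hosts but not for country-code suffixes such as .co.uk.

```python
"""Flag suspicious links in SMS text: shortener use and look-alike domains.

Added illustration for this article. The lists below are constructed for
the example and are not a real threat feed.
"""
import re
from urllib.parse import urlparse

# Shortener hosts often used to hide a phishing destination (constructed list;
# the article itself names Bitly and TinyURL).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# Legitimate registrable domains we want to protect (constructed, ordered list
# so that the reasons come back in a stable order).
KNOWN_BRANDS = ("paypal.com", "amazon.com", "dhl.com", "uber.com")

# Character substitutions commonly used to build look-alike names (constructed).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "@": "a", "$": "s", "|": "l"})

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Naive eTLD+1: keep the last two labels of the host name."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return the list of reasons a URL looks suspicious (empty list = nothing flagged)."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url  # let urlparse see a scheme for "www." links
    host = (urlparse(url).hostname or "").lower()
    rd = registrable_domain(host)
    reasons = []
    if rd in SHORTENERS:
        reasons.append("shortener hides final destination")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("bare IP address as host")
    if rd in KNOWN_BRANDS:
        return reasons  # the genuine brand domain: no look-alike checks needed
    name = rd.split(".")[0]          # e.g. "paypa1" from "paypa1.com"
    subdomain_labels = host.split(".")[:-2]
    for brand in KNOWN_BRANDS:
        brand_name = brand.split(".")[0]
        if name == brand_name:
            reasons.append(f"{brand_name} with a different top-level domain ({rd})")
        elif name.translate(CONFUSABLES) == brand_name:
            reasons.append(f"character substitution imitating {brand}")
        elif len(brand_name) >= 5 and levenshtein(name, brand_name) == 1:
            reasons.append(f"near-miss spelling of {brand}")
        elif brand_name in subdomain_labels:
            reasons.append(f"{brand} used as a subdomain of unrelated domain {rd}")
    return reasons


def scan_message(text):
    """Map each flagged URL in a message to its list of reasons."""
    findings = {}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")  # trailing punctuation belongs to the sentence
        reasons = classify_url(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample messages in the style the article describes.
SAMPLE_MESSAGES = [
    "DHL: your parcel is waiting. Reschedule delivery: https://bit.ly/3xAbCdE",
    "PayPal: unusual sign-in detected. Verify now at http://paypa1.com/verify",
    "Your Amazon order was cancelled. Review it at https://amazon.com.order-check.info/login",
    "Reminder: your Uber receipt is available at https://uber.com/receipts/12345",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg)
        for url, reasons in scan_message(msg).items():
            print("  FLAGGED", url, "->", "; ".join(reasons))
```

Run as a script it prints each sample message with the links it flags; the fourth message (a genuine uber.com link) produces no finding. The checks are heuristics: the edit-distance rule is limited to brand names of five or more characters and a distance of exactly one to keep short names such as "uber" from matching ordinary words, and a production filter would replace the naive domain split with a public-suffix list.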
For hackers, SMishing is most often only the first step. It can be used as a means to gain initial access and deploy malware. In these cases, the victim receives a text message with a link. Clicking the link installs malware on the phone, which can then be used to harvest credentials or banking information, passwords, contacts, messages, etc. FluBot is an example of such malware.
Another use case is the reliance on SMishing in support of Business Email Compromise attacks. In these cases, the target receives a message which seems to come from an executive (CEO SMishing) or from a specific person in a company, asking for a money transfer or for confidential information.
Initially deployed via email, these Business Email Compromise attacks can now be sent via text message. This was, for example, the case in a 2022 cyberattack on Uber. After stealing the credentials of an employee of the company, a hacker impersonated Uber’s IT service and contacted the target via WhatsApp in order to get them to validate multi-factor authentication requests, enabling the hackers to gain access to their account.
Finally, SMishing can be an integral step to the bypassing of multi-factor authentication: hackers will initiate a connection (just like in the Uber hack) with credentials but will send a social engineering text message to obtain the one-time password received by the target, and thereby access their account.
From a technical standpoint, companies can deploy security solutions for mobile endpoints. Their goal: to protect their employees’ professional phones through certain functionalities.
These include using a mobile endpoint management solution, forcing updates to users’ phones (OS and app updates), limiting the installation of applications and keeping an eye out for suspicious behavior, with the ability to revoke mobile access.
This being said, even the best technical solutions will never be 100% foolproof, especially when human vulnerability is exploited. Some (if not most, when well crafted) attacks will always get through to their targets.
Phishing text messages are harmless as long as the user doesn’t click on the links or answer them. The best way to reinforce a company’s protection against SMishing attacks is to take steps that tackle their human aspect.
Protection against SMishing attacks is within reach of most users, regardless of their digital maturity, and can be summarized in a few words: reflexes, vigilance, common sense. For example:
It’s much more difficult to fight against something that you don’t know or understand. The best way to raise awareness among your teams about the threat of SMishing is to teach them about this attack vector: analyze real SMishing examples, highlight which psychological tricks hackers use (and are therefore tell-tale signs of a potential attack), what the consequences for them, their colleagues and their company could be…
It might be a good idea to include some SMishing scenarios in your phishing simulation campaigns. There’s nothing like exposure to attacks under real-life conditions to see how your employees would react (and how they can improve).