Saturday, November 27, 2021

How To Avoid A Smishing Attack: 6 Golden Rules

OK, we made it through Black Friday... hopefully retail sales numbers were up for all stores, whether brick and mortar or online only.  But this just marks the start of the shopping season, which runs until Christmas Eve.  So while a lot of people will be enjoying shopping, the Cyberattacker will also be probing for any weak spot they can get into.

Interestingly enough, the trend in Ransomware attacks seems to have dissipated a little bit (from what I can tell), but now the uptick will be in Phishing Emails and, even worse, in Smishing Attacks.  Smishing is the same thing as Phishing, but the lure arrives as a text message instead of an email.

But the cunning thing about this is that it is really difficult to tell whether a text is legitimate or not, because there is no surrounding context in which to judge it.

Also, if you have a lot of contacts in your address book, the tendency might simply be to respond to a text without looking at it further.  And if this does happen, the chances of getting malware on your Android or iOS device become much greater.  Consider some of these stats:

*There has been a 270% increase in these kinds of attacks in 2021 versus 2020;

*Smishing text messages have an open rate of almost 98%;

*81% of companies in Corporate America, while not directly targeted, have become victims of Smishing attacks.

All of this, and of course much more, comes from Proofpoint in their end-of-year report entitled “2021 State of The Phish Report”.  It can be downloaded at this link:

https://www.proofpoint.com/us/resources/threat-reports/state-of-phish

It is also important to keep in mind that the Cyberattacker of today is more sophisticated than ever before when it comes to launching Smishing attacks.  The biggest catalyst for this has been the Dark Web, where pretty much anybody can purchase PII datasets for literally pennies on the dollar and craft a campaign that looks totally real.

Heck, the Cyberattacker can even hire a firm on the Dark Web to do it all for them, which is known as an “as a Service” type of attack.  Also remember that with this threat vector, it is pretty much your mobile device that is targeted. 

In a way this is good, because the chances of other things getting affected are a lot lower (unless they are somehow connected to your Smartphone).  But on the flip side, and as just mentioned, if you click on that link, your wireless device is pretty much done for.

Keep in mind also that the Smishing attacks predicted for this holiday season are pretty much financially motivated.  Although there is some interest in capturing your username and password, what the Cyberattacker really wants is to get your money and wire it off to some offshore account.  Thus, here are some of the key things to look out for:

*Most of these attacks involve getting a fake package delivery notice.  This is really more of a Social Engineering variant, as it preys on your sense of surprise to get you to respond.  Heck, I have started to get these, and I just simply delete them. 

*Some of these Smishing messages can also route you to a fake website where you are prompted to make a payment with your credit card if you want expedited delivery to your home address.  Obviously, telling a real website from a fake one on a Smartphone can be very difficult, because the screen is much smaller than a laptop's.  At least for me, when I see a website on my iOS device, only the actual domain comes up, not the entire directory structure of it.  That makes it even more difficult to tell.

*Another variant of the Smishing attack is a text message saying that you are eligible for a free gift or even free products if you click the link and fill out a survey.  The link of course takes you to a spoofed website that has you enter your username and password to reach the survey, which of course does not exist.
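The three lures above (fake delivery notice, payment for expedited delivery, free gift with a survey) share a few tell-tale features: a lure word, a push for urgency, a link, and a host that carries a courier's or retailer's name without being that brand's domain. The following script is an added example, not code from the original post or from Proofpoint or any carrier: it scores a handful of constructed sample texts against those indicators and separates the host (which is all a phone preview typically shows) from the full URL. The keyword lists, weights and threshold are my own assumptions for illustration, and the domain rule is a naive last-two-labels check rather than the public suffix list.

```python
"""Heuristic triage of SMS text for the smishing lures described in the post.

Added example, not from the original post or any vendor. Sample messages are
constructed; keyword lists, weights and threshold are arbitrary assumptions.
"""
import re
from urllib.parse import urlparse

# Bare or scheme-prefixed URLs; good enough for SMS bodies, not a full RFC parser.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)

# Lure vocabulary for the three patterns in the post (delivery notice, payment
# for delivery, free gift / survey) plus a credential-harvest bucket. Assumed lists.
LURES = {
    "delivery": ["package", "parcel", "delivery", "shipment", "shipped", "courier", "redeliver"],
    "payment": ["payment", "fee", "credit card", "pay", "expedited"],
    "reward": ["free gift", "won", "winner", "reward", "survey", "prize"],
    "credentials": ["verify", "login", "log in", "password", "account"],
}
URGENCY = ["now", "immediately", "today", "within 24 hours", "last chance", "urgent"]
# Brands a delivery lure tends to impersonate (constructed list); used only to spot
# hosts that contain the brand name without being the brand's own domain.
KNOWN_BRANDS = ["usps", "fedex", "ups", "dhl", "amazon"]
WEIGHTS = {"lure": 1, "urgency": 1, "url": 1, "lookalike": 2}  # assumption
SUSPICIOUS_AT = 3  # assumption


def _has_word(text, phrase):
    """Whole-word match so 'won' does not fire on 'wonderful'."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def extract_urls(text):
    return [m.group(0) for m in URL_RE.finditer(text)]


def host_of(url):
    """The host part only: roughly what a phone's SMS preview shows the user."""
    if not re.match(r"^https?://", url, re.IGNORECASE):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    # Naive last-two-labels rule; a real implementation would use the public suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def brand_lookalike(host):
    """True when a known brand name sits in the host but the registrable domain is not that brand's."""
    reg = registrable_domain(host)
    return any(b in host and not reg.startswith(b + ".") for b in KNOWN_BRANDS)


def score_message(text):
    """Return a score, a verdict and the list of indicators that fired."""
    t = text.lower()
    findings, score = [], 0
    for category, phrases in LURES.items():
        if any(_has_word(t, p) for p in phrases):
            findings.append("lure:" + category)
            score += WEIGHTS["lure"]
    if any(_has_word(t, p) for p in URGENCY):
        findings.append("urgency")
        score += WEIGHTS["urgency"]
    for url in extract_urls(text):
        host = host_of(url)
        findings.append("url:" + host)
        score += WEIGHTS["url"]
        if brand_lookalike(host):
            findings.append("lookalike:" + host)
            score += WEIGHTS["lookalike"]
    verdict = "suspicious" if score >= SUSPICIOUS_AT else "low"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample messages (not real traffic; hosts are placeholders).
SAMPLES = [
    "USPS: your package could not be delivered. Confirm your address within 24 hours at usps-redelivery.example-track.net/confirm",
    "Congratulations! You've won a free gift. Complete our short survey today: http://rewards.example-prize.com/s",
    "Hi, it's Dana. Running 10 minutes late for dinner, see you soon!",
    "Your Amazon order has shipped. Track it at https://www.amazon.com/orders",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        result = score_message(msg)
        print(f"{result['verdict']:10} score={result['score']} {result['findings']}")
```

Run as-is, the first two samples come out as suspicious (delivery lure plus urgency plus a brand-lookalike host; reward lure plus urgency plus a link), the personal text scores zero, and the plain shipping notice on the retailer's own domain stays low. The lookalike check is the part worth studying: a host like usps-redelivery.example-track.net shows "usps" in the preview, but the registrable domain is example-track.net, which is exactly the detail a small screen hides.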

In this regard, companies in Corporate America need to pay very careful attention to the Smartphones that they issue.  These devices should be used only for work-related purposes, and employees should be reminded constantly that their work phone is not meant for personal use. 

If possible, employees should refrain from giving out their work mobile number.  The primary reason for this is that company-issued devices are just as prone to Smishing attacks, and if one malicious link is opened, any corporate information and data stored on the device could easily be stolen.

Unfortunately, the reality is that the technology to tell a real text message from a fake one is not there yet.  For instance, the only thing my carrier, Verizon, has done is take steps to identify whether a phone call is Spam or not. 

So if an unrecognized number comes through on my iOS device, it appears as “Spam Call”.  But given how much more concerned people are with the latest and greatest tools coming out, security still seems to be on the bottom rung of the ladder.

My Thoughts On This:

The bottom line is that no matter how much security training one may receive, and no matter how many security features a wireless device has, we are all more prone to falling victim to a Smishing attack than to a Phishing attack.  The reason for this is twofold:

*The issue of Smishing attacks has not really been fully acknowledged by either Corporate America or even the wireless carriers themselves;

*We live in a hurried and fast-paced world.  We feel the natural urge to respond as fast as possible, especially when we know we are receiving a surprise package during this time of the year.

So you know what the best line of defense is?  Take your time to go through all of your text messages.  Read all of them, and if any of them do not look familiar, just simply delete them, like I do.  It is best not to even call the number to see if it was a legitimate text message, as calling back can quickly make you a victim of Robocalls.

If it is important enough, the sender can always call you or even send you an email.  When it comes to receiving packages, always sign up for both text and email alerts through the courier.  It is free, and getting matching messages through two channels gives you some confirmation that a message is real.  During these times of giving, it is important to give, but make sure it is to the right person, not the Cyberattacker.
