OK, we made it through Black Friday. Hopefully retail sales numbers were up for all stores, whether brick and mortar or online only. But this just marks the start of the shopping season, which runs until Christmas Eve. So while a lot of people will be enjoying their shopping, the Cyberattacker will also be out probing for every weak spot they can get into.
Interestingly enough, the trend in Ransomware attacks seems to have dissipated a little (from what I can tell), but the uptick will now be in Phishing Emails and, even worse, in Smishing attacks. Smishing is the same thing as a Phishing Email, except that it arrives as a text message (SMS).
The cunning thing about this is that it is really difficult to tell whether the message is legitimate, because a text carries almost none of the context an email does: no sender name to check, no headers, just a number or short code, a sentence or two, and a link.
Also, if you have a lot of contacts in your address book, the tendency might simply be to respond without looking at it further. If that happens, the chances of handing over a login or a card number, or of getting malware onto your Android or iOS device, become much greater. Consider some of these stats:
*There was a 270% increase in these kinds of attacks in 2021 versus 2020;
*Smishing text messages have an open rate of almost 98%;
*81% of companies in Corporate America, while not directly targeted, have become victims of Smishing attacks.
All of this, and of course much more, comes from Proofpoint's end-of-year report, entitled "2021 State of the Phish Report". It can be downloaded at this link:
https://www.proofpoint.com/us/resources/threat-reports/state-of-phish
It is also important to keep in mind that the Cyberattacker of today is more sophisticated than ever when it comes to launching Smishing attacks. The biggest catalyst for this has been the Dark Web, where pretty much anybody can purchase PII datasets (names, phone numbers, home addresses) for literally pennies on the dollar and craft a campaign that looks totally real.
Heck, the Cyberattacker can even hire a firm on the Dark Web to do it all for them, which is known as an "as a Service" type of attack. Also remember that when this threat vector is deployed, it is pretty much your mobile device that is targeted.
In a way this is good, because the chances of other things being affected are a lot lower (unless they are somehow connected to your Smartphone). But on the flip side, if you tap that link and follow through, the damage is done: most Smishing links lead to a page that harvests a login or a card number, and some (on Android in particular) push you to install a fake "tracking app" that is really malware.
Keep in mind also that the Smishing attacks predicted for this holiday season are pretty much financially motivated. Although there is some interest in capturing your username and password, what the Cyberattacker really wants is to get your money and wire it off to some offshore account. Thus, here are some of the key things to look out for:
*Most of these attacks involve a fake delivery package notice. This is really a Social Engineering variant, as it preys on your surprise (and your expectation of a package at this time of year) to get you to respond. Heck, I have started to get these, and I simply delete them.
*Some Smishing messages route you to a fake website where you are prompted to pay by credit card if you want expedited delivery to your home address. Telling a real website from a fake one on a Smartphone can be very difficult, because the screen is so much smaller than a laptop's. At least for me, when I open a website on my iOS device, only the domain comes up in the address bar, not the full path. That makes it even more difficult to tell. It also works in the attacker's favor: the spoofed site usually puts the courier's name in a subdomain or a look-alike domain, so the piece that is displayed is exactly the piece designed to fool you. The only part that matters is the registered domain immediately before the path, and it has to be the courier's real one.
*Another variant is a text message saying you are eligible for a free gift or free products if you fill out a survey by clicking the link. This of course takes you to a spoofed website that asks for your username and password before showing you the survey, which does not exist.
In this regard, companies in Corporate America need to pay very careful attention to the Smartphones they issue. For example, these phones should be used only for work-related purposes, and employees should be reminded constantly that their work phone is not meant for personal use.
Employees should also refrain, as far as possible, from giving out their work mobile number. The primary reason is that these company-issued devices are just as prone to Smishing attacks, and if one is compromised, any corporate information and data stored on it, or reachable through the accounts it is signed into, could be easily heisted.
Unfortunately, the reality is that the technology to reliably discriminate a real text message from a fake one is not there yet. For instance, it is only now that my carrier, Verizon, has taken steps to identify whether a phone call is spam or not.
So if an unrecognized number comes through on my iOS device, it will appear as "Spam Call". But given how quickly people move on to the latest and greatest tools that are coming out, security still seems to be at the bottom of the rung.
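The checklist above and the point about the carriers not catching these yet come down to the same handful of checks, and they are simple enough to write down. The following is an added Python example (mine, not the author's or Proofpoint's) that scores a text message on those indicators: it pulls out every link, reduces the hostname to the registrable domain that a phone's address bar actually shows, flags a courier name sitting in a subdomain or look-alike domain, and looks for a payment demand, a free-gift or survey lure, and urgency wording. The courier domain allowlist, the keyword lists, the shortcut for multi-label suffixes such as .co.uk, and the five sample messages are all constructed for illustration, not taken from any real campaign.

```python
"""Heuristic smishing triage over SMS text.

Added example for this post, not the author's or Proofpoint's tooling. It
scores a message on the indicators the post lists: a link whose visible domain
impersonates a courier, a payment demanded through that link, a free-gift or
survey lure, and urgency pressure. The courier allowlist, keyword lists,
public-suffix shortcut and sample messages are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist of the couriers' real registrable domains.
COURIER_DOMAINS = {"usps.com", "ups.com", "fedex.com", "dhl.com"}
BRAND_TOKENS = {"usps", "ups", "fedex", "dhl"}
# Tiny stand-in for the Public Suffix List so "x.co.uk" keeps three labels.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Matches http(s) URLs and bare hostnames, with an optional path.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
PAYMENT_WORDS = ("fee", "pay", "payment", "expedited", "credit card")
LURE_WORDS = ("free gift", "survey", "reward", "claim", "sign in", "log in")
URGENCY_WORDS = ("within 24 hours", "immediately", "will be returned", "suspended")


def registrable_domain(host: str) -> str:
    """The part of the hostname a mobile address bar actually shows."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_hosts(text: str) -> list:
    """Pull every hostname out of the message body."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        if "://" not in raw:
            raw = "http://" + raw  # urlsplit needs a scheme to find the host
        host = urlsplit(raw).hostname
        if host:
            hosts.append(host)
    return hosts


def brand_impersonation(host: str):
    """Courier name in the hostname while the registrable domain is someone else's."""
    reg = registrable_domain(host)
    if reg in COURIER_DOMAINS:
        return None
    # Split on dots and hyphens so "usps-redelivery.com" and "usps.com.evil.top"
    # both expose the brand token.
    hit = sorted(set(re.split(r"[.-]", host.lower())) & BRAND_TOKENS)
    return f"{reg} impersonates {hit[0]}" if hit else None


def has_phrase(text: str, phrases) -> bool:
    """Whole-word match so 'pay' does not fire on 'package'."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def score_message(text: str) -> dict:
    """Return hosts, named indicators, a score and a coarse verdict for one SMS."""
    lowered = text.lower()
    hosts = extract_hosts(text)
    indicators = []
    for host in hosts:
        note = brand_impersonation(host)
        if note:
            indicators.append("lookalike link: " + note)
        elif registrable_domain(host) not in COURIER_DOMAINS:
            indicators.append("link to unrecognised domain: " + registrable_domain(host))
    if hosts and has_phrase(lowered, PAYMENT_WORDS):
        indicators.append("payment requested via link")
    if hosts and has_phrase(lowered, LURE_WORDS):
        indicators.append("gift/survey lure")
    if has_phrase(lowered, URGENCY_WORDS):
        indicators.append("urgency pressure")
    # A brand look-alike is the strongest single signal, so it carries extra weight.
    score = len(indicators) + (2 if any(i.startswith("lookalike") for i in indicators) else 0)
    verdict = "likely smishing" if score >= 3 else "review" if score else "no indicators"
    return {"hosts": hosts, "indicators": indicators, "score": score, "verdict": verdict}


# Constructed sample messages, not real captures.
SAMPLES = {
    "fake_redelivery": "USPS: your package could not be delivered. Pay the $1.99 redelivery "
                       "fee within 24 hours at http://usps.com.redelivery-fee.top/pay?id=48213",
    "fake_gift": "Congrats! You were picked for a free gift from FedEx. Sign in and "
                 "complete the survey: fedex-rewards-claim.com/s/9a2",
    "unknown_link": "Your parcel is waiting: http://parcel-hold-example.net/x",
    "real_notice": "UPS: Your package is out for delivery today. Track at "
                   "https://www.ups.com/track?tracknum=1Z999",
    "plain_text": "Running 10 minutes late, start without me.",
}


def triage(samples=SAMPLES) -> dict:
    """Verdict per sample name, e.g. triage()['real_notice'] == 'no indicators'."""
    return {name: score_message(body)["verdict"] for name, body in samples.items()}
```

Run against the samples, the two courier look-alikes score "likely smishing", the bare unknown link gets "review", and both the genuine ups.com notice and the ordinary text come back clean. The look-alike check is weighted highest on purpose, because it is the one signal a reader cannot recover from a phone's truncated address bar. In production you would replace the suffix shortcut with the real Public Suffix List and build the allowlist from the couriers you actually deal with.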
My Thoughts On This:
The bottom line is that no matter how much security training one may receive, and no matter how many security features a wireless device has, we are all more prone to falling victim to a Smishing attack than to a Phishing attack. The reason for this is twofold:
*The issue of Smishing attacks has not really been fully acknowledged by either Corporate America or the wireless carriers themselves;
*We live in a hurried, fast-paced world. We feel the natural urge to respond as fast as possible, especially when we know we are expecting a package, and especially at this time of the year.
So what is the best line of defense? Take your time going through your text messages. Read all of them, and if any do not look familiar, simply delete them, like I do. In this instance, it is best not to call the number back to see if the text was legitimate, as you can quickly become a victim of Robocalls. In the US you can also forward the text to 7726 (SPAM), the short code the major carriers use to collect spam reports, before you delete it.
If it is important enough, the sender can always call you or send you an email. When it comes to receiving packages, always sign up for both text and email alerts through the courier, and check any tracking number directly on the courier's own site or app rather than through a link you were sent. The alerts are free, and by getting two or more messages through channels you enrolled in yourself, you have some confirmation that the message is real. During this season of giving, it is important to give, but make sure it is to the right person, not the Cyberattacker.