What Is Smishing and How Can I Protect My Business Against It?
Author: Carolin Andree
According to the FBI's 2020 Internet Crime Report, phishing, smishing and vishing rank first among types of cybercrime. Together, they have caused around $54 million in damage in 2020 alone – clearly showing that these cybercrime methods are still very relevant today, despite increased awareness of them.
What is smishing?
Smishing is a portmanteau of "SMS" and "phishing". Attackers deliberately use SMS or messenger apps to deliver malicious messages and cause damage.
What makes smishing so dangerous is the lower level of public awareness of it. When it comes to phishing – where criminals attack via email – awareness among the population is significantly higher. Smishing is a different story. Text messages on smartphones are often handled more carelessly, which gives cybercriminals completely new opportunities to obtain sensitive data from victims.
Furthermore, it is now easier for criminals to obtain phone numbers than email addresses: telephone numbers have a fixed length and consist only of digits, whereas email addresses vary considerably in length and may contain letters, numbers and special characters. The space of possible telephone numbers is therefore far smaller, and attackers can simply send a multitude of text messages to every possible combination of digits.
How can I recognise smishing?
Smishing appears in many different forms, making it difficult for potential victims to recognise potentially dangerous text messages. The attackers' goal is always to obtain personal data or to compromise the smartphone. As with phishing, there are several common types of smishing messages that we often see. The following examples appear particularly frequently:
- SMS from a supposedly trustworthy source.
Such text messages are disguised in such a way that it looks as if the message comes from your bank, insurance company or similar sources. Hackers usually pose as employees and ask you to click a link because of a problem. They often demand a quick response to fix the apparent problem.
- SMS from a network operator.
Phishing SMS messages that appear to come from the network company are becoming increasingly popular. They advertise discount campaigns or offers for an upgrade. Once again, the user is supposed to click on a link that directs them to a replica website of the network operator. Here, the victim will be required to fill out their personal data, such as an address or credit card number.
- Phishing SMS from charitable organisations.
In this instance, hackers seek to appeal to the good in people: the text message apparently comes from a charity organisation asking for immediate assistance with an emergency or disaster. Here, too, a link is attached that leads to a website where credit card details and other personal data are requested.
- Text messages in messenger apps.
Phishing text messages in messenger apps such as WhatsApp or Telegram are becoming increasingly popular. Here, for example, chain letters are circulated that advertise discounts or vouchers for popular shops. These messages are particularly dangerous because they are forwarded to the victims by friends and acquaintances. Since these people are considered trustworthy by the recipients, the victims usually click on the link and provide their personal data without giving it much thought.
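The four patterns above share a handful of recognisable signals: a link, a domain that imitates a brand or hides behind a shortener, pressure to respond quickly, and a request for credentials or card details. As an added illustration (not code from the original article), the following Python script scores a text message against exactly those signals so that a helpdesk or reporting mailbox can triage forwarded messages. The keyword lists, the placeholder allow-listed domain and the sample messages are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Indicator lists and the allow-list are assumptions constructed for this
# example; a real deployment would maintain them from its own reports.
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "suspended",
                 "locked", "act now", "final notice")
DATA_REQUEST_TERMS = ("password", "pin", "card number", "credit card",
                      "confirm your details", "verify your account", "log in")
BRAND_TERMS = ("bank", "insurance", "telecom", "charity", "delivery")
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
ALLOWLISTED_DOMAINS = {"example-bank.example"}  # placeholder legitimate domain

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Verdict:
    score: int = 0
    signals: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.signals.append(reason)

    @property
    def label(self):
        if self.score >= 4:
            return "likely smishing"
        if self.score >= 2:
            return "suspicious"
        return "probably benign"


def extract_urls(text):
    """Return the links in a message, normalised so urlparse sees a scheme."""
    urls = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)\"'")  # drop sentence punctuation glued to the link
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url
        urls.append(url)
    return urls


def registrable_domain(host):
    """Crude 'last two labels' approximation; a public-suffix list is better."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mentions(text, terms):
    """Whole-word match so that 'pin' does not fire on 'shopping'."""
    return any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms)


def score_message(text):
    """Score one SMS against the indicators described in the article."""
    lowered = text.lower()
    verdict = Verdict()
    urls = extract_urls(text)
    if urls:
        verdict.add(1, "contains a link")
    for url in urls:
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        if IPV4_RE.match(host):
            verdict.add(2, f"link points to a raw IP address ({host})")
        elif domain in SHORTENER_DOMAINS:
            verdict.add(2, f"link uses a URL shortener ({domain})")
        elif domain not in ALLOWLISTED_DOMAINS:
            verdict.add(1, f"link domain not on the allow-list ({domain})")
            if any(brand in host for brand in BRAND_TERMS):
                verdict.add(2, f"brand name inside an unknown domain ({host})")
    if mentions(lowered, URGENCY_TERMS):
        verdict.add(1, "pressure to respond quickly")
    if mentions(lowered, DATA_REQUEST_TERMS):
        verdict.add(2, "asks for credentials or payment details")
    return verdict


# Constructed sample messages for the demonstration (not real smishing texts).
SAMPLES = [
    "Your bank account has been suspended. Verify your account immediately at "
    "http://bank-secure-login.example/verify",
    "Parcel on hold: pay the outstanding delivery fee at https://bit.ly/3xyzabc",
    "Example Bank: your one-time code is 123456. It expires in 10 minutes.",
    "Hi, are we still on for lunch at 1pm?",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        v = score_message(sms)
        print(f"[{v.label:16}] score={v.score} {sms[:50]!r}")
        for reason in v.signals:
            print("    -", reason)
```

Run as a script, the first sample collects every signal (link, brand in an unknown domain, urgency, credential request) and is labelled likely smishing, the shortened parcel link lands in the suspicious band, and the genuine one-time-code message and the lunch invitation score zero. The thresholds are deliberately conservative so that the script flags messages for a human to look at rather than deciding on its own; a practitioner would replace the two-label domain heuristic with a public-suffix list before relying on it.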
What to do if a smishing link has already been clicked?
Education is the best solution to help prevent successful smishing attacks. We will explain more about this shortly. But what if such a link has already been clicked on a company smartphone?
- Switch on flight mode.
This takes the mobile phone off the mobile network, so neither the phone nor any Trojan installed on it can communicate with other devices.
- Contact the mobile phone provider.
The incident should be explained in detail. The mobile phone provider can set up a third-party block to prevent payments from being made via the mobile phone bill.
- Check bank accounts.
If credit card or bank details were entered during the smishing attack, the account should be checked for possible charges. It is advisable to block the credit card for the time being.
- File a report.
File a criminal complaint at the local police station – the smartphone should be brought along as evidence.
- Reset the smartphone.
The last step is to reset the smartphone to factory settings to remove all malware. Photos and data can be backed up externally in advance.
How can I protect my business from smishing?
The best protection within any company or organisation is a good education on the subject. Any kind of phishing or smishing can only cause damage if employees fall into the trap of fraudsters. The goal should be to ensure awareness of possible risks. The following simple tips can go a long way to help better protect your company:
- Use access controls
Few people in a company need access to all of the company's data. Limiting access to specific areas can reduce the potential damage from smishing. Websites can also be restricted on company computers.
- Point out risks
You can provide regular information about the risks in the company and point out potential pitfalls to your employees. This way, you can also educate them on recognising such text messages and other attacks, such as phishing.
- Establish BYOD policies
If your employees are allowed to bring their own smartphones into the company, it is advisable to set up so-called BYOD guidelines (BYOD = "bring your own device"). These can regulate what employees are allowed to do with their personal smartphones during working hours.
- Training on cybercrime
Although cybercrime has been around for a long time and can affect almost everyone, few people are sufficiently educated on the subject. Appropriate training helps your employees to recognise possible dangers quickly. With a good level of knowledge among your employees, you have the best protection against smishing attacks.
Our Phishing Attack Simulator gives you and your employees the opportunity to simulate smishing attacks. These simulations recreate realistic attacks within a safe environment, help highlight the dangers, and lead to a heightened awareness of possible risks among your employees.