Phishing is dead, long live smishing

In fact, the title of this post is misleading, phishing is unfortunately far from being dead and buried. Cybercriminals continue to use all sorts of tricks to get their victims to click on malicious links or malware. A recent study by OpenText into phishing/scam emails and cyber resilience in Germany found that 79 percent of office employees open emails from unknown senders without thinking twice. The results also show that 28 percent of the respondents were victims of a phishing attack at least once in the last twelve months. Can it get any worse? Unfortunately, it doesn’t look good as “smishing” is heading our way.

Attackers are using mobile communication channels such as WhatsApp or SMS to contact their victims more frequently, thanks to the smartphone. This attack vector has become known as smishing – a combination of SMS and phishing. As many employees are currently working from home, they are also using mobile devices more than ever before. Many jobs these days do not need much more than a company smartphone and laptop. Even production processes are also increasingly being controlled by mobile devices which opens up completely new possibilities for hackers to access company data, aside from phishing. These changes mean that mobile devices now provide an optimal gateway into secure networks. Smishing covers all attempts at fraud via SMS, WhatsApp and other messenger services that criminals use to attempt to spread malware or tap sensitive data.

Even if it doesn’t really seem like it according to the study cited above, at least some users are still aware of the dangers of phishing emails. Many have learned not to click automatically and inspect messages carefully and think for a moment before doing something they might end up regretting. However, this probably only applies to e-mails on the PC or larger mobile devices. When phones buzz with a new notification, many people throw caution to the wind and forget these best practices. Smishing is a new phenomenon, which is why potential victims run the risk of clicking on a link that leads to a fake website that looks deceptively real. This is exactly what makes mobile devices a popular target for hackers. Although these cases are not yet recorded separately in the statistics, Google Trends 2020 shows a huge increase in searches for smishing.

In addition, phishing attacks have become more sophisticated in recent years, leading to the great success of these attacks. Fake SMS are almost exact copies of messages from well-known companies and can easily fool recipients into taking them seriously. For example, messages that claim to come from a shipping company that contain a fraudulent tracking link. Smishing is likely to become a very lucrative concept for cybercriminals.

Of course, smishing attacks are basically nothing more than phishing and everyone should really be familiar with how to avoid falling victim to these attacks by now. Mobile devices and communication channels such as WhatsApp are just as vulnerable to attack as using a computer. In addition to technical safeguards such as SMS blockers, IT security managers should include smishing in their security awareness training. But that alone is not enough. As always, it is crucial to extend security concepts to cover all devices and assets in the company and  to limit infection to the smallest possible area via measures such as Least Privilege and Zero Trust.