That Text Message You Received Is Smishing

You may have been the victim of an SMS-based phishing, or smishing, attack if you’ve ever received a text message that claimed there was a problem with one of your accounts and asked you to click on a link to resolve the issue. Smishing is one of the easiest ways for hackers to steal your data because you’re literally giving it to them.

Many people now spend most of their waking hours on their phones, which is one of the main reasons for the dramatic rise in these attacks over the last few years. As a result, law enforcement agencies and telecommunications companies are actively developing countermeasures against smishing.

Phishing is a type of cyber attack in which the attacker sends an email message designed to trick the victim into disclosing sensitive information or deploying malware on the victim’s computer. Attackers often use fraudulent, or spoofed, websites to make it appear as if the email came from someone the victim has reason to trust, typically a bank or online retailer. Phishing attacks have become increasingly sophisticated, often allowing the attacker to observe the victims’ actions on the spoofed website and further compromise their security. Phishing is by far the most common type of cyber attack as of 2020, with more than twice as many attacks as any other type of computer crime, according to the FBI’s Internet Crime Complaint Center (IC3).

Other cyber attacks are conceptually similar to phishing, although they may differ in their implementation. For example, smishing uses SMS rather than email to deliver a fraudulent message that invites the victim to perform some action such as clicking a link, sending an email reply or calling a phone number. The message also asks the victim to disclose personal information such as the security credentials for a website or online service that the victim currently uses. It can be particularly difficult to identify spoofed logon pages on a mobile phone since its small display size can prevent you from seeing the entire URL.
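The truncated-URL problem described above can be checked mechanically. The following is an added example, not part of the original post: it compares what a narrow display would show with the host a link actually points to. The trusted-domain list, the 20-character display width and all sample messages and domains are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the recipient really uses (placeholder name).
TRUSTED_DOMAINS = {"examplebank.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def real_host(url):
    """Hostname the phone will actually connect to, lower-cased."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def domain_matches(host):
    """True only if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def visible_part(url, width=20):
    """What a narrow address bar shows before it cuts the URL off."""
    shown = url.split("://", 1)[-1]
    return shown if len(shown) <= width else shown[:width] + "..."

def review_sms(text, width=20):
    """Return (visible_part, real_host, verdict) for every link in a message."""
    results = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")  # drop sentence punctuation after the link
        host = real_host(url)
        shown = visible_part(url, width)
        if domain_matches(host):
            verdict = "domain-match"  # still confirm with the sender directly
        elif any(d in shown for d in TRUSTED_DOMAINS):
            verdict = "deceptive"     # visible text names a trusted domain, host differs
        else:
            verdict = "unverified"
        results.append((shown, host, verdict))
    return results

# Constructed sample messages; all domains are placeholders.
SAMPLES = [
    "ExampleBank alert: unusual sign-in. Verify at "
    "https://examplebank.com.secure-login.example/verify?id=1.",
    "ExampleBank: your statement is ready at https://www.examplebank.com/alerts",
    "Your parcel is waiting: https://parcel-track.example/p/123",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        for shown, host, verdict in review_sms(sms):
            print(f"{verdict:12}  shows {shown!r}  ->  connects to {host}")
```

A "domain-match" verdict only says the link points at a known domain; it does not show that the message itself came from that organization.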

Current Trends

The term “smishing” was coined in 2006, but it remained a fairly obscure form of attack compared to phishing until 2020. Proofpoint reports that smishing attacks increased by 328 percent in mid-2020, largely as a result of the COVID-19 pandemic. Government agencies began sending SMS messages on a large scale to provide COVID-related information such as contact tracing, lockdowns and vaccination options. This response to the pandemic created an ideal environment for smishing, since many people now had a strong incentive to read SMS messages and follow their instructions. NextCaller reports that 44 percent of Americans experienced an increase in scam text messages during the first two weeks of the nationwide quarantine.

Financial Losses

The IC3 reports that over 240,000 people were victims of phishing and related attacks in 2020. The reported losses from these attacks were over $54 million, as compared to only $7 million in losses from malware such as viruses. The European Payments Council reports that the total losses from phishing-type attacks in the European Union (EU) were $26 billion between June 2016 and July 2019.

Protection

Government agencies and private businesses are currently scrambling to keep up with the millions of smishing messages that hackers send on a daily basis. However, mobile users have many options for protecting themselves from these attacks.

The effectiveness of smishing attacks is largely due to the fact that mobile users are accustomed to receiving legitimate text messages, many of which inform the recipient of suspicious account activity. It’s therefore critical to verify the sender of these messages before taking any action through SMS. For example, if you receive a message purporting to be from your bank, you should always contact your bank directly to ensure they sent you the message before following any of its instructions.


Today’s guest post is by a friend and professional peer of mine, Tony Chiappetta, owner of CHIPS.

CHIPS is a Technology Success Provider located in Shoreview, MN near the intersection of Highway 96 and Lexington.  Since 2001, CHIPS has been working with businesses to help them get the most from their technology investment.

Tony has been around technology all his life and holds numerous industry certifications.  With the completion of both a Law Enforcement and a Business Management Degree, Tony brings a business perspective to the technology landscape.  This has allowed CHIPS to lead the industry by bringing enterprise solutions down to the Small Business sector.

CHIPS has received many industry awards and accreditations; however, Tony is most proud that his team has been asked to help secure the Critical Infrastructure of the Twin Cities by bringing to market a proven technology that was previously only available to Federal Government Agencies.  You can follow Tony on the CHIPS blog.

Text Messaging flickr photo by wuestenigel shared under a Creative Commons (BY) license


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
