You've Heard About Phishing -- But How About Smishing?
Email snoozing, nudging, and confidential mode, along with a substantial visual redesign, have arrived in the world’s most popular email service, Gmail, in a massive overhaul. What’s behind the changes? An effort to make working with email safer and more productive -- both top priorities for businesses dealing with phishing schemes.
With cyber criminals constantly on the prowl to gather as much damaging information as possible, it’s encouraging that Google has completed a security redesign that focuses on today’s threat landscape. Improvements aside, while it may seem like the tech giant runs our world, Google hasn’t monopolized the corporate email market yet. And even if it had, we still wouldn’t be safe from nefarious actors.
Our greatest weakness is that we are all human and make mistakes. When the subject is email, the conversation always revolves around phishing, which exploits employees’ willingness to click on tainted links. A recent report on Russian hackers gaining access to the networks of US utilities notes that “some companies may not even know they've been compromised as the attacks relied on the credentials of actual employees, making intrusions harder to identify.” Phishing may well have been the way in.
Google understands the “humanness” flaw and has chosen to pad our shortcomings with machine-learning models that run safety checks on every new message received. Now, instead of basic banners, users see large color-coded alerts when Gmail detects a potentially malicious or fraudulent message.
Machine Learning Isn’t Going to Save You from Smishing
When you read about security vulnerabilities, it’s practically never good news, and this blog is no exception. While enterprises are struggling to manage phishing schemes, email is not the only way into the corporate network. Bad actors are adding a layer of deception by targeting the short message service (SMS, better known as text messaging) to harvest passwords and credentials. Dubbed “SMiShing”, short for SMS phishing, the tactic has reportedly grown 85 percent year-over-year since 2011, putting mobile workforces in the line of fire.
What Makes Smishing So Dangerous?
Secure email gateways, firewalls and endpoint security solutions are among the layers of defense that sit in the path of a traditional email-based phishing attack. A text message never passes through the corporate mail gateway, and a mobile device connected outside the security perimeter gets none of those controls, so they add nothing to the organization’s security posture against a smishing message.
Not only are there fewer protections, but users are also more vulnerable because:
Shortened URLs are far more common in text messages, making a phony URL difficult to spot
They are often distracted, working on the go
On a mobile device they cannot hover over a URL to verify the destination before tapping it
There are many modes of entry, including malicious URLs in a browser window, applications connected to malicious ad networks, and dangerous links within SMS messages
After the human, credentials are typically the next weakest link and contribute to the dangers of phishing. To protect them, two-factor authentication (2FA) is often employed to verify a user’s identity before allowing access, and most large providers, including Google and Apple, already offer it. But when SMS is the second step, the text message itself becomes another attack surface, and it should be replaced with other forms of multi-factor authentication (MFA) to ensure that only the real user gets in. A criminal with physical access to the phone, or with the number forwarded or ported to a device they control, can read the SMS security code and masquerade as the employee. And, as the next scenario shows, the code can be stolen without touching the phone at all.
Real-world smishing comes in all forms. One popular tactic begins with a nefarious actor sending text messages designed to look like genuine SMS notifications from the victim’s email provider. One of the messages claims the account must be verified and includes a link to a fake login page where the user is prompted to enter their username and password. The attacker immediately submits those credentials to the real login page, which responds by texting a verification code to the victim’s phone. The fake page then prompts for that code, the victim types it in, and the attacker forwards it to the legitimate site, completing the login as the victim. Because the relay happens in real time, the code is used before it expires, and SMS 2FA offers no protection.
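To make the point concrete, here is an added example (not code from the original post) that models the real-time relay above against two different second factors. It is a constructed toy: the hosts, the user, the password and the device key are made up, a single `Service` class plays the real login server, and an HMAC stands in for the public-key signature a real FIDO2/WebAuthn authenticator would produce. The SMS code relays straight through, because a code is just text the victim can be asked to retype. The origin-bound assertion does not, because the authenticator signs the origin the browser actually talked to (the phishing page), and the real service only accepts a signature over its own origin.

```python
"""Why an SMS code relays through a phishing page and an origin-bound
assertion does not. Constructed toy model; hosts, users and keys are made up.
HMAC stands in for the public-key signature a real FIDO2 authenticator produces."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://mail.example.com"          # legitimate service (constructed)
PHISH_ORIGIN = "https://mail-example-verify.com"  # attacker's look-alike page (constructed)


def sign(device_key, challenge, origin):
    """Authenticator signs the challenge together with the origin the browser
    reports; it cannot be talked into signing for a different origin."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


class Service:
    """The real login server, supporting password + SMS code or
    password + origin-bound challenge."""

    def __init__(self, origin):
        self.origin = origin
        self.users = {}         # username -> {"pw_hash": ..., "device_key": ...}
        self.pending = {}       # username -> outstanding code or challenge
        self.sessions = set()

    def register(self, username, password, device_key):
        self.users[username] = {"pw_hash": hashlib.sha256(password.encode()).hexdigest(),
                                "device_key": device_key}

    def check_password(self, username, password):
        u = self.users.get(username)
        digest = hashlib.sha256(password.encode()).hexdigest()
        return u is not None and hmac.compare_digest(u["pw_hash"], digest)

    def _issue_session(self):
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return token

    # Factor A: six-digit code "texted" to the user. Returned here only so the
    # simulation can hand it to the victim's phone.
    def start_sms(self, username):
        self.pending[username] = f"{secrets.randbelow(10**6):06d}"
        return self.pending[username]

    def finish_sms(self, username, code):
        expected = self.pending.pop(username, "")
        return self._issue_session() if hmac.compare_digest(expected, code) else None

    # Factor B: random challenge; the server accepts only a signature over
    # the challenge AND its own origin.
    def start_challenge(self, username):
        self.pending[username] = secrets.token_bytes(16)
        return self.pending[username]

    def finish_challenge(self, username, assertion):
        challenge = self.pending.pop(username, None)
        if challenge is None:
            return None
        expected = sign(self.users[username]["device_key"], challenge, self.origin)
        return self._issue_session() if hmac.compare_digest(expected, assertion) else None


def relay_sms(svc, user, password_typed_into_fake_page):
    """Attacker forwards the phished password, triggers the real SMS, then
    forwards the code the victim types into the fake page. A code is just text."""
    if not svc.check_password(user, password_typed_into_fake_page):
        return None
    code_on_victims_phone = svc.start_sms(user)
    return svc.finish_sms(user, code_on_victims_phone)   # attacker relays it verbatim


def relay_origin_bound(svc, user, password_typed_into_fake_page, victim_device_key):
    """Same relay, but the victim's browser is on PHISH_ORIGIN, so that is what
    the authenticator signs. The real service expects REAL_ORIGIN."""
    if not svc.check_password(user, password_typed_into_fake_page):
        return None
    challenge = svc.start_challenge(user)                 # attacker fetches the challenge
    assertion = sign(victim_device_key, challenge, PHISH_ORIGIN)
    return svc.finish_challenge(user, assertion)          # relayed, but origin mismatches


def legitimate_origin_bound(svc, user, password, device_key):
    """Control case: the user on the real site signs the real origin."""
    if not svc.check_password(user, password):
        return None
    challenge = svc.start_challenge(user)
    return svc.finish_challenge(user, sign(device_key, challenge, REAL_ORIGIN))


def demo():
    svc = Service(REAL_ORIGIN)
    key = secrets.token_bytes(32)
    svc.register("alice", "correct horse battery", key)   # constructed credentials
    return {
        "sms_code_relayed": relay_sms(svc, "alice", "correct horse battery") is not None,
        "origin_bound_relayed": relay_origin_bound(svc, "alice", "correct horse battery", key) is not None,
        "origin_bound_legit": legitimate_origin_bound(svc, "alice", "correct horse battery", key) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry: the SMS relay yields a valid session, the relayed origin-bound assertion is rejected, and the legitimate origin-bound login still succeeds. Nothing in the SMS flow lets the server tell a relayed code from one typed directly by the user; the origin-bound flow fixes that by making the thing being verified depend on where the victim actually is.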
Don’t Let Your Workforce’s Digital Identities Be Compromised
It’s likely that SMS 2FA will fizzle out over the next couple of years given how easily the code can be intercepted or relayed; NIST’s Digital Identity Guidelines (SP 800-63B) already classify out-of-band authentication over the public telephone network as restricted. That won’t slow down attacks, though. Cyber criminals are continually advancing their tactics to keep phishing and smishing perilous threats to the enterprise network and its sensitive data.
For now, apply the following basic rules:
Do not submit any personal details when requested to do so via text message
Delete any suspicious messages without opening the links
Do not give out any personal information to anyone claiming to be texting or calling from an unknown number
Contact your IT department if you think you may have received a smishing message, and share the attempt to raise awareness
To prepare for the fight, organizations cannot focus on just the humanness factor or the weak credentials that ease entry for the perpetrators of phishing schemes -- there must be a more comprehensive approach.
At Edgeworx, we work with our customers to safeguard their businesses against the onslaught of fraudulent messages. Our defense-in-depth strategy educates end users, tests them through automated attack simulations and company-tailored phishing campaigns, offers additional security awareness training where needed, and delivers actionable reporting metrics. If you are ready to foster a culture of positive security awareness and protect your sensitive data, contact an Edgeworx security specialist today at +1.647.793.4731.