Smishing is a form of phishing attack that targets mobile devices. Instead of sending phishing content over email, smishers use SMS or MMS text messages to deliver their messages. As the use of mobile devices for business becomes more common due to remote work and bring your own device (BYOD) policies, smishing has become a growing threat to enterprise cybersecurity.
The popular conception of phishing focuses on email because email was one of the original and most common media for delivering phishing content. However, it is not the only way that phishers can achieve their goals.
Mobile device usage has grown rapidly, and these devices come with an “always on” mentality that is invaluable to phishers. While mobile devices have access to multiple communications channels (email, social media, etc.), text messages have several benefits to phishers.
A text message can carry malicious links or attachments (in the case of MMS) just like an email, enabling attackers to use the same techniques as phishing emails. However, text messages have some advantages over email, such as their limited length and increased usage by brands.
For example, in an SMS message, the use of link shortening services is routine, and these services make it difficult to see the target of a link in advance. Additionally, mobile phones don’t allow users to hover over a link to view its destination. Both of these factors make phishing over SMS easier and more effective for attackers.
Like traditional email-based phishing attacks, smishing attacks use different pretexts to trick recipients into clicking on a link embedded in the message. Some common pretexts include:
These are some of the most common pretexts that smishers use in their attacks. As mobile device usage grows due to the rise of remote work and BYOD policies, these attacks are becoming more common and sophisticated.
Since smishing attacks are just phishing attacks performed over a different medium, many of the same best practices apply, including:
Never Share MFA Codes: Text messages are commonly used to transmit MFA codes for online accounts, and scammers may pretend that they sent an MFA code to verify a user’s identity. Never provide an MFA code to anyone.
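The two signals described above, shortened links that hide their destination and messages that ask the recipient to hand over a code, can be checked mechanically when triaging reported texts. The following is an added example, not part of the original article: the shortener list, the phrase patterns and the sample messages are all constructed assumptions and would need tuning against real reports.

```python
import re
from urllib.parse import urlsplit

# Assumed, non-exhaustive set of link-shortening hosts; extend from your own reports.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

# Matches URLs with or without a scheme, since SMS links are often written bare.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)

# A request to hand over a code. The lookbehinds skip legitimate warnings such as
# "Do not share this code", which would otherwise be flagged.
CODE_REQUEST_RE = re.compile(
    r"(?<!not )(?<!never )(?<!n't )\b(?:reply|send|share|provide|confirm|give)\b"
    r".{0,40}\b(?:code|otp|passcode)\b", re.I)

def extract_hosts(body):
    """Return the lower-cased hostnames of every link found in an SMS body."""
    hosts = []
    for match in URL_RE.finditer(body):
        raw = match.group(0).rstrip(".,;:!?)")
        if "://" not in raw:
            raw = "http://" + raw  # urlsplit needs a scheme to locate the host
        host = urlsplit(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def triage_sms(body):
    """Return a list of findings for one message; an empty list means no signal."""
    findings = []
    for host in extract_hosts(body):
        if any(host == s or host.endswith("." + s) for s in SHORTENER_HOSTS):
            findings.append(f"shortened-link:{host}")
    if CODE_REQUEST_RE.search(body):
        findings.append("asks-for-code")
    return findings

# Constructed sample messages (not real traffic).
SAMPLES = [
    "Your package is held. Pay the fee at https://bit.ly/EXAMPLE",
    "Bank alert: we sent a code to verify your identity. "
    "Reply with the code to unlock your account.",
    "Your verification code is 482913. Do not share this code with anyone.",
    "Your order shipped. Track it at https://shop.example.com/orders/1001",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms) or ["no-signal"], "<-", sms)
```

A shortened-link finding only says the destination is hidden; the link still has to be expanded in an isolated environment before it can be judged.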
With the rise of remote and hybrid work models and BYOD device policies, mobile devices are becoming a core part of the business, and mobile security is more important than ever. This makes smishing attacks a serious threat to companies as well as individuals.
Check Point and Avanan have developed an anti-phishing solution that provides protection across all attack vectors, including for smishing attacks. To learn more about protecting your company’s mobile devices against phishing with Harmony, you’re welcome to request a free demo.