Is Smishing the New Backdoor?

Scammers are adding smishing attacks to their arsenal and for good reason, the open rate for text messages is an alarming 98%. So, what exactly is smishing?

Dark Reading Staff, Dark Reading

March 9, 2020

4 Min Read
Dark Reading logo in a gray background | Dark Reading

What Is Smishing?
Smishing is a combination of the words SMS and phishing and is a type of social engineering attack orchestrated to obtain personal information such as credit card details, banking info, Social Security details, or passwords.

Smishing differs from traditional phishing attacks in that it targets text messages instead of emails. Smishing attacks happen more often than you may think. In 2019, 84% of infosec professionals reported that their organization experienced a smishing attack.

More recently, Amazon customers reported texts that they genuinely believed were sent out from FedEx, asking them to set up delivery preferences for receiving packages, complete with a bogus tracking code. When the unsuspecting victims clicked on the link, they were asked to enter their Amazon credentials, which were then harvested by the scammers.

Hackers are always on the lookout for new techniques, particularly on mobile devices that are notoriously unsecured. SMS messages make perfect targets since they appear more personal and are trickier to detect.  

How Smishing Works  
Scammers pose as banks or online retailers sending you a "legit-looking" text message that creates a sense of urgency, asking you to update your account or information because it might be "compromised."

Once you click on the embedded text link, you will then be redirected to a page that is nearly identical to your bank's website or other trusted sites that appear familiar to you.

Hackers use this technique to obtain sensitive information such as credentials, credit card info or Social Security details, or to deploy the latest malware on your smartphone.  

SMS Phishing Attacks — The New Foothold into Corporate Wi-Fi Networks
Organizations are at high risk from smishing attacks due to employees that have BYOD or Bring Your Own Device, policies. Since BYOD devices aren't strictly controlled by an organization, company information can become vulnerable to malicious attacks.

What's even more troubling is that they might not even be aware of it until it's too late.  

Here's how it works.  

Smishing provides hackers a way to bypass the security controls of a secured infrastructure by targeting a connected mobile device of an employee or guest. A weaponized SMS can compromise the mobile device providing the initial foothold into the corporate Wi-Fi and giving the hacker total control of the device.

The next step of the attack would be to move laterally to a corporate endpoint, completely bypassing perimeter security controls.

Once inside the network, hackers can steal sensitive company information and trade secrets, capture user ID and passwords, or infect the network with ransomware and a plethora of worms. The end results can be crippling to an organization, especially when the breach goes public.  

How to Protect Yourself from Smishing Attacks
Endpoint security controls are considered the last bastion or layer of defense, so you need to be sure that they are working at full effectiveness against infection and lateral movement. Testing endpoint security controls must be continuous vis-à-vis new attack tactics and techniques.

And given the fact that the open rate for a text message is an alarming 98%, it should come as no surprise that this simple point of entry will become the next backdoor into a corporate network.

We have already seen how hackers stole a casino's database from a connected thermometer in a fish tank, so why not through a BYOD phone? That said, here are a few additional ways to minimize the risks of a smishing attack:

Security Controls

  • Place security controls between guest and BYOD Wi-Fi networks and the corporate Wi-Fi and LAN.

  • Make sure your endpoint security settings are continuously up to date.

  • Set up an effective and continuous endpoint security assessment program to ensure that the settings are operating at maximum efficacy.

  • Deploy mobile security management solutions where possible.

Employee Education

  • Never click on links from anyone you don't know or trust.

  • Never install software promoted via text message.

  • Think twice before sharing credentials and other sensitive information.

  • Don't open messages that appear spammy and be wary of words such as "Congratulations" or "Urgent" and "Free." If it sounds too good to be true, it's most likely a smishing attack. 

Endpoint Security Assessment
Read more about how Cymulate's comprehensive endpoint security assessment checks that your systems and apps are properly tuned to defend against signature and behavior-based attacks.

Cymulate also provides you with a risk score and detailed report showing exactly where and how your company is exposed with directions for closing security gaps using your existing security controls.

About the Author: Avihai Ben-Yossef, Co-Founder & CTO, Cymulate
Avihai Ben-Yossef is the co-founder and CTO of Cymulate. At age 26, Avihai and co-founder Eyal Wachsman established Cymulate in 2016 to transform security testing for companies. Ben-Yossef has been recognized by Forbes Israel 30 under 30.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights