(This article originally appeared in The Guardian)
You’ve heard of ransomware? Now you’ve got to worry about “smishing”.
Smishing is a relatively new form of cyberattack that’s threatening millions of consumers and small businesses around the world. Smishing is a form of “phishing” that uses SMS or text messages instead of email messages to entice recipients to click on phoney links that draw them to sites where either personal information is exchanged or malware is unknowingly downloaded.
Many of my smaller clients and their employees have already seen these messages on their mobile phones. They usually come in the form of a text that appears to come from a bank, a utility company, a government agency (such as the IRS), a delivery service or some other seemingly credible source. Fake messages related to Covid testing and contact tracing have also contributed to the rise in this activity.
These messages sometimes ask the recipient to confirm payment information or other financial details. Or recipients are asked to click on a link or respond to a question. This kind of activity also alerts the hacker that the phone number is credible and active, which then opens the recipient up to receiving malware or having their personal information compromised.
How big a problem is this? In 2020, according to the FBI, this new form of attack cost Americans more than $50m, and those costs are expected to rise significantly. Cybersecurity company Proofpoint says that mobile phishing attacks in North America increased more than 300% in the third quarter of 2020 when compared with the second quarter. UK consumers have seen a seven-fold increase in smishing attacks just this year alone.
Already, the rising threat is catching the attention of corporate IT executives, mainly because of the ease with which these scams can be carried out through employees’ smartphones. “It’s far easier to block email phishing on corporate-owned PCs, but today’s remote workers are now using their personal devices to access corporate apps and data,” writes Phil Richards, the chief security officer at security software firm Ivanti. “And frankly, there’s just no easy way to verify the authenticity of URLs on smartphones, so users often just click and hope for the best.”
The best way to counter these attacks is to simply be more aware. While corporations such as banks and delivery services may send text messages from time to time, they’ll almost never require customers to respond with personal information.
“No legitimate company, government agency or organization is going to ask for data even if they sent you a text message or email,” a representative from the Better Business Bureau told a Fort Myers, Florida, TV station. “So, they create this alert to act now, something’s wrong, oh my gosh there’s a problem with my account. People will click on it. They’re not thinking and then they’ll provide the information when it’s asked of them.” The FBI has warned people not to click links in text messages and, if you think you or your business was the target of a smishing scam, to file a report at ic3.gov.
If you’re running a small business, here’s my advice: step up the training of your employees. Use an outside IT firm or online products that test for security awareness like KnowBe4 and PhishLabs. Make sure your people can recognize suspicious messages. And frequently review your bank accounts to make sure there’s no unexpected activity. In the end, business owners will need to rely on the common sense of their employees to notice these kinds of scams and avoid them.
“That’s the best thing,” Amanda Williams, vice-president of payment and remote services at GECU, a credit union based in Texas, said in another report. “If it doesn’t seem right, more than likely it’s fraud.”