While it might have a funny name, ‘smishing’ is no laughing matter. Shorthand for SMS phishing, smishing is a fraud scheme in which criminals send text messages that urge the recipient to click a link, download a file, or hand over information. Writes the U.S. Secret Service, “fraudsters typically send victims an email or text message that appears to originate from a trusted, legitimate party. The correspondence is designed to redirect to phishing websites, trick into divulging sensitive information, or infect the device with malware.”
It’s tempting to think about smishing attacks only in the context of consumers and consumer behavior. But, smishing attacks also affect businesses. In the Proofpoint 2023 State of the Phish report, 76% of respondents stated their organization had experienced a smishing attack in 2022.
Fortunately, there are some common-sense practices that businesses can follow - and, most importantly, encourage their employees to follow - to protect themselves from smishing attacks. We expand on these below.
How might a password manager help guard against smishing attacks? In a nutshell: password managers let users create strong, unique passwords and avoid reusing them across sites. A password manager does not stop a credential from being captured by a convincing text, but it limits how far one captured credential reaches. If a cyber criminal obtains an employee’s password through a successful smishing attack, the damage is contained to the one account or application that password unlocks, rather than every service where the same password was reused.
Here are a few other reasons why enterprise-wide password managers are a must for any business serious about data security and concerned about mitigating the fallout from smishing attacks:
“Cost of a Data Breach 2022”, a study done by IBM and the Ponemon Institute, estimates the average global total cost of data breaches in 2022 was $4.35 million, with the average US cost standing at $9.44 million - and stolen or compromised credentials are often to blame.
In a recent survey of IT decision-makers across various industries, Bitwarden found that 90% of respondents reuse passwords across multiple sites.
While single sign-on (SSO) is popular, it has limitations. Not all SaaS applications support SSO, which means organizations still have to manage access to those applications through individual credentials. A password manager also enables secure credential sharing across teams and functions.
Password managers help create a security-centric culture across the organization because they are easy to deploy and easy to use, factors that probably make most employees more receptive to them. In the same survey cited above, a large majority (79%) of IT decision makers said they wanted their employer to require employees to use the same password manager across the organization.
While it may seem obvious, it bears repeating: employees should steer clear of suspicious links. This is worth underscoring because identifying what counts as ‘suspicious’ can require a keen eye. For example, a text that includes a link purporting to be from a certain institution (say, a bank or healthcare provider) may be off by only one or two letters, so ‘wellsfargo.com’ may show up in a text as ‘welsfargo.com’. Other common variations put the real brand in front of an attacker’s own domain (‘wellsfargo.com.account-check.net’ belongs to account-check.net, not to the bank) or hide the destination behind a URL shortener. On a phone there is no mouse to hover over a link and reveal where it leads, so the only cue is the text itself, and someone in a hurry may read quickly and click. Employees should be on the lookout for misspelled domains, poor grammar, and texts from organizations that have no prior history of communicating through SMS.
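As an added example that is not part of the original article, the following Python script automates the check described above: it pulls hostnames out of an SMS body and compares them against an allowlist of domains the organization actually does business with. It flags the one-letter misspelling the article describes and goes a little beyond it, also catching a trusted brand used as a subdomain of an attacker’s domain and a brand embedded in a longer lookalike domain. The allowlist, the sample messages, the edit-distance thresholds and the two-label definition of a “registrable domain” are all assumptions made for this illustration, not data from the article or from Bitwarden.

```python
"""Flag links in SMS text that impersonate a known-good domain.

Added example, not code from the original article. The allowlist, the
sample messages and the thresholds below are constructed for illustration.
"""
import re

# Constructed allowlist: domains the organisation actually does business with.
TRUSTED_DOMAINS = {"wellsfargo.com", "chase.com", "irs.gov"}

# Matches bare hostnames or http(s) URLs. Deliberately simple; SMS bodies are short.
URL_RE = re.compile(r"(?i)\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]\S*)?")


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits (insert/delete/substitute) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'www.wellsfargo.com' -> 'wellsfargo.com'.

    Assumption: no multi-part public suffixes such as co.uk. A real deployment
    would consult the Public Suffix List instead of counting labels.
    """
    return ".".join(host.lower().split(".")[-2:])


def classify_host(host: str) -> tuple[str, str]:
    """Return (verdict, trusted domain it resembles, or its own registrable domain)."""
    host = host.lower()
    rd = registrable_domain(host)
    if rd in TRUSTED_DOMAINS:
        return "trusted", rd
    # Brand used as a subdomain of an attacker-controlled domain, e.g.
    # irs.gov.refund-claims.net: the domain that actually resolves is refund-claims.net.
    for t in sorted(TRUSTED_DOMAINS):
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "brand-in-subdomain", t
    sld = rd.split(".")[0]           # second-level label, e.g. 'welsfargo'
    for t in sorted(TRUSTED_DOMAINS):
        t_sld = t.split(".")[0]
        # Allow more edits for longer brand names so short ones don't match everything.
        allowed = 1 if len(t_sld) < 6 else 2
        if levenshtein(sld, t_sld) <= allowed:
            return "lookalike", t        # welsfargo.com, wellsfarg0.com, wellsfargo.net
        if len(t_sld) >= 4 and t_sld in sld:
            return "brand-in-domain", t  # chase-online-secure.com
    return "unknown", rd


def scan_sms(text: str) -> list[tuple[str, str, str]]:
    """Extract every hostname in a message and classify it: (host, verdict, match)."""
    return [(m.group(1).lower(), *classify_host(m.group(1))) for m in URL_RE.finditer(text)]


# Constructed sample messages, not real smishing texts.
SAMPLE_MESSAGES = [
    "Wells Fargo: unusual sign-in detected. Verify at https://welsfargo.com/secure now.",
    "Your IRS refund is pending. Claim it at irs.gov.refund-claims.net/claim",
    "Chase alert: confirm your card at http://chase-online-secure.com/verify",
    "Your statement is ready at https://www.wellsfargo.com/statements",
    "Running late, see you at 6",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for host, verdict, match in scan_sms(msg):
            print(f"{verdict:20} {host:30} ({match})")
```

Two limitations worth knowing before relying on something like this: shortened URLs are not expanded, so a bit.ly link is classified as bit.ly rather than its destination, and internationalized domains that swap in visually identical characters arrive as `xn--` punycode and fall through to “unknown” rather than “lookalike”. Both are reasons the human checks in the article still matter.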
It’s also worth knowing which organizations cyber criminals most often pose as. According to the Bitwarden 2023 Password Decisions Survey, the largest share of phishing attacks (41%) impersonate financial institutions, followed by bosses or executives (22%) and government entities (21%). A text rife with misspellings from a boss who is a stickler for grammar? A text from the IRS telling you you’re being investigated for tax fraud? Both are certainly worth a second (and third) look - and while we’re on the subject, a reminder that the IRS does not initiate contact with taxpayers by text message.
As the use of AI tools like ChatGPT continues to grow, users will need to pay even closer attention to catch these attacks. The grammar and spelling mistakes that have long been a tell in phishing messages are likely to become rarer as bad actors use these tools to polish their smishes and phishes.
Call the purported sender to verify the content of an unusual message. Employees who are suspicious about an SMS should be encouraged to pick up the phone and call the institution that is supposedly sending it - using a number from the institution’s official website, the back of a payment card, or a previous statement, never a number supplied in the text itself, since a smishing message can just as easily carry the attacker’s own callback number. While it involves an additional step and may take an extra minute or two, that minor headache is well worth the upside of dodging a smishing attack. Remind your employees that the impact of a data breach can be long-lasting and cause financial, legal, and reputational harm.