Beware! PayPal Smishing Campaign is Targeting Users Globally

threatcop
Jan 14, 2021


Bleeping Computer recently reported that a PayPal smishing campaign is trying to trick users into giving up their account credentials and other sensitive information. The campaign imitates PayPal, sending SMS texts which state that the user's account has been permanently limited and that services like sending, receiving or withdrawing money have been restricted. The message prompts users to verify their account by clicking on the given link if they want these services restored.

The users who click on the embedded link are redirected to a phishing page resembling PayPal’s login portal that asks them to enter their credentials for logging into their account. Those users who give up their credentials are taken to another phishing page that attempts to collect further personal information like their name, address, date of birth and bank account details. All this information is harvested by the threat actors and is used to launch targeted spear-phishing attacks, conduct identity theft or gain access to other accounts.

As per a report by Statista, mobile devices account for almost half of the entire web traffic worldwide. In Q3 2020, mobile devices (excluding tablets) generated 50.81% of global website traffic.

Being so widely used around the globe, text messages have become quite an attractive attack vector for cyber criminals.

Why has Smishing Become Popular Amongst Cyber Criminals?

Phishing in all its forms has always been one of the most prevalent cyber threats. Even though email is still the most popular phishing attack vector amongst cyber criminals, launching phishing attacks via SMS allows threat actors to exploit the intimate relationships people have with their phones.

According to Gartner, 98% of all text messages are read and 45% are responded to. Moreover, according to eMarketer, the average US adult spent an additional 23 minutes per day on their smartphone in 2020 compared to 2019. Messaging, in particular, rose by 4 minutes.

How to Defend Your Organization and Employees Against Smishing?

Smishing is becoming increasingly popular, making it extremely important to take the necessary precautions to protect your organization and employees against this threat. So here are some basic preventive measures you can take to shield your company from this cyber threat.

  1. Since it can take just one employee to compromise your entire organization, it is imperative to educate each and every member of your staff about the threat of smishing. Generate awareness amongst your employees and ask them to treat any text message containing links as suspicious. Try ThreatCop to provide your employees with comprehensive cyber security awareness training and educate them about various kinds of cyber threats. This tool not only assesses your organization’s real-time threat posture but also significantly helps in eliminating any human error.
  2. Instruct your employees to never click on any suspicious links embedded in a text message. If the message says that there is an issue with any of your accounts or services, just go to the main site’s domain to verify the information instead of clicking on the link.
  3. Warn your employees not to send sensitive information in response to any strange texts, even if the person texting them claims to be a legitimate business or someone they know. It is prudent to contact that business or person directly to prevent an impersonator from tricking you.
  4. Ask your employees to avoid downloading and installing any software sent to them via a text message.
  5. Tell your employees to immediately change their password in case they give up their credentials or other sensitive information. Also, prompt them to change their passwords everywhere if they use the same password across multiple platforms.
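
For teams that filter or triage reported texts, the check behind measure 2 can be automated. The following is an added example, not code from Bleeping Computer's report or from ThreatCop: it flags an SMS that names a brand while linking to a host outside that brand's domains. The sample messages, the .example hosts and the BRAND_DOMAINS list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the defender maintains the list of domains each brand really uses.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}
# Matches links with or without a scheme, as they appear in SMS bodies.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def host_of(url):
    """Return the lower-cased hostname of a link, adding a scheme if missing."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def on_brand_domain(host, domains):
    """True only for the brand domain itself or a genuine subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)

def assess_sms(text):
    """Return (verdict, off_brand_hosts) for one SMS body."""
    lowered = text.lower()
    hosts = [host_of(u) for u in URL_RE.findall(text)]
    off_brand = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in lowered:  # brand named in the text or inside a link
            off_brand += [h for h in hosts if not on_brand_domain(h, domains)]
    if off_brand:
        return "block", off_brand
    # Per the advice above, any text carrying a link still deserves a second look.
    return ("review" if hosts else "ok"), []

# Constructed sample messages (not taken from the real campaign).
SAMPLES = [
    "PayPal: Your account has been permanently limited. "
    "Verify at https://paypal-limited.example/verify",
    "PayPal: new login noticed. Review it at https://www.paypal.com/signin",
    "Account limited: http://paypal.com.secure-check.example/login",
    "Your parcel is at the depot, collect before 5pm",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(assess_sms(sms), "<-", sms)
```

The third sample shows why the comparison is made on the end of the hostname: a host that merely begins with paypal.com is still off-brand.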

Keep an eye out for these ever-evolving smishing campaigns to protect yourselves and your organization. Try to follow these cyber security measures to minimize the risk of being compromised.
