Smishing Attacks: Be Careful of What You Click On!

threatcop
Feb 3, 2021

We now do banking transactions or order things online so often that every one of us receives a text message from a bank or a shipping company almost every day, notifying us of our banking transactions or parcel delivery details.

We receive such messages so often that when a phishing text arrives, we may fail to recognize it or pay enough attention to notice anything wrong. The messages look so legitimate that you may even feel compelled to click on the embedded malicious links to find out more. And that is when the problem arises.

According to a report from Security Boulevard, 84% of organizations reported smishing attacks in 2019 alone.

The threat of phishing texts or smishing attacks may now seem far-off to many. But with the evolution of newer and more sophisticated techniques, smishing attacks have risen in the last decade and are used quite frequently by cyber criminals today.

Some Recent Reports on Smishing Attacks

The PayPal Smishing Campaign

According to a report, PayPal issued a warning that a smishing campaign is targeting its users globally. The report says that the campaign sends out phishing texts to its users, notifying them that their accounts have been permanently limited and services like sending, receiving, or withdrawing money have been restricted.

The texts prompted the users to click on the embedded link to resume the services by verifying their accounts. When the users clicked on the link, they were redirected to a phishing website where they were asked to submit their credentials. Those who did submit their credentials were redirected to another phishing page that asked them to submit their personal information.

This information included the users’ name, address, date of birth, and bank account details. The malicious actors harvested this information to launch targeted spear-phishing attacks, conduct identity theft, or gain unauthorized access to other accounts.

The Allied Irish Bank (AIB) Smishing Campaign

According to a report published by The Nenagh Guardian, Garda Síochána urged Allied Irish Bank (AIB) account holders to be careful of ongoing smishing campaigns after witnessing a significant increase in smishing attacks. As per the report, the number of phishing texts being sent out to the bank’s customers surged by 132% during the first 20 days of January 2021 as compared to the same time last year.

Just like the PayPal smishing campaign, the texts seem to come from AIB and prompt the users to click on the embedded malicious links. On clicking the link, users are encouraged to input codes from their card readers or share their OTP. Sometimes, the messages also claim that a fraudulent transaction has taken place from their bank account or tell account holders that they have been locked out of their account.


Measures to Mitigate the Threat

Many people think that smishing attacks have completely vanished. However, this could not be further from the truth. The attack vector has simply managed to stay under the radar for a very long time while targeting individuals and businesses whenever the opportunity arose. So, what measures can your organization implement to minimize the risk of smishing attacks?

Here are some simple but effective tips to help your organization keep the prevailing threat of smishing attacks at bay:

  • Avoid clicking on links: Never click on the link embedded in a message if you are not sure who the sender is. Also, avoid replying to unsolicited messages asking you for personal information.
  • Confirm the sender: If you receive a message from an individual or a company associated with you or your organization, confirm the sender by making a phone call before responding to the text.
  • Look out for scam messages: Be aware of messages that come from numbers that consist of only 5 digits. This can be a cyber criminal’s strategy to mask their identity and location so that they can’t be traced.
  • Sense of urgency: Messages from threat actors always urge you to respond quickly and hastily without thinking. This can be a clear sign of smishing. Always take your time to make sure that you are receiving the messages from a legitimate individual or business before you respond.
  • Educate the employees: Provide your employees with cyber security awareness training using tools like ThreatCop to make them aware of what various cyber threats look like and how to avoid them. ThreatCop simulates the most common cyber attacks, including smishing attacks, to train the employees on how to think and react when such attacks occur.

In addition, the tool provides a detailed report that identifies the most vulnerable insider threats by assigning an Employee Vulnerability Score (EVS) to each employee.
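The warning signs listed above (an embedded link, a five-digit sender, urgency, lockout claims, requests for an OTP or card reader code) can also be checked mechanically when triaging texts that employees report. The sketch below is an added example, not ThreatCop's code; the keyword lists, the table of official domains and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: official domains of the two brands named in the article.
BRAND_DOMAINS = {"paypal": ("paypal.com",), "aib": ("aib.ie",)}
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(r"\b(urgent(ly)?|immediately|right away|final notice)\b", re.I)
LOCKOUT_RE = re.compile(r"\b(limited|restricted|locked|suspended|fraudulent transaction)\b", re.I)
SECRET_RE = re.compile(r"\b(otp|card reader|password|pin|verify your account)\b", re.I)

def link_hosts(body):
    """Return the lower-cased hostname of every link in the message body."""
    hosts = []
    for raw in URL_RE.findall(body):
        url = raw if "://" in raw else "http://" + raw
        host = urlsplit(url.rstrip(".,;:!?)")).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def is_official(host, domains):
    """True only for the domain itself or a genuine subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)

def indicators(sender, body):
    """Name the warning signs from the list above that a message shows."""
    hosts = link_hosts(body)
    spoofed = any(re.search(rf"\b{brand}\b", body, re.I)
                  and any(not is_official(h, doms) for h in hosts)
                  for brand, doms in BRAND_DOMAINS.items())
    checks = [("embedded_link", bool(hosts)),
              ("five_digit_sender", re.fullmatch(r"\d{5}", sender.strip())),
              ("urgency", URGENCY_RE.search(body)),
              ("account_lockout_claim", LOCKOUT_RE.search(body)),
              ("asks_for_secret", SECRET_RE.search(body)),
              ("brand_link_mismatch", spoofed)]
    return [name for name, hit in checks if hit]

def flagged(messages, threshold=2):
    """Indexes of messages showing at least `threshold` warning signs."""
    return [i for i, (s, b) in enumerate(messages) if len(indicators(s, b)) >= threshold]

SAMPLES = [  # constructed messages, not real captures
    ("48213", "PayPal: your account has been permanently limited. Verify immediately: http://paypal.com.account-verify.example/login"),
    ("+353000000000", "AIB: a fraudulent transaction was detected. Enter your card reader code at https://aib-secure.example/otp"),
    ("AIB", "AIB: your statement is ready. Log in at https://www.aib.ie to view it."),
]
```

The brand check compares the link's hostname against the official domain as a suffix, so a lookalike host that merely begins with `paypal.com.` is still reported as a mismatch.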


Threatcop is a cybersecurity company that provides security solutions to businesses to protect them against email-based attacks and social engineering attacks.