
Smishing – what is it? And why should it be a top priority for CISOs?


Anyone who uses a smartphone has likely been the target of at least one smishing attack. Short for SMS phishing, smishing is an increasingly popular attack vector in which a text message lures the recipient into tapping a link that harvests credentials or installs malware on their mobile device.

Smishing is of particular concern because people are more trusting of, and more responsive to, text messages than email. Only 1 in 4 emails is opened by consumers, whereas 82 percent of text messages are read within five minutes.

Like phishing, smishing tries to trick users into giving up valuable information, such as bank login credentials, by convincing the recipient that the message has come from a trusted source. While this type of scam has been run over email for decades, cybersecurity professionals should be worried by the dramatic rise in smishing attacks over the past couple of years.

High alert 

Recently, a fraud alert was issued about fake texts, purportedly from the NHS, telling people they were eligible for their Covid-19 vaccination. The link in the message took users to a convincing but fake NHS website that asked for personal details. Unfortunately, scams of this type are exposed daily and are ever-increasing.

Even before the era of Covid-19, approximately 81 percent of organizations said their employees had experienced a smishing attack on their mobile devices. In 2020, after intermittent lockdowns were put in place around the world, smishing attacks proliferated. One study found that between March and July 2020 these attacks increased by 29 percent.

Why are people more vulnerable to smishing now?  

Although phishing attacks have been around forever, there are at least a few reasons why smishing is more worrisome for IT security today: 

It’s far easier to block email phishing on corporate-owned PCs, but today’s remote workers use their personal devices to access corporate apps and data. And on a smartphone there is no easy way to inspect a link before tapping it: there is no hover preview, the address bar truncates long hostnames, and the SMS app shows whatever text the sender chose, so users often just tap and hope for the best.

As of 2020, 2.8 billion users around the world now carry smartphones. The devices are literally everywhere, providing a vast, exploitable threat landscape for hackers. 

We now use mobile devices far more. According to a survey conducted in February 2021, nearly half of the respondents stated that on average they spent five to six hours on their phone on a daily basis, not including work-related smartphone use. Additionally, we rely on them more for work. Seventy-two percent of employees agree that their mobile device has been important to ensuring their productivity during lockdown.  

Personal devices typically lack the robust security used to protect corporate devices. 

Let’s face it, all too often we’re just not paying attention. How many of us check our phones while doing other activities, such as shopping, eating, watching movies, or walking the dog? 
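The point about URLs is worth making concrete. The checks below are an added example, not code from the article or from Ivanti: they pull links out of constructed sample texts modelled on the NHS vaccine lure and classify each hostname against an assumed allowlist of domains the organisation genuinely sends from. The sample messages, the allowlist and the brand tokens are all assumptions made for illustration; the real messages from the fraud alert are not reproduced here.

```python
import re
from urllib.parse import urlsplit

# Constructed sample SMS bodies, modelled on the NHS vaccine lure described above.
# They are illustrative and are not the actual messages from that fraud alert.
SAMPLE_MESSAGES = [
    "NHS: You are eligible for your Covid-19 vaccination. Book at https://www.nhs.uk/conditions/coronavirus-covid-19/",
    "NHS: You are now eligible for the Covid-19 vaccine. Apply here: http://nhs-vaccine-uk.com/apply?ref=4411",
    "Your NHS record needs updating: https://nhs.uk.update-record.info/login",
    "Confirm your NHS login: https://www.nhs.uk@192.0.2.10/login",
]

# Assumption: the organisation keeps an allowlist of domains it genuinely links to.
TRUSTED_DOMAINS = ("nhs.uk", "gov.uk")
# Brand tokens an attacker is likely to embed in a lookalike hostname.
BRAND_TOKENS = ("nhs", "gov")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_trusted_host(host: str) -> bool:
    """True only if host is exactly a trusted domain or a subdomain of one.

    Matching on a dot boundary rejects 'nhs.uk.update-record.info' and
    'fakenhs.uk', both of which a plain substring check would accept.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_brand(host: str) -> bool:
    """True if a brand token appears inside any label of the hostname,
    e.g. 'nhs-vaccine-uk.com' or 'nhs.uk.update-record.info'."""
    labels = host.lower().split(".")
    return any(tok in label for label in labels for tok in BRAND_TOKENS)


def classify_url(url: str) -> dict:
    """Return the host the phone would really connect to, plus a verdict."""
    parts = urlsplit(url)
    # urlsplit discards userinfo, so the hostname of
    # 'https://www.nhs.uk@192.0.2.10/login' is 192.0.2.10, not www.nhs.uk.
    host = parts.hostname or ""
    if is_trusted_host(host):
        verdict = "trusted"
    elif looks_like_brand(host) or "@" in parts.netloc:
        verdict = "lookalike"
    else:
        verdict = "untrusted"
    return {"url": url, "host": host, "scheme": parts.scheme.lower(), "verdict": verdict}


def scan_message(text: str) -> list:
    """Classify every URL found in one SMS body."""
    return [classify_url(u) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for finding in scan_message(msg):
            print(f"{finding['verdict']:9} {finding['host']:28} {finding['url']}")
```

Two details carry most of the value: the allowlist match is anchored on a dot boundary rather than on "contains nhs.uk", and the hostname is taken from the parsed URL rather than from the text the user sees, which is how the `user@host` trick in the last sample is caught. A real deployment would sit in a mobile threat-defense agent or an SMS gateway rather than in a script, but the logic is the same.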

And guess what? Hackers know all of this, too. With just a little research and persistence, they can easily swindle an employee into revealing their corporate credentials. Once inside the company, hackers can quickly unleash a security nightmare for any IT organization. Remember the Twitter hack from last July? 

The attackers targeted a small number of employees through a phone-based social-engineering attack, which Twitter itself described as phone spear phishing. Using the credentials of one employee who fell for the ruse, they accessed Twitter’s internal systems, learned enough about its processes to target additional employees, and ultimately gained access to 130 accounts.

Since the new era of mass teleworking has demolished what was left of the traditional network perimeter, CISOs need new strategies for protecting corporate apps and data wherever they are, on any network, device, or cloud. The good news is, most CISOs seem to understand that protecting their organizations from mobile threats should be their biggest priority going forward. 

The CISO’s mobile security to-do list  

In December 2020, Ivanti commissioned an independent research study to gain a better understanding of CISO priorities. It revealed that 87 percent of CISOs across EMEA said securing mobile devices is now the focal point of their cybersecurity strategies. Nearly 80 percent of these CISOs believe passwords are no longer an effective or secure means of user authentication, and almost two-thirds (64 percent) expect investing in mobile threat-detection software to be a major priority in 2021.

Compromised passwords are still the leading cause of data breaches. According to Verizon’s 2020 Data Breach Investigations Report, compromised passwords are responsible for 81 percent of hacking-related data breaches. Additionally, missing patches are still leaving holes in businesses’ security: recent research found missing operating system or application patches to be the cause of nearly 60 percent of breaches in the past two years.

Simple but frequent chores like patching and password resets only add to the workload of IT departments. To create a zero-trust environment, in which a user has verified access only to the corporate resources they need, and to reduce the burden IT teams face daily, both nuisances need to be confronted.

The user experience is essential to mobile security  

Of course, no mobile-security approach can succeed if it doesn’t improve the user experience. That is even more important today with so many employees working remotely, perhaps on a permanent basis. 

Replacing passwords with multifactor authentication (MFA), ideally a passwordless form such as device biometrics backed by a cryptographic key held on the device, is one of the easiest things CISOs can do now to help remote workforces stay productive while minimizing security threats. Username and password credentials are incredibly easy to steal by relatively simple means, and stronger factors reduce their “phishability”. One caveat: a one-time code delivered by SMS is itself a text message and can be phished through the same channel, so the factors that actually close the smishing gap are phishing-resistant ones bound to the device or to the legitimate site’s origin, such as FIDO2/WebAuthn authenticators. Done this way, MFA also improves the user experience by removing the need to type complex, easily forgotten passwords on small screens.

Although simplified user authentication is a necessary step, automation is an essential part of any mobile security strategy. CISOs know they can’t rely on fallible, distracted humans alone to thwart cybercriminal activity.

A comprehensive and “always-on” mobile-security approach (available from most cybersecurity vendors) that can detect and prevent mobile threats without impacting employee access should be at the top of every CISO’s to-do list in the year ahead.

Nigel Seddon, Vice President of EMEA West, Ivanti