SMS Phishing, is it on the rise?
Last Friday I tweeted about a family member receiving an SMS phish. SMS phishing (also known as smishing) is very similar to email phishing, and the first known case was in 2008. Instead of the phishing attacks going to your email address, they're sent to your mobile device as a text message, and we also see similar attacks using messaging apps such as WhatsApp.
The SMS phish in this case appeared to come from 'HMRC' (Her Majesty's Revenue and Customs is a non-ministerial department of the UK Government responsible for the collection of taxes). The text message was:
The recipient was obviously over the moon to receive a text message stating they were getting a tax refund from HMRC. I must point out that this individual is well aware of the dangers around email phishing, but because this was a text message they believed it to be genuine. They hadn't recognised the tell-tale signs of a phish! In this case: reinforcing that they're going to a secure link, posing as an authoritative figure (HMRC), playing on the fact that we've just started 2020, and using an exciting and enticing hook (who can resist free money?).
As a result, I wanted to take a moment to think about whether SMS phishing is on the rise. There are two angles that I’m going to consider as the cause of an increase: an increased awareness of email phishing attacks and an increase in investment in sophisticated email phishing detection and blocking capabilities.
Phishing emails have been front and centre as a security awareness theme for many years now, with most large organisations running phishing campaigns and pushing out communications and training on how to detect phishing emails. But because this education has focused on phishing emails alone, many people are totally unaware that SMS phishing exists. Several of our clients have stated they seem to be seeing more SMS phishes, with some pretty convincing WhatsApp ones, too! WhatsApp has been used for other attack vectors, such as the alleged hacking of Amazon CEO Jeff Bezos via a WhatsApp vulnerability that appeared in the news today. The vulnerability was patched last year, but it shows that even the technically savvy can be attacked.
It is important for people to understand that phishing - whether it's by email, SMS, voice, letter, etc. - is a form of social engineering, and that social engineering can occur through any form of communication.
Another contributing factor that may have caused a rise in SMS phishing is that email service providers, and organisations, have invested a huge amount of time and money into detection and blocking capabilities for phishing emails. As a result, cyber criminals have shifted to a communication method that we aren't as educated about or protected against. Mobile devices do not yet have the same level of protection, so most SMS phishes will get through. It's then up to you to detect them! This gives the criminals greater scope for what the SMS phish contains and how complex it can be.
It is also worth considering that a mobile number is much easier to brute force than an email address. In the UK's case you could type any random 11-digit number (starting with 07) and it's likely it would be received. Cyber criminals no longer have to go to the trouble of harvesting or purchasing email addresses to target; they can quite literally just make numbers up.
The reason I question whether it is on the rise is that it is tricky to quantify and compare the number of SMS phishes to the number of phishing emails. When it comes to phishing emails, most organisations have robust processes and technology solutions in place for reporting and as a result have fairly accurate statistics. However, who do people report SMS phishes to, and is anyone tracking them? Does your organisation run SMS phishing campaigns and collect data on SMS phishes?
Some of our top tips for detecting SMS phishing attacks are:
Legitimate organisations will not send you a text message asking you to share personal or financial information
Do not post your mobile number on social media and avoid giving it out when it’s not required
If you’re contacted by your bank or a body like HMRC, always call them directly on a number you trust (for example the number on the back of your bank card)
If you receive a communication that you’re not expecting (whether by email, phone call, SMS message or any other way) that is asking you to do something and makes you feel emotional (happy, panicked, embarrassed or anything else), be aware this could be social engineering
Avoid clicking links you’re unsure of (clicking the link could infect your device with malware) but instead go directly to the source; in the example above, I told my family member to go to the HMRC website rather than click the link
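The tips above describe signals a person should look for; an organisation that collects reported SMS phishes can apply the same signals to triage reports. The following is an added example, not code from the original post: a small Python heuristic that scores a text message on the tell-tale signs discussed above (an authoritative sender, a financial hook, urgency or emotion, "secure link" reassurance, a request for personal details) and flags links whose host is not on an allowlist. The trusted-domain list, the keyword patterns, the weighting and the sample messages are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of domains the organisation treats as legitimate senders.
# This is a placeholder for the example, not a list the original post provides.
TRUSTED_DOMAINS = {"gov.uk", "hmrc.gov.uk"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Heuristics mirror the tell-tale signs described in the post: an authoritative
# sender, an enticing financial hook, pressure or emotion, reassurance that the
# link is "secure", and a request for personal or financial details.
# Keyword choices are assumptions for this example.
SIGNALS = {
    "authority": re.compile(r"\b(hmrc|bank|revenue|customs|tax office)\b", re.I),
    "financial_hook": re.compile(r"\b(refund|rebate|prize|reward|owed)\b", re.I),
    "urgency": re.compile(r"\b(urgent|immediately|within \d+ hours|expires?|final notice|act now)\b", re.I),
    "reassurance": re.compile(r"\b(secure link|verified|official)\b", re.I),
    "detail_request": re.compile(r"\b(confirm|verify|update|enter) your (details|account|card|identity|password)\b", re.I),
}


def link_hosts(text):
    """Return the lowercased hostname of every http(s) link in the message."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,;)")).hostname
        hosts.append(host.lower() if host else "")
    return hosts


def is_trusted(host):
    """True if host is, or is a subdomain of, an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyse_sms(text):
    """Score one SMS for phishing signals; a higher score is more suspicious."""
    found = [name for name, rx in SIGNALS.items() if rx.search(text)]
    hosts = link_hosts(text)
    untrusted = [h for h in hosts if not is_trusted(h)]
    # Each content signal counts one; a link to a non-allowlisted host counts two,
    # because following an unknown link is the action the tips warn against.
    score = len(found) + (2 if untrusted else 0)
    return {
        "signals": found,
        "links": hosts,
        "untrusted_links": untrusted,
        "score": score,
        "suspicious": score >= 3,  # threshold is an assumption for the example
    }


# Constructed sample messages for the example (not real texts from the post).
SAMPLES = [
    "HMRC: you are due a tax refund for 2019. Claim it via our secure link: https://refund-portal.example.invalid/claim",
    "Your parcel will be delivered tomorrow between 9am and 1pm.",
    "Reminder: your appointment is on 14 Jan. Guidance: https://www.gov.uk/guidance",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        r = analyse_sms(msg)
        label = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{label:10} score={r['score']} signals={r['signals']} untrusted={r['untrusted_links']}")
```

Run it as a script to see each sample scored. The first sample trips the authority, financial-hook and reassurance signals and links to a host outside the allowlist, so it is flagged; the delivery notice and the appointment reminder with a gov.uk link score zero. The point is not that keyword matching is reliable on its own, but that the signs people are taught to spot can also be counted and reported, which is the data the post notes most organisations do not yet collect for SMS.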