The top tips for protecting yourself against rising SMS phishing tactics

In this article, Will Evans, Director at Performance Networks, outlines the top tips for protecting yourself against rising SMS phishing tactics.

Without totally neglecting technology and going off-grid to live like a hermit, being subject to some form of phishing or smishing attack is now unavoidable.

Its prevalence has continued to grow. A report released towards the end of 2021 showed that 73% of the UK’s companies suffered data breaches that stemmed from phishing within the past year – a quite startling statistic.

What started with basic cold calling methods has developed as the importance of email has grown. The fact we operate within a digital world means opportunist scammers and criminals are constantly developing new and innovative methods to extract our key, all while holding the upper hand against those fighting against it. No sooner has one tactic been dealt with has another cropped up.

SMS phishing – or rather smishing – is one of those newer approaches individuals and businesses need to be wary of. During the first six months of 2021, smishing reports grew by 700%, compared to the second half of 2020.

The fact is, no matter the size of the name or brand, nobody is safe, as was highlighted by the attack that Royal Mail endured in March 2021.

We will go into that in more detail in this article, while we will also review the steps that anyone can take to better protect themselves from SMS phishing attacks moving forward.

Royal Mail case study: the simple, yet convincing, text that scammed millions

Due to the COVID-19 pandemic, online orders have boomed. The latest data from Statista shows that there were approximately 4.2 billion parcels sent in the UK during 2021 – 1.5 billion more than what was sent two years earlier in 2019.

And because of that, scammers decided to chance their arm with a simple redelivery approach that utilised an 18-word text and one link to a spoof, yet convincing, website that duped customers to hand over their credit and debit card details to finalise their order.

As a result, people saw their bank accounts emptied.

This is a high-profile example. Delivery businesses have been high-profile targets for these types of scams for years now, but they are not the only target. In fact, the latest data shows that 81% of organisations around the world have experienced an increased amount of phishing attacks since March 2020, coinciding with the start of the COVID-19 pandemic.

Why were so many caught out by this? The first reason is that smishing is relatively new and unheard of compared to email. The second reason is that very few people have internet protection on their mobile phones, leaving the devices that occupy our lives the most exposed to attacks.

SMS threats will continue to rise for a simple reason… because it is easy to do.

There are well-known and published lists of number ranges that a hacker can go through. There’s no protection against that, or from someone just guessing a phone number.

Mobile Networks have number ranges and, from there, a hacker can just make their way up the list. It’s an easy tactic and doesn’t take a lot of effort, especially when the message being pumped out has the potential to resonate with anyone, like the Royal Mail example.

Despite its prevalence, there’s not enough being done to educate employees within businesses

Right now, smishing is much more a consumer issue than it is a business one. However, it is fully expected that will change in the future.

When we’re talking about protection, the first place to start is education.

Despite how prominent phishing and smishing are, the latest data shows that only one in five businesses deliver phishing training to their employees once per year. A 2020 poll also suggested the following were the top reasons why an employer got sucked into a phishing attempt:

• ‘I was distracted’
• ‘The comms looked legitimate’
• ‘The comms was supposedly from a senior executive at my organisation’
• ‘The comms was supposedly from a respected brand’

The advancements in technology mean phishing can be made to look almost authentic and while we will review some of the best forms of protection out there right now, awareness and knowing what to look out for when it comes to phishing and smishing activity is key.

Identification is at the core of that. Being able to identify what is real and what isn’t. Is the website you’re clicking through to Royal Mail or is it, in fact, just a lookalike designed to snare your details. The sender is a key giveaway as well. When you tap on the contact, is it your colleague’s email or one you’ve never seen before.

With smishing text messages, that distinction is harder to make. Typically, you’ll get a link and it could be shortened to disguise where it is going. The best advice we can give is to think about the context those messages have come in and act accordingly.

Finally, rather than breathing a sigh of relief and moving on after swerving a phishing attempt, it’s important to report them. The best location to do so is via the National Cyber Security Centre website.

The Government operates a 7726 text service that enables people to report spam texts for free, while Which? launched its own scam reporter tool in March.

Internet security protection on your mobile phone is the single-best protection against smishing

Most people are used to receiving a phishing attempt either via email or a cold call – most of us have, undoubtedly, experienced one or the other – but not many expect it via SMS.

When you receive a cold call from someone, the best protection is awareness to recognise what the call is and to be able to end it before any details are exchanged, or they have gained access to your computer.

When it comes to SMS, the single-best protection is by having internet security on your phone. Small disclaimer: that internet security won’t pick up everything, but it is a vital layer.

The first place to start is with mobile security apps. They are, somewhat, effective on mobile phones, less so on iOS because of how Apple’s operating system is set up. There are anti-virus apps that sit in the background and monitor your internet activity.

That sounds scarier than what it actually is – considering how the importance of privacy has grown recently. However, all it does is check the reputation of the links you’re clicking on or DNS requests that you’re making and will flag whether something looks suspicious. Lookout is a good example of that software. Bitdefender has an app, too.

Good account hygiene, like two-factor authentication, is a big part of that. For businesses, they can have a centrally-managed two-factor authentication. We do something called Duo, which is a great tool for managing 2FA across your business and keeping it streamlined.

Make sure you don’t fall foul to the growing threat

While it doesn’t have the same ring to it as phishing, smishing is a very real threat, one that the majority of the world is exposed to in the modern world.

If you have a way that you can be contacted, then you’re at risk. It’s as simple as that. Without taking yourself off the grid, there is no way of taking yourself out of the loop and being targeted.

While SMS is growing, we can’t discount email. We live in a world where scammers and criminals are using several different tactics depending on the data they’re trying to get, a blend of both SMS and email in a frighteningly convincing way.

As a user, we’re required to have a multi-layered security approach – one that incorporates up-to-date education but also investment in software across our digital devices to ensure you, your business, or your staff, don’t fall foul of these tactics.

Click for more articles from Cyber Security Month by Dragos