When it comes to MSPs, there is one set of letters that causes indigestion: ‘-ishing.’ Phishing is the biggest headache, of course. Successful phishing expeditions have led to many network breaches in businesses large and small.

Recently on Smarter MSP, we talked about vishing and its inherent dangers. This week, we discuss another ‘-ishing’: smishing.

What is smishing?

Smishing is essentially a trick text that leans heavily on social engineering to get someone to cough up personal information, so a bad actor can use it for nefarious purposes.

I’ve been unsuccessfully smished. Recently, I received a text that purported to be from my wireless carrier saying, “Our security department has detected unusual activity on your account. For security purposes, please click the link below and update your profile.” I knew that the text was ridiculous and, with some quick sleuthing, I discovered it was a poorly concealed attempt to bait me.

I employed the best weapon against a smish: ignoring it. These “-ishings” are only effective if someone unwittingly follows through.

Hackers were hoping for some smishing follow-through when they targeted customers of Peoria, Illinois’s Citizens Equity First Credit Union. In that case, credit union members were targeted by a smishing/vishing hybrid scheme.

MSPs should take a holistic approach to cybersecurity by being aware of threats, wherever they may emerge. Norton warns, “Smishing is becoming an emerging and growing threat in the world of online security.”

Can smishing’s impact go beyond a mobile device?

Smishing is only a threat to a person’s bank account or mobile device, right? That’s not entirely true; the threat is growing and evolving. Smishing isn’t completely harmless when it comes to network threats.

Let’s say I had clicked on the purported link from my carrier. I’m sure there would have been some bogus form where I’d be prompted to type in my Social Security number or give them my PIN to something. In that case, the threat remains outside the network. But if you start handing out PINs or other IDs, then smishing can be like handing off the keys to the castle.

As people blend more work and personal functions together (remember the good old days of the BlackBerry, where you had a work/personal wall?), the danger increases. Smishing can serve as a battering ram into the network. MSPs need to be on guard and continually help clients update BYOD policies.

It’s surprisingly hard to find smishing experts because the threat is relatively nascent. Still, after my smish, I reached out to Bren Doreck, a cybersecurity specialist in Dallas.

“In theory, if a phone user clicked on a link in an SMS message and an app was installed and had a command and control (or other nefarious function) if a user connected to a network, that would be one way to enter a corporate network. It could potentially just deposit an infected file for someone to find,” states Doreck. To protect against such intrusions, Doreck recommends deploying a mobile device management (MDM) solution or maintaining a separate network for non-managed devices.

Familiarity breeds complacency

Here’s the real danger posed by smishing: People have largely grown wary of phone calls and now favor texting. When was the last time you made a business call, and someone picked up the phone? Texting has become the norm and, along with it, a sense of comfort. People aren’t used to being tricked by a text.

A text usually comes from a legitimate business or, worse from a cybersecurity standpoint, from family and friends. Texts are used in familiar, everyday settings, like: “Could you please text me a grocery list, so I can swing by the supermarket after work?” Such innocuous exchanges cast a veneer of familiarity over the entire act of texting. Hackers know that and use smishing to tap into the reservoir of goodwill people have towards text messages.

“Smishing is growing because of how much we are on our phones. It is an instant grab of attention that reaches people now, whereas some people don’t check email for days, or the email goes to spam,” notes Doreck, while also reporting that email providers and other products are getting better and better at flagging spam.

“Also, many people assume that the carrier protects them or there is some thought that ‘they contacted me at my phone number, it is ok’,” observes Doreck.

Besides deploying an MDM solution, another step MSPs can take to combat smishing is simply raising awareness.

“I would want to change the awareness level of users through training and reminders,” admits Doreck. Smishing’s threat will grow if it’s successful from the hacker’s perspective.

“If whatever the behavior the text is trying to solicit has successful results, and the objective is attainable, then it will get worse,” predicts Doreck.

Photo: Epic Stock Media / Shutterstock

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
