When we described Social Engineering Attacks, we talked about phishing (cyber attacks carried out using email). Phishing is all about convincing you to act immediately by clicking on a link, or opening an attached document, and results in a hacker getting access to your sensitive business or personal information.
If you follow the few simple rules we laid out for detecting phishing e-mails, you will get good at stopping phishing attacks really quickly.
Unfortunately, just about any form of electronic communication can be used for Social Engineering Attacks. With the rise of instant messaging as a viable business communication tool (think Slack), you need to know about phishing's first cousin:
- Smishing: a social engineering attack carried out using instant messaging (like SMS, Slack, Skype, WhatsApp, iMessage, etc.).
Much like phishing, the whole point of smishing is to get you to click on an embedded link without thinking. This is usually accomplished by sending you a message that will make you worried (your bank is about to suspend your account or cancel your credit card) or excited (you just won a lottery you’ve never heard of).
THE SMISHING IS FINE, CLICK ON IN
With smishing, an attacker wants you to click on a link included in the message to download mobile malware, visit a malicious website, or call a fraudulent phone number. Since most of us now do a lot of our banking on our smartphones via apps, with confirmations and activity notifications arriving by SMS, a lot of smishing tends to focus on pretending to be from your bank or credit card company. Here are some examples of real smishing attacks with the bank names replaced with the word bankname:
- "ALERT! Your account has been locked due to suspicious activity. Verify your account credentials to unlock your account at: http://verify-bankname-account.com"
- "This is a warning that your last credit card payment was missed. Login to verify your payment details and avoid penalties: http://credit.bankname-card.payment.com"
- "Bankname account suspension notice. Update your registration to avoid overdraft charges. Call (xxx) xxx-xxxx"
- "Update your banking app now to better protect yourself. Download the latest version at http://update-bankname-verify.com/app4485"
And, of course, none of those URLs belonged to a bank. They pointed to malicious web sites.
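As an added illustration (not code from the original article), here is a small triage script that checks an incoming message for the three traits those examples share: urgency language, a link whose registered domain is not the bank's, and a callback number. The bank's real domain (bankname.com), the brand token and the sample messages are constructed assumptions modelled on the messages quoted above.

```python
import re
from urllib.parse import urlparse

# Assumed values: the bank's real domain and the brand token used in the quoted examples.
BRAND = "bankname"
TRUSTED_DOMAINS = {"bankname.com"}
URGENCY = ("immediately", "locked", "suspended", "suspension", "missed",
           "avoid penalties", "avoid overdraft", "update your", "verify")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
PHONE_RE = re.compile(r"\(?\d{3}\)?[ -]?\d{3}-\d{4}")

# Constructed sample texts modelled on the four messages quoted above, plus one
# benign alert (index 4) of the kind a real bank might send.
SAMPLE_MESSAGES = [
    "ALERT! Your account has been locked due to suspicious activity. Verify your "
    "account credentials to unlock your account at: http://verify-bankname-account.com",
    "This is a warning that your last credit card payment was missed. Login to verify "
    "your payment details and avoid penalties: http://credit.bankname-card.payment.com",
    "Bankname account suspension notice. Update your registration to avoid overdraft "
    "charges. Call (555) 010-0199",
    "Update your banking app now to better protect yourself. Download the latest "
    "version at http://update-bankname-verify.com/app4485",
    "Bankname: a purchase of $42.10 was made with the card ending 1234. "
    "If this was you, no action is needed.",
]

def registered_domain(host):
    """Naive eTLD+1 (last two labels); assumes no public-suffix list is available."""
    return ".".join(host.lower().split(".")[-2:])

def triage(message):
    """Return the reasons a message looks like smishing (empty list = nothing flagged)."""
    reasons, lower = [], message.lower()
    if any(phrase in lower for phrase in URGENCY):
        reasons.append("urgency language")
    for url in URL_RE.findall(message):
        host = urlparse(url.rstrip(".,;:!?)")).hostname or ""
        if registered_domain(host) not in TRUSTED_DOMAINS:
            # The bank's name may sit in the host, but the click lands on someone else's domain.
            kind = "brand lookalike link" if BRAND in host.lower() else "untrusted link"
            reasons.append(f"{kind}: {host}")
    if PHONE_RE.search(message):
        reasons.append("callback number in message")
    return reasons

def is_smishing(message):
    """Urgency alone is normal in a real fraud alert; urgency plus a lure (untrusted link or callback number) is the pattern the examples share."""
    reasons = triage(message)
    return "urgency language" in reasons and len(reasons) > 1
```

Run it over `SAMPLE_MESSAGES` and the first four are flagged while the benign purchase alert is not; a genuine "verify your new device" text linking to bankname.com also passes, because the lure check is on the registered domain rather than on the wording.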
SMISHING? NO THANKS, I'LL TAKE A PASS
The rules that allow you to avoid most smishing attacks are easy to remember:
- If an instant message urges you to respond immediately or act quickly, STOP and think for a moment. Demanding action is what social engineering attacks are all about.
- Do not click on links in instant messages – even if the message appears to come from someone you know. Hackers can send smishing messages that appear to come from any number they wish.
And whenever you get instant messages about your bank accounts, credit cards, etc.:
- Do your research and verify the instant message is legit. If a financial institution is threatening to cancel your card immediately, don't click on the link or call the number embedded in the message. Call the real customer service number on the back of your credit card or bank card and talk to a customer representative about it.
- Likewise, if you receive an instant message that seems to be from a government agency, or a company you do business with, look up the official contact number for the entity and call them to verify you received a legitimate request you need to act on. Most organizations will tell you "we will never send requests like that via instant message."
- Never reply to instant messages that request sensitive business or personal information from you. Again, we don’t know of any legitimate business or government agency that will ask for your sensitive info via instant message.
Following these guidelines will help mitigate your risk from smishing. However, as more businesses adopt instant messaging as a preferred method of communication, the intensity of smishing attacks is guaranteed to increase.
Contact firstname.lastname@example.org for more information on how to better protect your business against smishing and other types of social engineering attacks.