SMShing: How to protect your business against this rising cybercrime

Mock SMS cybercrime

Hackers are exploiting human nature and the popularity of SMS to scam smartphone users, and this type of cybercrime poses dire consequences for your business’s brand - and bottom line.

In January 2019, the National Student Financial Aid Scheme (NSFAS) revealed criminals were using SMS messages to target students. In a statement, NSFAS said perpetrators were posing as NSFAS representatives, sending emails and SMS messages asking students to update their account information.

To combat the crime, the organization would no longer communicate with students via SMS. NSFAS reported a surge in attacks, and this hike mirrors global online security trends.

With the rise of smartphones, fraud analysts warn of an increase in SMS phishing - or SMShing. The rate of successful mobile fraud - where the victim has clicked on a phishing link - has grown by 85% between 2011 and 2018. Mobile messaging fraud costs enterprises $2 billion per year, and in some regions about 20% of SMS traffic is fraud-related.

So, what is SMS phishing and how can you protect your business and your subscribers against this form of cybercrime?

First coined by David Rayhawk in a McAfee Avert Labs blog post in 2006, SMS phishing takes various forms, with one goal: stealing from the recipient.

Here are some of the most common attacks:

One type of SMS phishing asks a user to click a trojan link, leading to the installation of mobile malware that infects the user's phone.

In another, users are asked to update account information and are taken to a login page that looks like it’s the user’s bank or a government agency. These messages will often be urgent, demanding the victim take action immediately to avoid losing access. When the login details are entered, the scammer has access to the account or the user’s personal details.

So, what makes SMS such a popular channel for cybercriminals?

There are 2.5 billion smartphone users, and text is the most used feature. Delivery is guaranteed and open rates exceed email by close to 80%.

These are just some of the features that make it an ideal channel to engage in meaningful communication with subscribers and staff. But one should not be complacent about the possibility of scammers taking advantage of the same channel.

Protecting your business against phishing

Make sure you are aware of the latest SMS phishing attempts and share relevant online security updates with customers and staff. Inform subscribers about your SMS policy. For instance, if you’re a financial organization, let your customers know you will never send an SMS requesting their pin codes or sensitive account information.

Educate staff about cybercrime and online security. In the BYOD (bring your own device) era, staff members access private organizational data from their smartphones, leaving company systems vulnerable to data theft and malware.

Once a hacker has gained access, they can wreak havoc on corporate networks. This can devastate your business. Over 70% of customers would reconsider using a company if they suffered a breach, and 50% would switch companies, according to a Deloitte Consumer Review.

All staff should install antivirus software, and there are also programs that will stage mock SMS phishing scams. As part of these simulated attacks, users are called and counseled on their behavior if they click on the “malicious” links in the text.

To learn more about how you can combat cybercrime, read our recent article on how to respond to the skills shortages affecting the cybersecurity industry.