SMShing: How to protect your business against this rising cybercrime
Hackers are exploiting human nature and the popularity of SMS to scam smartphone users, and this type of cybercrime has dire consequences for your business’s brand – and bottom line.
In January 2019, the National Student Financial Aid Scheme (NSFAS) revealed criminals were using SMS messages to target students. In a statement, NSFAS said perpetrators were posing as NSFAS representatives, sending emails and SMS messages asking students to update their account information.
To combat the crime, the organization would no longer communicate with students via SMS. NSFAS reported a surge in attacks, and this hike mirrors global online security trends.
So, what is SMS phishing and how can you protect your business and your subscribers against this form of cybercrime?
The term was first coined by David Rayhawk in a McAfee Avert Labs blog post in 2006. SMS phishing takes various forms, with one goal: stealing from the recipient.
Here are some of the most common attacks:
One type of SMS phishing asks a user to click a trojan link, leading to the installation of mobile malware that infects the user’s phone.
In another, users are asked to update account information and are taken to a login page that looks like it’s the user’s bank or a government agency. These messages will often be urgent, demanding the victim take action immediately to avoid losing access. When the login details are entered, the scammer has access to the account or the user’s personal details.
So, what makes SMS such a popular channel for cybercriminals?
These are just some of the features that make it an ideal channel to engage in meaningful communication with subscribers and staff. But one should not be complacent about the possibility of scammers taking advantage of the same channel.
Protecting your business against phishing
Make sure you are aware of the latest SMS phishing attempts and share relevant online security updates with customers and staff. Inform subscribers about your SMS policy. For instance, if you’re a financial organization, let your customers know you will never send an SMS requesting their PIN codes or sensitive account information.
Educate staff about cybercrime and online security. In the BYOD (bring your own device) era, staff members access private organizational data from their smartphones, leaving company systems vulnerable to data theft and malware.
All staff should install antivirus software, and there are also programs that will stage mock SMS phishing scams. As part of these simulated attacks, users are called and counseled on their behavior if they click on the “malicious” links in the text.