With the increase in remote work, more attacks are occurring through mobile phones and SMS or texting (aka “smishing” attacks). As a result, security teams must consider the need to train and exercise employees on how to recognize a smish and report it appropriately. This piece details best practices on building an effective smishing program.
Mobile devices now account for more than 60% of digital fraud, and a common method that mobile phones are used in attacks is via smishing. Even the IRS has flagged the increase in smishing attacks on taxpayers. Cybersecurity programs must train and exercise their employees on how to recognize, defend against and report smishing attempts.
All organizations considering smishing campaigns must take the proper steps to ensure they have signoff from internal stakeholders, such as human resources, legal and compliance. There are several reasons why internal smishing campaigns can be risky.
These issues and others must be considered upfront, and all stakeholders must agree beforehand on the need for the smishing program and on its method and scale.
Security awareness training on smishing must instruct employees to be wary of unsolicited requests for information sent by text. Be sure to educate on the typical hallmarks of smishing schemes, such as a sense of urgency or a call for immediate action. Caution employees to never tap links in an unexpected text message.
Employees should also be trained to contact the company or person associated with a suspicious text request through a separate method, such as a previously verified phone number, email or corporate messaging system, rather than simply replying to the text. A common scheme adversaries use is to convince employees to buy gift cards and send the card numbers back to the attacker via text. Remind employees (and executives) that requests for official work or favors, such as buying gift cards, should never be sent through text.
It's also important to codify your rules around the use of SMS for work in policy and be sure to train employees on the policy.
Organizations should also have a documented way for employees to report smishing that is similar to how they report other types of security violations. It could even be beneficial for the company to have an email address or phone number where suspected smishes can be forwarded. Whatever the process, it must be a part of the training and/or simulation that is offered as well.
Additionally, in the U.S. and U.K., employees can forward the smishing text to 7726. This free-of-charge short code is designed for spam reporting, but it also enables your SMS service provider to investigate and block potentially malicious SMS messages.
There are times when simulation and training are not enough, and users need to be tested in real-world environments. In these cases, smishing can be performed either externally or internally.
Some penetration testing and phishing companies offer a smishing service and charge based on the number of employees smished. The advantage is the campaign itself is no work for your internal cyber team, but there are disadvantages. Depending on your contract and budget, this could be simply a one-time campaign hitting just a small percentage of your employees. Regular external smishing campaigns that cover a large percentage of your employees can get very costly.
With so few external organizations actually offering smishing capabilities, many organizations look to internal solutions. However, creating and deploying a manual campaign would be very time- and resource-intensive and is likely not going to yield the return on investment desired.
Despite the growing number of smishing attacks, there are not many options for running smishing campaigns at scale. For example, penetration testers or phishing companies will run a smishing campaign to a targeted set of users, but those options can get very expensive when the program is extended to the entire organization. To ensure your smishing program is scalable and cost-effective:
September 26, 2023
By IANS Faculty