Best Practices for Building a Smishing Program

June 6, 2023 | By IANS Faculty

With the increase in remote work, more attacks are occurring through mobile phones and SMS or texting (aka “smishing” attacks). As a result, security teams must consider the need to train and exercise employees on how to recognize a smish and report it appropriately. This piece details best practices on building an effective smishing program.

Mobile Devices and Smishing Attacks 

Mobile devices now account for more than 60% of digital fraud, and a common method that mobile phones are used in attacks is via smishing. Even the IRS has flagged the increase in smishing attacks on taxpayers. Cybersecurity programs must train and exercise their employees on how to recognize, defend against and report smishing attempts.

READ: How to Prevent and Mitigate Social Engineering Attacks

Get Internal Smishing Campaign Buy-In 

All organizations considering smishing campaigns must take the proper steps to ensure they have signoff from internal stakeholders, such as human resources, legal and compliance. There are several reasons why internal smishing campaigns can be risky, including:

  • Employees may lack training on smishing reporting and could report the smish attempt to outside authorities.
  • The smishing exercise may smish the wrong mobile number.
  • Employees may object to having smishes sent to personal devices, where fees and privacy regulations may apply. 

These issues and others must be considered upfront and all stakeholders must agree on the need for and method and scale of the smishing program beforehand.

Smishing Awareness Training 

Security awareness training on smishing must instruct employees to be wary of unsolicited requests for information sent by text. Be sure to educate on the typical hallmarks of smishing schemes, such as a sense of urgency or a call for immediate action. Caution employees to never tap links in an unexpected text message.

Employees should also be trained to contact the company or person associated with a suspicious text request through a separate method, such as a previously verified phone number, email or corporate messaging system, rather than simply replying to the text. A common scheme adversaries use is to convince employees to buy gift cards and send the card numbers back to the attacker via text. Remind employees (and executives) that requests for official work or favors, such as buying gift cards, should never be sent through text.

It's also important to codify your rules around the use of SMS for work in policy and be sure to train employees on the policy.

Reporting Smishing Internally 

Organizations should also have a documented way for employees to report smishing that is similar to how they report other types of security violations. It could even be beneficial for the company to have an email address or phone number where suspected smishes can be forwarded. Whatever the process, it must be a part of the training and/or simulation that is offered as well.

Additionally, in the U.S and U.K., employees can forward the smishing text to 7726. This free-of-charge short code is designed for spam reporting, but it also enables your SMS service provider to investigate and block potentially malicious SMS messages.

Employee Smishing Simulation Campaigns 

There are times when simulation and training are not enough, and users need to be tested in real-world environments. In these cases, smishing can be performed either externally or internally.

External Smishing Campaigns 

Some penetration testing and phishing companies offer a smishing service and charge based on the number of employees smished. The advantage is the campaign itself is no work for your internal cyber team, but there are disadvantages. Depending on your contract and budget, this could be simply a one-time campaign hitting just a small percentage of your employees. Regular external smishing campaigns that cover a large percentage of your employees can get very costly.

Internal Smishing Campaigns 

With so few external organizations actually offering smishing capabilities, many organizations look to internal solutions. However, creating and deploying a manual campaign would be very time-and resource-intensive and is likely not going to yield the return on investment desired.

Employee Smishing Campaign Considerations: 

  • Using a software engineering team (either existing or contracted) to develop an automated, orchestrated capability in-house: This is a nice solution because it can be tailored to your organization and, once it’s developed, it can be used over and over again across all employees at no additional cost.
  • Using an open source or commercial tool to run your own campaigns in an automated way: While not truly a completely internal solution, a tool like this enables security teams to run their own campaigns at a lower cost relative to a penetration testing team.

Employee Smishing Training Tips 

Despite the growing number of smishing attacks, there are not many options for running smishing campaigns at scale. For example, penetration testers or phishing companies will run a smishing campaign to a targeted set of users, but those options can get very expensive when the program is extended to the entire organization. To ensure your smishing program is scalable and cost-effective:

  • Train all users, including executives: Everyone sends text messages and no employee is immune from smishing scams. Executives especially should be included in training, because they are often spoofed in an effort to get their staffers to give up passwords or corporate credit card numbers.
  • Put a reporting mechanism in place: Ensuring employees know how to report a smish and making it easy to do so can help your security team respond more quickly and effectively.
  • Develop an internal solution using in-house developers or commercial tools: Going this route usually provides the best, most cost-effective results.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

Access time-saving tools and helpful guides from our Faculty.

IANS + Artico Search

Our 2024-2025 CISO Compensation and Budget Benchmark Survey is Live!

Get New IANS Blog Content
Delivered to Your Inbox

Please provide a business email.