The National Cyber Security Centre (NCSC) has warned of the growing threat of smishing, the tactic of phishing via SMS and other messaging systems.
Smishing is a change in strategy for cyber criminals, as the general public becomes more aware of email phishing practices.
The phenomenon also reflects the growing number of mobile messaging platforms. The relative lack of protection in place on these platforms is providing cyber criminals with new opportunities to spread malware and commit fraud.
What is smishing?
In a smishing scam, an SMS message that appears to be from an official source will prompt a user to click a link which can download malware or redirect the victim to a malicious website. The intention is usually to steal credentials or other personal data.
While fraudulent links are typically caught by email anti-malware, most phones do not have such protection installed. This means that malware can launch and spread with relative ease.
And because SMS messaging feels like a more personal form of communication, many people will be caught unawares by smishing.
Not just SMS
While the NCSC has warned specifically about SMS messaging, the problem exists across a wide range of messaging platforms. There are various reports of scams being run via popular platforms such as WhatsApp and Snapchat.
Meanwhile, cyber criminals are also known to clone Facebook accounts (including photos and personal details). They will then try to connect to contacts and run phishing campaigns via Facebook Messenger, pretending to be the person they’ve cloned. The process can take place at an alarming speed, and unless the user is wary, it is easy to be caught unawares.
The dangers of smishing to business
The danger of smishing to businesses is that many staff connect to work systems and emails with their personal phones.
This means that if a phone is infected, malware can quickly spread not only to personal contacts but work contacts as well. This can cause reputational damage to a business, as well as create an IT security hassle both for the phone user and for the business.
How to defend against smishing
Awareness of smishing is the first step to protection. People are more likely to scrutinise links or downloads if they are aware they could pose a risk.
Individuals should look at installing an anti-virus solution for their phone. One solution is Sophos Mobile Security, a free anti-virus solution for Android and iOS that includes link blocking.
Most operating systems also offer some vulnerability protection. Keeping your phone up to date with the latest patches is therefore also a good idea.
For businesses looking to protect work devices, or ensure that any device accessing work systems has protection, Akita’s Mobile Device Management solution is available. This can be used to create an environment that contains all work apps and files, separate from a person’s personal apps and files.
Mobile Device Management can be used to ensure that all work data is protected by password or biometric sign-in, as well as to ensure that a mobile device has anti-virus and all the latest updates installed.
Should that person’s mobile device be compromised by malware, work data is protected in its own bubble. Should the mobile device be lost or stolen, all business data can be wiped from the phone remotely.
For more information about Mobile Device Management and defence from smishing, please get in touch.