Smishing is quickly becoming a major issue for mobile devices, and without awareness of the danger, these attacks can be devastating for businesses. Compromised personal mobile devices aren’t just a personal risk. They can have a massive impact on a business’s operations. In 2022, 130 organizations were compromised because of a single smishing campaign; and, in 2023, 75% of organizations experienced a smishing attack.
Unfortunately, smishing attacks are becoming more and more successful. Users are six to ten times more likely to fall for smishing than for email-based attacks, yet less than 35% of the population knows what smishing is, making it an attractive vector for threat actors.
Here’s what organizations need to know about smishing attacks.
Smishing is the SMS counterpart to phishing. Attackers send fraudulent text messages, often containing a link, to solicit an action from the user. The action might be typing credentials into a phishing website or paying a fake invoice.
Examples of common smishing attacks include:
Smishing attacks often use a sense of urgency to elicit action, or they may use personal information from an earlier breach to make the message look more authentic. For example, if a phone number is known to be associated with a particular bank or service, the attacker might send messages claiming to come from that bank or service.
Regardless of the type of attack, this can lead to an employer-owned device being compromised, details of company accounts being leaked, or funds being diverted from an organization into the pockets of these scammers.
Smishing attacks typically direct users to a website that carries out one or both of the following actions:
While those scams are bad enough, many other mobile-focused attacks use smishing as a primary vector. For example, a successful smishing attack can lead victims to download malicious apps or more dangerous software. In one such instance, the notorious Pegasus spyware, which targeted the mobile phones of journalists and politicians, used text messaging and other mobile-specific methods to deliver its payload.
Pegasus’s purpose is to monitor all forms of communication on a mobile device, which can result in credential harvesting and the exposure of other sensitive information.
“Zero-click” attacks can also use smishing-style delivery to install spyware or other exploit payloads. These attacks don’t require any interaction from the user. One method of delivering the payload is a WhatsApp missed call, which triggers a vulnerability that then installs the malicious software.
Even mobile apps known for their privacy can be exploited. For instance, WhatsApp has had multiple zero-click vulnerabilities, such as the recent Graphite malware attack disclosed by Meta, which could be launched via a malicious message. All a user had to do was join a specific WhatsApp group and receive a malicious PDF or image inside that group. The user didn’t have to interact with the malicious attachment for the malware to install itself.
These kinds of attacks are usually highly targeted and specialized. CEOs and high-profile business executives are often key targets for sophisticated campaigns of this kind because of the high amount of sensitive data that can be harvested.
In many cases, stolen credentials alone are no longer enough for hackers to access your account. They also need the verification code that’s sent to your device, usually as a text message.
In some cases, companies do away with passwords altogether and use one-time passwords (OTPs), which follow the same method: you type your username into a website and then receive a code (the OTP), either as an SMS or as an email. You then type this OTP into the site and it logs you in.
Hackers have developed OTP bots to intercept these messages. The bot automates the interaction between you and the fraudulent website. Using Facebook as an example, it works like this:
The bot might even use a VPN to approximate the user’s real location, because Facebook would typically send a message saying “We detected a login from [location name]. Was this you?” By matching the victim’s approximate location, hackers make the attack more believable. Executives who are constantly on the move may be too busy to think twice about what’s happening, potentially making these attacks more successful against them.
Smishing is evolving in two major ways: channels and sophistication.
As a mobile device attack, smishing has expanded to more than just text. Victims experience attacks via SMS, WhatsApp, Signal, social media apps, or any other mobile-specific app or service.
Dating apps are also a popular channel for mobile attacks, whether in the form of fake dating apps or as a means to send smishing-style messages to users. On dating apps alone, bot attacks increased by 2087% between January 2023 and January 2024.
The most likely folks falling prey to these attacks are people between the ages of 51 and 60.
Essentially, any app that facilitates in-app communication can be used as a smishing vehicle. Additionally, attackers looking to target individuals from specific organizations can seek them via those apps.
A new form of smishing is romance scams, including its more sinister subcategory of “pig butchering.”
A romance scam is any scam that extracts payment from a victim through a romantic pretext. This can occur in many forms, such as:
The unflattering term “pig butchering” refers to a highly sophisticated, long-term attack where the hacker uses social engineering to “build a relationship” with the victim through text messages. The hacker will likely use AI-crafted text messages for additional believability, as well as AI-generated images.
While these attacks often happen on dating apps, they are not exclusive to those platforms. Hackers will sometimes send an SMS or WhatsApp message purportedly intended for someone else, such as:
If someone responds in any way, the scammer usually apologizes and tries to continue the conversation. The victims believe they’re speaking with a genuine person. Once enough trust is earned, the attacker can either convince the victim to give them money, engage in gift card scams, or “invest” in crypto.
This type of scam works best if the hacker already has some personal information about the victim, which can be obtained through social media or other data breaches.
While smishing seems like a purely personal risk, the hazard can easily extend to organizations. Smishing can lead to device, business, and account compromises.
In highly targeted attacks, a hacker might send the victim to a portal that purports to be a login page for the company network. However, even untargeted attacks can create organizational risk. Many employees reuse passwords, which means that a hacker who steals a victim’s social media credentials may unexpectedly strike gold and gain access to that person’s business accounts as well.
BEC-style smishing attacks may be aimed at someone who can release funds from a business. Romance scams and pig butchering often target executives or high-profile politicians, which can lead to important information being divulged.
So what is the solution to this growing problem? Mobile MDR (managed detection and response) is an essential service for businesses, offering the same first-class protection capabilities for mobile devices that have long been available for desktop computers. Mobile MDR does this without sacrificing user privacy.
SolCyber’s mobile MDR solution protects you from smishing and other zero-day threats on iOS and Android devices, offering 24/7 monitoring, cross-platform defense, and secure BYOD support.
Organizations must be prepared for the risks that mobile devices pose. Businesses should engage in the same cyber resiliency for these devices as they do with their own infrastructure.
To learn more about how SolCyber can help you with mobile protection, check out our Mobile MDR services page.