“Smishing”—an Emerging Threat

Small businesses, organizations, and consumers are experiencing a growing risk from a form of
cyberattack known as “smishing.” This method uses SMS/text messaging to prey on unsuspecting users,
employing many of the same techniques that phishing uses through email systems. This type of attack
poses an increasing threat to businesses and organizations as greater numbers of employees use phones
and other personal devices to access business systems and data.

Much like a phishing attack, these text messages often appear to be from legitimate organizations such
as utility companies, delivery services, government agencies, or medical services such as contact tracing.
The messages often include links that download malware or attempt to collect personal and private

SMS is becoming a more attractive option for hackers for several reasons. For one, open rates for SMS
messages average 98%, as opposed to emails, which average around 20%. Since up to 90% of emails can
be spam, compared to 1% of text messages, hackers use the higher rates of trust and engagement to
their advantage. The small screen, the reduced amount of text, and the lack of a hover feature make links more
difficult to verify before clicking.

Since smishing takes place outside of the systems and processes that are normally protected by a robust
information security program, risk mitigation in this area can be challenging. The most important tool in
fighting these attacks is education and awareness. Training can help employees to recognize smishing
messages and avoid common strategies that hackers use to lure victims into clicking on links or replying
to texts. Policies that define how personal devices can be used in work-related scenarios and effective
access control are also necessary. In a worst-case scenario where a cybercriminal manages to capture a
user name and password, two-factor authentication offers an additional degree of protection.

If your company or organization routinely sends out SMS/text messages, it is also important to consider
how your policies surrounding this form of communication affect your clients. In order to help
customers recognize legitimate messages from you, use one consistent Sender ID rather than a
bare numeric sender. It is a good idea to avoid using web links in your messages, but if you must, using the
complete URL, rather than a shortened version, helps in verifying the legitimacy of the link.
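The sending guidance above can be turned into a simple outbound-message policy check. The following is an added example, not code from the original article or from Asteros; it assumes a hypothetical approved Sender ID (`EXAMPLECO`), hypothetical approved link hosts (`example.com`), and a constructed list of common URL-shortener domains. It flags messages that use a numeric or unapproved sender, a shortened link, a link to a host outside the approved set, or a link that is not HTTPS, so that anything a customer could not easily verify is caught before it is sent.

```python
import re
from urllib.parse import urlparse

# Assumed policy values for the sending organization (hypothetical, not from the article).
APPROVED_SENDER_ID = "EXAMPLECO"
APPROVED_LINK_HOSTS = {"example.com", "www.example.com"}

# Constructed list of well-known URL-shortener hosts; extend to match your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "buff.ly", "cutt.ly"}

# Matches http(s):// links and bare www. links in free text.
URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"\']+', re.IGNORECASE)


def extract_urls(body):
    """Return every link-like token in the message, with trailing punctuation removed."""
    return [m.group(0).rstrip(".,;:!?)") for m in URL_RE.finditer(body)]


def _hostname(url):
    """Hostname of a link, treating scheme-less 'www.' links as http so urlparse sees a netloc."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_outbound_sms(sender_id, body):
    """Return a list of policy findings for one outbound message; an empty list means compliant."""
    findings = []

    # Customers are told to expect one consistent alphanumeric Sender ID, so anything
    # else (a bare phone number or an unapproved label) is flagged.
    if sender_id.isdigit():
        findings.append(f"numeric sender ID used: {sender_id}")
    elif sender_id != APPROVED_SENDER_ID:
        findings.append(f"unapproved sender ID: {sender_id}")

    # Links are discouraged; if present they must be full HTTPS URLs on approved hosts.
    for url in extract_urls(body):
        host = _hostname(url)
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link: {url}")
        elif host not in APPROVED_LINK_HOSTS:
            findings.append(f"link to non-approved host: {url}")
        elif not url.lower().startswith("https://"):
            findings.append(f"link not using https: {url}")

    return findings


def audit_messages(messages):
    """Run the check over (sender_id, body) pairs; returns {body: findings} for non-compliant ones."""
    return {body: f for sender_id, body in messages if (f := check_outbound_sms(sender_id, body))}


if __name__ == "__main__":
    # Constructed sample messages: one compliant, three that violate the sending policy.
    samples = [
        ("EXAMPLECO", "Your statement is ready: https://www.example.com/account"),
        ("12345", "Your package is held. Confirm at http://bit.ly/abc123"),
        ("EXAMPLECO", "Update your details at www.example-co-support.net/verify now."),
        ("EXAMPLECO", "Log in at http://example.com/login to continue."),
    ]
    for body, findings in audit_messages(samples).items():
        print(f"BLOCKED: {body!r}")
        for finding in findings:
            print(f"  - {finding}")
```

The same check works as a screening aid for awareness training: running suspicious inbound texts through it shows employees concretely which features (a phone-number sender, a shortened or look-alike link) make a message hard to verify.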

Asteros Cybersecurity Services provides employee training programs that can help your business or
organization to avoid these pitfalls. To get started, check out our free, no-strings-attached Attack
Surface Audit.