Text-based 'smishing' attacks are ramping up

Wireless providers, security experts, and regulators ranging from the Federal Trade Commission to various state agencies have been warning anyone who will listen that spam is out of control—not that it should come as much of a surprise to anyone with a cell phone. Alongside the rise in regular phishing attempts via phone and email, the coronavirus pandemic and its attendant mass switch to remote work have resulted in an explosion of SMS-based scams known by the irritating moniker “smishing.”

Some quick stats:

• Data from anti-spam firm Teltech shows 11.6 billion scam texts were sent over US wireless networks in March 2022, an increase of 30% from the month prior.
• According to Robokiller, the average US mobile customer got 42 scam texts in March.
• Instances of text-message fraudreported by consumers to the FTC rose from roughly 335,000 to 370,000 from 2020 to 2021, with reported losses rising from $86 million to $131 million.
• The median amount reported lost to any given SMS-based scam rose from $800 to $900 year over year during the same time period.

Smishing is hardly new, but more sophisticated variants, such as the boss text scam—in which attackers spoof a manager’s number to trick a subordinate into purchasing gift cards or transferring cash—are increasingly a security concern for organizations. Targeting employees on their personal devices helps bypass whatever security protections might be in place on employer-run systems.

In another bizarre escalation of smishing techniques, Verizon customers recently reported receiving scam texts sent from their own numbers (the service provider blamed “bad actors”).

Tough times, easy money

According to Mark Lanterman, the chief technology officer of Computer Forensic Services, smishing attacks tend to be simple and profitable because targets often don’t bother to take basic precautions.

“One reason why we’re seeing the rise in this type of attack is because it's effective,” Mark Lanterman told IT Brew. “And it makes these attackers a lot of money.

“Secondly, I think that we, as consumers, have become a little complacent…We think it’ll never happen to us, and then when it does, we’re, you know, we’re outraged, even though we didn’t bother to follow even the simplest security precautions,” Lanterman said.

Independent security researcher Darren Martyn wrote in an email to IT Brew that smishing is now “a lot easier to pull off than email-based phishing,” where providers can offer anti-spoofing protections such as Sender Policy Framework, DomainKeys Identified Mail, and Domain Message Authentication Reporting & Conformance. Meanwhile, bulk SMS is cheap and does not really have any built-in mechanisms to verify the authenticity of the sender.

“Mobile carriers also generally don’t do any real spam filtering or anything on SMS, so you are virtually guaranteed delivery,” Martyn wrote. Smishers using spoofed numbers have several other advantages, Martyn said, including that bogus messages are appended to the end of pre-existing chat threads and the ubiquity of shortened URLs on mobile devices.

“People get used to clicking shit they get in texts,” Martyn wrote. He cautioned, it is relatively simple for attackers to gather the information they need to pull off targeted scams like fake boss texts. Leaked or scraped databases, including marketing and sales lead databases, LinkedIn profiles, and corporate directories, are often “already collated nicely” and can help map out organizational charts that show which staff report to which managers. Collecting the data and linking it together is “not particularly hard to automate,” Martyn added, such as with with the aid of software tools originally designed for market research.

“Some attackers are going full automated, kind of shotgun approach to this, while others are doing more manual, hands-on, targeted scamming,” Martyn wrote. “Much like with email scams targeting businesses with false invoices.”

According to Martyn, some of the largest smishing cash grabs he’s witnessed have been social-engineering scams targeting cryptocurrency investors. While the rest tend to be “wide net” operations intending to pocket “relatively small amounts of money or data from lots of people,” higher-tier threats “absolutely” use smishing to target organizations, he added.

Lanterman said that while SMS alone rarely results in tremendous scores for cybercriminals, multi-vector attacks such as utilizing fake emails in conjunction with the texts have been disastrous. In one 2016 incident, an accounts-payable coordinator at Maple Grove, Minnesota-based Upsher-Smith Laboratories wired over $50 million to scammers posing as the company’s CEO, triggering an unpleasant series of legal battles.

How to not get smished

Lanterman and Martyn agreed that there are two main steps organizations can take to protect themselves from SMS attacks. First, they need to minimize their exposure to insecure employee cell phones by using employer-provided devices.

“It is an initial up-front cost, but the separation between work [devices] and personal [devices] makes security a lot easier to balance with privacy,” Martyn wrote.

Second, organizations should take the initiative to give their workforces training on basic security practices, such as how to recognize a scam text. For example, Lanterman emphasized the power of simply verifying a text comes from the listed sender.

“The takeaway is, don’t trust instructions that you receive in an email or in a text message,” Lanterman told Morning Brew. “If you’ve asked for anything of value, like money or confidential information, pick up the phone and confirm that.”

The situation is hardly “hopeless,” Lanterman added. “We’ve seen a lot of success coming from the well thought-out training programs. I think the best security dollar that an organization can spend is on training and just [making] their employees aware.”

“It’s easier to hack a person than it is to hack the technology,” Lanterman said. “I hate to quote that corny TV show, but we are the weakest link. And I think if organizations take a fraction of their IT security budget and rededicate that to educating their employees, letting them know what to look for, and most importantly, what do you do if you see it,” he said. “I think it’s important for all of us to remember is, whenever we gain a benefit, or convenience, from technology, we give up an equal or greater amount of security.”—TM