How to Prevent Smishing: 7 Best Practices

Learn how to prevent smishing with these 7 best practices. Your ultimate guide to how smishing works, what attacks look like and how to protect your business.

What is smishing?

Smishing is a form of phishing where attackers send fraudulent SMS messages to trick users into revealing sensitive information.

This information could be things like personal details, passwords, or financial data.

Smishing attacks will often impersonate trusted organizations like banks, delivery services, or government agencies to make the message appear more convincing.

The end goal is usually to either steal data or install malware on a user's device.

Key smishing statistics to be aware of

  • Only 23% of users over 55 can correctly define smishing, while 34% of millennials know the term.
  • In one Lloyds TSB Study, only 18% of participants could correctly identify fake emails and texts.
  • 17% of enterprise users encountered phishing links on their mobile devices.
  • Smishing attacks surged 328% in 2020. In just one year, 76% of businesses were targeted by smishing attacks.
  • Only 32% of organizations offer smishing simulations.
  • Source: Keepnet

How does smishing work?

Attackers make initial contact via SMS

  • Smishing attacks start with an SMS message.
  • Attackers create messages that appear to come from trusted organizations.
  • These messages are generally designed to exploit trust and often create a sense of urgency.
  • Example message: “Your account is locked. Click this link to unlock it.”

Messages contain malicious links or requests

  • SMS messages sent by attackers typically contain a malicious link or ask the recipient to reply with personal information.
  • Clicking on the link usually leads to a fake website mimicking a legitimate service.
  • Victims are prompted to enter sensitive data, such as login credentials, banking information, or two-factor authentication codes.

Social engineering tactics are used to trick targets

  • Smishing relies heavily on social engineering techniques.
  • Attackers use psychological manipulation to pressure victims into taking action quickly.
  • The quicker someone acts, the less likely they are to scrutinize the suspicious message.
  • Messages often use fear or urgency to bypass typical cautionary steps.
  • Example: “If you don’t act in the next 24 hours, your account will be suspended.”

Gaining access or deploying malware

  • Stealing credentials: Threat actors gain unauthorized access to corporate systems or personal accounts.
  • Deploying malware: Malware can be installed on mobile devices, giving attackers control over the device and access to corporate emails or confidential data.
  • Exposing victims to other risks: Targets may also fall victim to network infiltration, intellectual property theft, or compromise of sensitive data.

Why are smishing attacks particularly effective?

  • People generally trust SMS messages: We tend to trust text messages more than emails. This means that we're less likely to be cautious about potential threats.
  • High open rates: SMS messages have a much higher open rate than emails. And the higher the number of employees seeing a message, the greater the chances of engagement with the malicious content.
  • Urgency and fear: Attackers often use urgency (e.g. "act now" messages) to create panic, pushing recipients to act without thinking critically. People are also less likely to check URLs when receiving a text message, whether because of the small screen size or because they are more likely to be out and about.
  • Bypassing security: Mobile devices often lack advanced security tools like anti-phishing filters, making smishing easier to execute. It also doesn't help that for most businesses, employees will be using their personal devices.

Types of smishing scams your employees should know

Employees might receive SMS phishing messages targeted at your organization, such as:

  • Fake vendor invoices: Attackers pose as trusted vendors, sending fraudulent invoices via SMS to trick employees into making payments to fake accounts.
  • Executive impersonation: In whaling phishing attacks, scammers pretend to be company executives, requesting immediate actions like financial transfers or confidential data disclosure.
  • IT support scams: SMS messages claiming to be from the internal IT team, asking employees to reset passwords or click on phishing links under the guise of system updates.
  • HR or payroll scams: Fake messages requesting employees update personal or payroll information.
  • Business service updates: Impersonating cloud service providers or software vendors, attackers prompt employees to click on links to "update" company systems, leading to malware installation.
  • Banking alerts: Fake messages claiming issues with bank accounts, requesting personal information or urging users to click on fraudulent links.
  • Delivery notifications: Scams mimicking delivery services like FedEx or UPS, asking for confirmation of delivery or customs fees via phishing links.
  • Tax refunds or payment requests: Impersonating government agencies (e.g., IRS) offering refunds or asking for payments.
  • Fake two-factor authentication (2FA) requests: Malicious actors pretending to be legitimate services requesting 2FA codes for unauthorized account access.
  • Prize or lottery scams: Fake messages about winning a prize or lottery, leading to fraudulent websites requesting personal information.

Smishing examples

European Central Bank (ECB)

In 2019, the ECB fell victim to a targeted smishing attack that led to a data breach, affecting over 481,000 email addresses, contact details, and website subscriber data.

UK financial firms

Several financial institutions in the UK reported smishing attacks in 2020, resulting in £2 million in losses as attackers impersonated legitimate organizations to steal personal data and access customer accounts.

Metro Bank (UK)

In 2019, attackers used SMS phishing to intercept two-factor authentication (2FA) codes sent to customers, gaining access to their accounts.

Australia Post

In 2021, attackers sent fake SMS messages to customers, claiming delivery issues and directing them to malicious links.

This led to data theft affecting thousands of individuals.

Smishing red flags employees should watch out for

Urgency: Messages claiming urgent action is needed.

Unfamiliar senders: Texts from unknown numbers claiming to be trusted entities.

Suspicious links: Messages containing shortened or strange URLs that prompt you to click.

Requests for personal information: Legitimate companies won’t ask for sensitive data over text.

Spelling errors: Smishing attempts may contain grammar or spelling mistakes.

Unsolicited messages: Unexpected messages asking for action, especially if you weren’t expecting a message from the company or service.

Generic greetings: Use of non-personalized greetings like “Dear Customer” rather than your name.

Promises of rewards or free offers: Claims of winning a prize or offer that seem too good to be true.

Verification requests: Requests to confirm sensitive information like passwords or PINs.
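The red flags above translate directly into a simple detection heuristic that a mobile security or abuse team could run over reported messages. The Python scorer below is an added example, not Hoxhunt's code or part of the original article: its keyword lists, weights and threshold are assumptions, and the sample messages are constructed (the first reuses the article's own example wording).

```python
import re

# Each red flag from the list above becomes a keyword check. The keyword sets,
# weights and threshold are assumptions made for this example, not a vendor rule set.
KEYWORD_FLAGS = [
    ("urgency", ["urgent", "immediately", "now", "within 24 hours", "suspended", "locked"]),
    ("requests_sensitive_data", ["password", "pin", "verification code", "2fa", "ssn"]),
    ("generic_greeting", ["dear customer", "dear user", "dear client", "valued customer"]),
    ("reward_offer", ["won", "winner", "prize", "lottery", "free"]),
]
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
URL_RE = re.compile(
    r"(?:https?://|www\.)\S+"
    r"|\b[\w-]+(?:\.[\w-]+)*\.(?:com|net|org|ly|co|gd|info|xyz|top)\b(?:/\S*)?", re.I)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WEIGHTS = {"urgency": 2, "requests_sensitive_data": 3, "generic_greeting": 1,
           "reward_offer": 2, "unfamiliar_sender": 1, "suspicious_link": 3, "contains_link": 1}
THRESHOLD = 4  # a score at or above this is treated as likely smishing

def _has_word(text, terms):
    # Whole-word match so that "now" does not fire on "known" or "free" on "freedom".
    return any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms)

def _host(url):
    # Strip scheme/www and path, leaving the bare host for shortener and IP checks.
    return re.sub(r"^(?:https?://|www\.)", "", url, flags=re.I).split("/")[0].lower()

def classify_sms(text, known_sender=False):
    """Return the red flags found in an SMS body, a weighted score and a verdict."""
    t = text.lower()
    flags = [name for name, terms in KEYWORD_FLAGS if _has_word(t, terms)]
    if not known_sender:
        flags.append("unfamiliar_sender")
    hosts = [_host(u) for u in URL_RE.findall(text)]
    if any(h in SHORTENERS or IP_HOST_RE.match(h) for h in hosts):
        flags.append("suspicious_link")   # shortened or IP-literal link
    elif hosts:
        flags.append("contains_link")     # a link on its own is only a weak signal
    score = sum(WEIGHTS[f] for f in flags)
    return {"flags": flags, "score": score, "likely_smishing": score >= THRESHOLD}

# Constructed sample messages; the first reuses the article's example wording.
SAMPLES = [
    ("Your account is locked. Click this link to unlock it: bit.ly/x7Qz", False),
    ("Dear Customer, you have won a prize! Confirm your PIN at http://198.51.100.7/claim", False),
    ("Hi Maria, your dentist appointment is tomorrow at 10:00. Reply STOP to opt out.", True),
]

for body, known in SAMPLES:
    print(classify_sms(body, known_sender=known)["likely_smishing"], "<-", body)
```

A keyword scorer like this is a triage aid, not a replacement for user reporting: legitimate alerts also use urgency, so the threshold should be tuned against real reported messages.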


7 Best practices for preventing smishing

1. Implement mobile security policies

  • Implement Mobile Device Management (MDM) solutions to secure company devices from smishing attacks.
  • MDM solutions allow you to manage, monitor, and secure employee devices accessing company systems.
  • Enforce measures like encryption, antivirus software, and the use of secure apps on connected devices.
  • Enforce automatic updates to protect against known vulnerabilities and threats.
  • Make sure all devices are password-protected and connect only to secure networks.
  • Block unauthorized apps.

2. Monitor and filter messaging services

  • Use spam filters and content monitoring tools to block fraudulent messages, malicious text messages, and scam messages sent to mobile channels.
  • Partner with telecom providers to identify and block phishing text messages and message scams targeting cell phones.

3. Protect company data and systems

  • Prohibit employees from sharing confidential business information through messaging services or other forms of communication unless verified as a legitimate communication.
  • Limit access to sensitive systems using layers of security, such as firewalls, anti-malware software, and restricted administrative permissions.

4. Create a culture of cybersecurity awareness

  • Build a culture of cybersecurity awareness through comprehensive cybersecurity awareness training.
  • This includes regular updates on common smishing scams, smishing schemes, and emerging types of attacks that could target your organization.

5. Encourage vigilance against social engineering attacks

  • Train employees to recognize warning signs of deceptive text messages, such as urgent messages claiming suspicious account activity, bogus confirmation requests, or promotional offers that appear to come from reputable sources.
  • Emphasize that legitimate businesses, including financial institutions, delivery companies, and credit card companies, will not ask for sensitive banking details or verification codes via text.

6. Strengthen authentication measures

  • Require multi-factor authentication (MFA) for access to sensitive systems.
  • Avoid relying on SMS-based MFA, as it can be compromised by phishing scams targeting mobile phones.

7. Employee awareness and training

  • Educate employees on SMS phishing attacks, highlighting how these attacks exploit human vulnerabilities through psychological tactics.
  • Conduct phishing simulations to teach employees to recognize suspicious text messages (note: not all solutions will offer this).
  • Emphasize the importance of verifying messages from trusted companies and avoiding sharing Social Security Numbers, bank balances, or other sensitive details via mobile communications.

How Hoxhunt trains employees on smishing prevention

Now that you know the dangers of smishing, what can you do to mitigate risk from these types of attacks across hundreds or thousands of employees?

With Hoxhunt, employees can report suspicious SMS messages with the Hoxhunt iOS reporting app, available on the Apple App Store.

Once employees download and log in to the app, they'll simply click the native 'Report Message' link, shown when receiving a text from a new phone number.


Once reported, Hoxhunt sends a push notification telling the employee whether the reported message was a Hoxhunt SMS simulation or a potentially malicious text message.


In the case the reported message was a Hoxhunt SMS simulation, employees earn stars for recognizing the simulated attack.

Tapping the push notification opens a micro-training, allowing them to earn an additional star.


In the case the reported message was not a Hoxhunt SMS simulation, tapping the push notification provides the employee with an AI-powered analysis of the message, with instant feedback about potentially malicious indicators and helpful next steps.


From there, all SMS user reports are logged in Hoxhunt alongside reporting analytics from other simulations and real threats, so you have a full picture of each employee's risk level and performance over time.

Training employees to identify and report suspicious text messages will keep your workforce vigilant while increasing your visibility into the threats your employees are facing on a day-to-day basis.

Unlocking metrics around smishing enables you to make more informed decisions about the threat that it poses to your organization.

Note: Hoxhunt SMS reporting is in Limited Early Access. To learn more, ask your Customer Success Manager or schedule a demo with Hoxhunt today.

Sources

Smishing Statistics 2023: The Latest Trends and Numbers in SMS Phishing – Keepnet Labs
European Central Bank Breach: ECB Confirms Hack and Shuts Down Website – Forbes, August 2019
70% of UK Finance Industry Hit with Cyber Attacks in 2020 – Information Security Buzz, 2020
UK’s Metro Bank Hit by SS7 Attack – FinTech Futures, February 2019
Mail Disruption Creates FluBot Opening – Information Age, 2021
5 Smishing Attack Examples Everyone Should See – SecureWorld
