In the mid-1990s a devious, pioneering hacker put into motion an idea that has (by now) touched almost everyone who has an email account. The idea was to email members of the online service AOL with a message that claimed to be from an AOL employee who needed certain confidential information, such as the member's password or payment information. As early as 1995, the problem grew big enough to draw the attention of then-President of AOL, Steve Case. Phishing had been born, and was officially "on the radar" of its first group of victims.
The advice circulated by AOL at the time, "under no circumstances will anyone from AOL ever ask you for your password," eventually became a common refrain from all manner of companies. Banks, webmail/email providers, insurance companies, and just about anyone running a website that handles your confidential information now promise that any request for your password cannot possibly be legitimate.
Fast forward to 2020, and it's hard to find anyone who hasn't fallen victim to a phishing attack, and rarer still to find someone who hasn't at least received (and avoided) an attempt.
Now that phishing is common lingo, and now that cybersecurity tools exist to combat it (see Mail Armor from Havoc Shield), awareness is at an all-time high about the nature of phishing attacks and the tools and tactics to avoid them. Yet, according to APWG, this year is on track to be the most problematic ever -- with 165,772 known phishing sites (sites that phishing emails attempt to get you to visit), up from 162,155 at the end of 2019. The need for increased awareness and improved tooling and training to combat phishing has never been higher.
Bad news. As if using email to impersonate an employee of a financial institution or other similarly trusted entity wasn't brazen enough, hackers have set their sights on the next frontier: SMS.
"Smishing" is on the rise. It is an adaptation of phishing, performed via SMS (text message) rather than email. Particularly troubling is the fact that the average professional receives fewer SMS text messages than emails, and from a smaller circle -- often creating a subconscious bias that messages received via SMS are less likely to come from outside an inner circle of friends or colleagues. The potential for harm is enormous.
Let's raise our game around the typical contents of a smishing message. Here are messages that our team at Havoc Shield has recently encountered, which are representative of the typical types of smishing attempts in current circulation.
These examples include some of the classic phishing attacks, adapted to mobile form: attempts to get you to view an "alert" related to your account, attempts to get you to dial a phone number to receive a message, and an indication that your account has been locked and that you need to take some particular action to resolve it. All fraudulent. All delivered to the palm of your hand via SMS. And all very actionable -- given that most of the ways we view SMS messages on mobile automatically make links and phone numbers clickable (normally a wonderful convenience, but a terrible coincidence for a smishing victim).
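The three lure types above (an account "alert" with a link, a number to call back, and an account-locked notice) can be screened for with a simple scoring heuristic. The script below is an added example, not Havoc Shield's code or tooling; the sample messages are constructed, not real captured texts, and the keyword lists and threshold are assumptions a defender would tune for their own traffic.

```python
import re

# Constructed sample texts modelled on the three lure types described above
# (account alert with a link, a number to call back, an account-locked notice)
# plus three benign messages. None are real captured SMS.
SAMPLE_MESSAGES = [
    "ALERT: Unusual sign-in on your account. Review now: http://example-bank-verify.test/a1",
    "Your voicemail is waiting. Call +1-555-010-0199 now to retrieve your message before it expires.",
    "Your account has been locked. Verify your identity within 24 hours at http://secure-login.example/unlock",
    "Hey, running 10 min late, see you at the cafe",
    "Your package was delivered. Thanks for shopping with us!",
    "Reminder: dentist appointment Tuesday 3pm. Reschedule: https://calendar.example/r",
]

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")  # loose: 9+ digit-like characters
# Lure vocabulary as word-bounded regexes (assumed lists), matched on lowercased text.
LURES = {
    "account alert/lock language": (r"\blocked\b", r"\bsuspended\b", r"\bunusual\b", r"\balert\b"),
    "credential/verification lure": (r"\bverif", r"\bconfirm", r"\bpassword\b", r"\bsign[ -]?in\b", r"\blog[ -]?in\b", r"\bidentity\b"),
    "urgency": (r"\bnow\b", r"\bimmediately\b", r"\bwithin \d+ hours?\b", r"\burgent", r"\bexpir"),
}
DIAL_IN = (r"\bcall\b", r"\bdial\b", r"\bvoicemail\b")


def has_any(text, patterns):
    return any(re.search(p, text) for p in patterns)


def score_sms(text):
    """Return (score, reasons). Heuristic only: a higher score is more smishing-like."""
    t = text.lower()
    has_url = bool(URL_RE.search(text))
    has_phone = bool(PHONE_RE.search(text))
    reasons = ["contains link"] * has_url + ["contains phone number"] * has_phone
    reasons += [label for label, pats in LURES.items() if has_any(t, pats)]
    if has_phone and has_any(t, DIAL_IN):
        reasons.append("asks you to dial a number")
    # A clickable target (link or number) paired with lure language is the
    # combination the post warns about, so that pairing is weighted extra.
    score = len(reasons) + (2 if (has_url or has_phone) and len(reasons) >= 3 else 0)
    return score, reasons


def is_suspicious(text, threshold=3):
    return score_sms(text)[0] >= threshold


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("SUSPICIOUS" if is_suspicious(msg) else "ok        ", score_sms(msg), msg[:45])
```

A link or phone number on its own (the dentist reminder) scores below the threshold; it is the pairing with alert, verification or urgency wording that pushes the three lure messages over it.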
With phishing on the rise and smishing just getting started, it appears that we're headed in a direction where both technology and awareness to combat this type of impersonation attack will be needed for the long run. The team at Havoc Shield stands ready to help -- feel free to ease into our platform by trying out our Rapid Threat Test, or get in touch to walk us through your particular concerns and discuss ways to improve your cybersecurity posture.