You may have heard the term ‘phishing attack’ being bandied around a lot over the past few years, but despite this awareness within the tech world, it still remains one of the key ways companies fall victim to cybercrime each year.
But ‘smishing’ – SMS phishing – is the new kid on the block and is essentially the text message equivalent of phishing. It’s a cyber criminal’s sneaky way of trying to obtain sensitive data such as passwords and personal details, by masquerading as a legitimate company.
From banks and car insurance firms, to supermarkets and employers, smishing criminals take on many guises and are often trying to get you to complete an action – such as confirm bank details or claim tax relief – which will give them access to your private information.
So, that’s the ‘what’ out of the way, but how can you keep your data and devices secure?
Here, we explore the tell-tale signs of a fraudulent message and the long-term solutions for keeping your staff and organisation safe from potential attacks.
Educating your employees
We’ve authored many blogs about the crucial role your staff play in keeping systems safe from hackers’ phishing attempts, and this same theory applies to smartphones as it does to laptops or desktop computers.
However, simply telling your workforce about the threats which exist is only the tip of the iceberg – they need context and advice on the steps to take if they feel they’ve received a hoax text message or email.
Now, we’re not suggesting that every SME owner across the country can know about the latest cyber-attacks and data-interception techniques which exist – that’s your IT provider’s job – but what is important is that training is put in place to equip staff with the tools to recognise and combat such things in the office environment.
Giving relatable examples
At Q2Q, we leave out the technical jargon when we speak to our clients, because for one, it makes it more confusing and two, it’s not really necessary. And this same logic should be applied when communicating cyber threats with wider personnel too.
Let’s face it, if someone is explaining something that’s overcomplicated, it’s easy to switch off and let your mind wander to what you’re going to cook for tea, or what the weather will be like at the weekend – that’s why it should always be relatable!
Also, while it’s useful to show employees the types of smishing texts which can be sent, for instance, about outstanding TV licence payments, this is only one side of the coin. They need to be exposed to various smishing themes, so they have a greater flavour of what’s possible.
For instance, using the analogy of a car, if you have a flat tyre, you can fill this up with air to make the problem go away, but if your brakes need replacing, the same solution won’t be effective. And this is the same with fraudulent messages. The last thing employers want is their staff only being cautious about one type of text or email when, in reality, it could come masked as any company.
Spotting the tell-tale signs
Just like phishing emails, smishing messages carry indicators that help you judge whether they are legitimate. And while there are too many to count, here are some of the common ones to watch out for:
- How they address you: Are they addressing you by your name or other personalised information? If not, this should start to ring some alarm bells.
- The method of contact: Does your bank usually contact you by email? If so, be sure to question why you’ve instead received a text or phone call. The way brands communicate varies from one to the other, but if you know what ‘normal’ looks like, you have something to compare ‘out-of-character’ communications against.
- Spelling mistakes: These can be either within the subject line or the body of the message, and they’re usually a hint that it isn’t genuine, so keep your eyes peeled for typos!
- Urgency or scaremongering: This is the primary way smishing criminals try to get people to engage with their content, because they know that fear can cause people to act quickly and irrationally. Common messages claim there is an urgent issue with your account and that it will be blocked if you don’t sort it out immediately, or maybe you’re the lucky recipient of a prize you didn’t know about – either way, if it sounds too good to be true, it most likely is.
- Probing questions: Is the sender asking lots of personal questions or asking you to confirm sensitive information such as your address, bank details and telephone number? If so, these are unmistakeable red flags and such details shouldn’t be divulged.
- Directing you elsewhere: If the text or email you receive wants to send you to another website, this should be viewed with caution. Links within a message should never be clicked unless you’re 100% sure of the sender and you’re expecting it; otherwise this could be a decoy tactic to take control of your computer and harvest all the data stored on your machine. In fact, these days most banks ask recipients to refer to their website for further details and don’t include URLs within the emails themselves.
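As an added illustration (not part of the original post), here is a small Python function that turns the tell-tale signs above into mechanical checks and runs them over two constructed sample texts. The keyword lists, the recipient name and the placeholder domain are assumptions for the example, not a real detection rule set.

```python
import re

# Constructed indicator lists for this example; a real deployment would tune them.
URGENCY_TERMS = ("immediately", "urgent", "blocked", "suspended",
                 "within 24 hours", "act now", "prize", "you have won")
PROBING_TERMS = ("confirm your", "verify your", "bank details", "password",
                 "your pin", "date of birth", "card number")
COMMON_TYPOS = ("recieve", "acount", "verfy", "securty", "adress")
# Matches explicit links and bare domains such as www.example.com or bank.co.uk/x
URL_RE = re.compile(
    r"(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|co\.uk|net|org|info|xyz)\b/?\S*",
    re.IGNORECASE)


def smishing_indicators(text, recipient_name, usual_channel="sms"):
    """Return the tell-tale signs present in a text message.

    usual_channel is how the claimed sender normally contacts you; anything
    other than "sms" makes a text message an out-of-character contact."""
    lower = text.lower()
    flags = []
    if recipient_name.lower() not in lower:
        flags.append("not_addressed_by_name")
    if usual_channel != "sms":
        flags.append("unexpected_channel")
    if any(t in lower for t in COMMON_TYPOS):
        flags.append("spelling_mistakes")
    if any(t in lower for t in URGENCY_TERMS):
        flags.append("urgency")
    if any(t in lower for t in PROBING_TERMS):
        flags.append("probing_for_details")
    if URL_RE.search(text):
        flags.append("contains_link")
    return flags


def is_suspicious(text, recipient_name, usual_channel="sms", threshold=2):
    """Treat a message with two or more indicators as one to query with a manager."""
    return len(smishing_indicators(text, recipient_name, usual_channel)) >= threshold


# Constructed sample messages (not real SMS traffic); the domain is a placeholder.
SMISH = ("Dear customer, your acount has been suspended. Verify your bank details "
         "immediately at http://secure-login.bank.example/verify to avoid being blocked.")
LEGIT = "Hi Sarah, your dentist appointment is on Tuesday at 10am. Reply C to confirm."

if __name__ == "__main__":
    for msg in (SMISH, LEGIT):
        print(is_suspicious(msg, "Sarah"), smishing_indicators(msg, "Sarah"))
```

A bank that normally contacts you by email would be scored with usual_channel="email", adding the out-of-character contact flag the second bullet describes.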
Handling a smishing attempt
At the end of the day, don’t worry too much if you can’t tell if the text or email is fake or not, because these messages are designed to sound convincing and make users not think twice about their authenticity, but our message is to always question it and think again. But, if you’re not sure, sound it out with your manager.
Of course, smishing and phishing attacks can occur at any time of the day, week, month and year, but there are some key periods when communications are sent to try and hoodwink people. For instance, at Christmas you could receive hoax texts regarding missing the delivery of a parcel, and unpaid speeding tickets are a firm favourite around the time of submitting tax returns.
But, it’s important to remember that hackers prey on the vulnerability of users, and in the case of COVID-19, it’s no surprise that the number of HMRC scams has risen and cyberattacks as a whole have escalated during lockdown. That’s why it’s pivotal to always remain vigilant and if you’re unsure, raise your hand and sound it out with someone else.
Simulating cyber attacks
Here at Q2Q, we’re big believers in contingency planning, that’s why we offer an attack simulation service for companies. However, this isn’t to single anyone out as a weak link within the chain, it’s more of a tool for business owners to see where additional training and education is required, prior to the ‘real’ thing.
If your employees received a fake text or email from the MD, how many would open it? In truth, you can never be sure until you’ve tested the waters and have peace of mind that your team has received the appropriate training.
If you’d like to find out more about smishing or the cyber-attack simulation service we offer at Q2Q, please get in touch with our friendly team!