
The rise of ‘smishing’ attacks and how to avoid them

Phishing attempts delivered via SMS messages to mobile devices have been dubbed ‘smishing’, and they are on the rise.

31 March 2022 

A survey carried out by Check Point Research (CPR), the Threat Intelligence arm of Check Point Software, has revealed that in the past year, almost half (49%) of organisations worldwide were unable to detect an attack or breach on employee-owned devices.

Any notion that hybrid working and a BYOD (bring your own device) culture were simply part of a temporary response to the COVID-19 pandemic can now also be laid to rest. In data published as recently as February 2022, Statista reported that 30% of the world’s workforce now work exclusively from home. 

The same survey indicated that about 60% of companies were now actively facilitating hybrid working, giving employees the freedom to choose where they log on. But how many of these businesses are fully prepared for the security demands of a truly mobile workforce?

Check Point analysts saw some concerning developments in the mobile threat landscape throughout the past year. The report referenced NSO’s Pegasus, notorious for its ability to gain full control of iOS and Android devices via an elaborate zero-click exploit.

NSO, the group responsible for the spyware, is currently one of the highest-profile vendors of “access-as-a-service” malware, selling packaged hacking solutions that enable affiliate threat actor groups to target mobile devices without the need for homegrown resources. In 2019, Pegasus was used to leverage WhatsApp and infect more than 1,400 user devices, from senior government officials to journalists and even human rights activists.

Another worrying trend the Check Point analysts have witnessed is a rise in SMS phishing or "smishing" attempts. Using SMS messages as an attack vector may seem rudimentary but, as with email phishing, it’s still disconcertingly effective. 

In the report, the analysts noted that the FluBot botnet had made a return in 2021 despite being dismantled by authorities earlier in the year. It sent users convincing security update warnings, parcel delivery alerts and voicemail notifications, each carrying a link that would infect the device if clicked.


The Australian Cyber Security Centre (ACSC) has outlined three things businesses can do to safeguard those working from home:

Beware of scams: Cybercriminals see a crisis as an opportunity. Major change brings disruption, and businesses transitioning to working from home arrangements can be an attractive target.

Use strong and unique passphrases: Strong passphrases are your first line of defence. Enable a strong and unique passphrase on portable devices such as laptops, mobile phones and tablets.

Implement multi-factor authentication: Multi-factor authentication (MFA) is one of the most effective controls you can implement to prevent unauthorised access to computers, applications and online services. Using multiple layers of authentication makes it much harder to access your systems. Criminals might manage to steal one type of proof of identity (for example, your PIN) but it is very difficult to steal the correct combination of several proofs for any given account.

Update your software and operating systems: It is important to allow automatic updates on your devices and systems like your computers, laptops, tablets and mobile phones. Often, software updates (for operating systems and applications, for example) are developed to address security issues. Updates also often include new security features that protect your data and device.
