SMS-based phishing attacks are becoming more common, and these attacks can be particularly effective. SMS phishing – commonly referred to as smishing – is the use of SMS messages for delivering malicious URLs. There are several advantages of smishing over phishing. Most companies have email security solutions in place such as spam filters that can easily detect malicious emails, so many phishing emails will not reach end users. Smartphones tend to have fewer cybersecurity controls than computers, so malicious SMS messages are more likely to be delivered. Another reason why smishing attacks have a high success rate is employees tend to be aware of the risk of email attacks but are more trusting about SMS messages as security awareness training tends to focus on email phishing. Further, since smartphones are often accessed on the go, people can be distracted and click links without stopping to think.
Businesses are often targeted with smishing attacks as it is an easy way of getting phishing URLs in front of employees. One recent attack targeted Coinbase employees. Coinbase is one of the world’s largest cryptocurrency exchanges with more than 1,200 employees and more than 103 million users, which makes the company a big target for cybercriminals (although smishing attacks are conducted on companies of all sizes!).
In this attack, SMS messages were sent to employees using a common ruse – They were told they needed to log in urgently about a security issue. Virtually all Coinbase employees ignored the message, but one employee responded and entered their username and password on the phishing page. Smishing campaigns do not need to fool a lot of employees. They only need to fool one person. Coinbase was protected against smishing attacks to a certain degree, as the company had implemented 2-factor authentication, so while the attackers obtained a username and password, those credentials alone would not allow access to be gained to the user’s account.
However, smishing can be combined with voice phishing to get around 2FA and MFA protections. The attackers then called the employee and pretended to be from the Coinbase IT department, and provided the employee with instructions, which were followed, allowing the attackers to bypass the 2FA protection and log in to the employee’s workstation. In this attack, unauthorized access was rapidly detected by the IT team, as the remote access generated a security alert. Fortunately, the attack was thwarted before the threat actor was able to achieve very much, although, in the short time that access was possible, the attacker was able to steal some employee data, including names, email addresses, and phone numbers. Similar attacks have been conducted on companies that did not have 2FA protection, and many attacks have not been detected rapidly by security teams, allowing much more damage to be caused.
With smishing attacks increasing, businesses need to prepare and ensure they have appropriate defenses in place, which should include 2FA or MFA protection on all accounts. As the Coinbase attack demonstrated, 2FA/MFA alone is not sufficient. Whitelisting IP addresses is recommended, and security alerts should be set up and immediately followed up on by security teams.
Web filtering can provide some protection by restricting access to the websites that employees can access, thus preventing them from accessing the phishing URLs where credentials are harvested. Another important measure is to provide security awareness training to the workforce to ensure that employees are aware of smishing and voice phishing attacks. By raising awareness, employers can greatly improve protection against these attacks.
Give TitanHQ a call today to find out how web filter and security awareness training can improve your defenses against smishing, vishing, and other types of cyberattacks targeting employees.