Attackers typically target consumers with malicious text messages containing obfuscated links, but experts say businesses are threatened as well.

Some phishing scams lead to realistic, yet fake, notices. Source: Proofpoint

As the holidays approach, the volume of short message service (SMS) phishing has almost doubled from the same period in the prior year, continuing a trend of SMS-text phishing growing as a vector to attack mobile users and their devices, messaging-security firm Proofpoint stated in a blog post on Nov. 23. 

In the first half of 2021, global reports climbed by 270% compared to the same period in 2020. While the recent surge is almost entirely aimed at consumers, those attacks can easily cross over to business systems, especially as many employees are working remotely and from their own devices, according to Proofpoint. 

SMS phishing is also only the initial attack vector. Many attackers install malware on target devices after a successful compromise, says Jacinta Tobin, global vice president of Cloudmark operations at Proofpoint.

"Smishing attacks are becoming more sophisticated and there are other attacks using malware which can control significant device functionality," she says. "These sophisticated smishing and malware attacks pose serious risks to mobile users and open the door to enterprise-type attacks."

The end of the year has become an annual focus of attackers aiming to profit in some way from the massive economic activity that accompanies the holiday season. In the past, the most common tactics included unsolicited email messages or advertising fraud.

Use of text messages as a phishing vector has become more popular because it is effective. Text messages have a 98% open rate, and 90% of messages are opened in the first three minutes, according to Proofpoint. Further, the success rate — as measured by the proportion of users that click through to an attacker's page — is eight times that of email phishing.

Attackers are also using databases of stolen or purchased subscriber information to personalize text messages, adding first names and other details to make the text more convincing, Tobin says.

"Historically, spelling mistakes and suspect websites were tell-tale signs of a scam," she says. "Attackers are now increasingly more sophisticated and use social engineering techniques to trick."

On the consumer side, SMS scams are financially motivated and aim to collect either credentials or credit card account information. Most involve a fake package delivery notification, ask for a credit card to claim the delivery, or send victims to a website where the attackers can collect the victims' credentials. Attackers also occasionally offer discounted or free products if the victim fills out a survey, and request credit card information at the end of the process.

"Holiday scams and smishing are really about getting money," Tobin says. "There is a considerable market for credential information on the Dark Web and fundamentally the attackers are driven by financial motives."

Consumers should look out for suspicious messages that may describe packages they did not order or transactions they never conducted, she says. Mobile users should always avoid downloading and installing software that they did not specifically request.

Businesses should worry as well. More than 60% of companies around the world, and 81% of US companies, have been attacked through smishing, Proofpoint says. A third of companies saw more than 10 smishing attacks in 2020, according to the company's "2021 State of the Phish" report.

Further, consumer devices are often used for business reasons and may have access to the corporate network, making attacks against mobile users problematic. Any mobile device that is compromised could leak sensitive business intelligence or allow access to the business' internal network.

While many significant steps to combat smishing remain outside most businesses' purview, both security training and deployment of multifactor authentication can reduce the threat that phishing attacks pose. Security training makes employees more suspicious of messages coming through SMS channels, and multifactor authentication prevents attackers from gaining access with a simple username and password.

Industries can step up to help as well. Mobile network operators should collaborate with government and industry groups to find ways to block massive phishing campaigns, Tobin says. Mobile phone and device makers can improve user interfaces to provide better signals of messages' legitimacy and ease the reporting of text-message abuse, she says.

While holiday-themed smishing has surged, the increase in SMS attacks over the past year is likely driven by the increase in COVID-themed SMS scams. Text messages leading to fake pages purporting to be the Internal Revenue Service, Federal Emergency Management Agency (FEMA), or other government agencies have become common.

"Scammers can use links in text messages to install malicious code on your phone or launch a phony webpage to collect personal, health insurance, or financial information for use in other scams," the US Federal Communications Commission stated in an August advisory. "COVID-19 text message scams offer cures, warnings about the need for a test, or 'special offers.'"

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
