What you need to know about SMiShing to protect your business

Hackers are using text messages to steal credentials and other personal information.


SMiShing is a new attack vector that targets the victim’s cell phone through SMS messages. For the unfamiliar, SMS is the system used to send simple text, picture, and video messages. Phishing is a term used to describe fake emails that trick people into entering credentials like bank account info or a login password. Attackers are increasingly using the same tactics as phishing, but via text message instead of email.

The resulting combination is SMiShing: a strangely capitalized, slightly difficult-to-pronounce term that The Guardian calls a “rising threat for business owners.” How much of a threat is it? The FBI says it cost Americans $54 million in 2020 alone, with instances sharply increasing year-over-year. Most likely, these attacks are successful (and therefore increasing rapidly) because of the lack of awareness of their existence, leaving victims unprepared to defend against them. Businesses and Managed IT Services like amshot have been implementing training and helping employees guard against “typical” phishing for years now, and the average person is likely familiar with the term and has some basic knowledge of email safety. However, very few realize that the same tactics can be used against them on their own personal cell phone.

At a broad level, SMiShing texts attack using the same principles as phishing emails. Their primary goal is to have the victim enter sensitive data (or download malware) by pretending to be a trustworthy source. For example, the text may claim to be from your bank, asking you to log in to confirm a transaction. Or it could appear to come from your HR department, offering access to training sessions while sending you to a fake webpage that requests your work credentials.

Generally, SMiShing attempts, like phishing, will try to create a sense of urgency. An example might be: “Click here to login in the next 12 hours to confirm your expense report or you will lose access to financial reporting.” The goal is to get the victim to act without thinking about the legitimacy of the request.

The attacker has masked their true identity, created a fake webpage that probably looks identical to the real one, and then set a ticking clock to spur action. If you enter those credentials into the fake website, the attacker now has them and can wreak untold havoc.

Of course, the SMS may even just ask directly for credentials or sensitive information. With so much done on our phones these days, an unprepared victim may simply give the information right to the attacker without thinking. It’s important to always remember that institutions like banks (and pretty much everyone) will never ask for this information via text message.

For the more sophisticated attacks that more closely resemble phishing, the key to increasing defense is simply more awareness. The same smart practices that protect against phishing will help with SMiShing if people are aware they can be attacked this way and trained to make the right choices. At the end of the day, SMiShing is a time-tested tactic wrapped in a new package, targeting people as the weakest link in the IT security chain. That’s why it is so crucial to keep employees up to date with IT security training from Managed IT Services companies like amshot.
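
The traits described above (a link to follow, a ticking clock, a request for credentials, or a direct ask for secrets by text) can be turned into a simple triage check for texts that employees report. This is an added example, not code from the original article or from amshot; the phrase lists, function names and sample messages are assumptions constructed for illustration.

```python
import re

# Phrase lists are assumptions for illustration, not a vetted ruleset.
PATTERNS = {
    # A URL or a "click here"-style prompt that points the reader off the message.
    "link": re.compile(r"https?://\S+|\bwww\.\S+|\b(?:click|tap)\s+(?:here|below)\b", re.I),
    # A countdown ("in the next 12 hours") or a threatened loss of access.
    "urgency": re.compile(
        r"\b(?:in|within)\s+(?:the\s+)?(?:next\s+)?\d+\s*(?:minutes?|hours?|days?)\b"
        r"|\b(?:immediately|urgent|lose\s+access|suspended|locked)\b", re.I),
    # Wording that steers the reader toward entering credentials.
    "credential_request": re.compile(
        r"\b(?:log\s?in|sign\s?in|password|passcode|pin|credentials|account\s+number)\b", re.I),
    # Asking for the secret in the reply itself, with no link involved.
    "direct_ask": re.compile(
        r"\b(?:reply|respond|text\s+back)\b[^.!?]*\b(?:password|passcode|pin|account\s+number)\b", re.I),
}

def indicators(text):
    """Return the sorted names of every indicator found in one SMS body."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def triage(text):
    """Map indicators to an action: 'report', 'review' or 'ok'."""
    found = set(indicators(text))
    if "direct_ask" in found:
        return "report"  # secrets requested by text, which institutions do not do
    if "urgency" in found and found & {"link", "credential_request"}:
        return "report"  # ticking clock plus a path to credentials
    return "review" if found else "ok"

# Constructed sample messages; the first is the example quoted in the article.
SAMPLES = [
    "Click here to login in the next 12 hours to confirm your expense report "
    "or you will lose access to financial reporting.",
    "This is your bank. Reply with your account number and PIN to unlock your card.",
    "Your appointment is tomorrow at 10am. Details: https://example.com/appt",
    "Your package was delivered at 2:14 PM. Thanks for shopping with us.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms), indicators(sms), sms[:40])
```

A keyword check like this only sorts reported messages for a human to look at; it does not replace the awareness training discussed above.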

Looking for more protection? We can help. Set up a free consultation with an amshot pro.