Smishing attacks and the human element

I was recently interviewed by KARE-11¹ on the alarming prevalence of smishing attacks. Smishing attacks (also known as SMS phishing) are phishing messages sent via text. I’m sure most of us have been the unhappy recipients of these texts in the past year. The messages tell us that we have missed an important delivery, won (or could win!) some grand prize, or need to re-enter some personal information for an online account. The possibilities are endless when it comes to message content, but the goal of the scammer remains essentially the same—to get you to interact with their message, click a link, and/or provide personal information. But why has smishing in particular become so popular as of late?

In part because there’s money in it. In the words of one FCC alert, “According to the Federal Trade Commission’s annual Consumer Sentinel Network report, consumers lost approximately $86 million in 2020 as a result of scam texts.”² But the timing is very opportune as well. Phishing in general has been on the rise, especially throughout the pandemic—which created a perfect storm for rampant phishing activity, from targeting stimulus money to exploiting remote work vulnerabilities to mounting COVID-19 vaccine scams.

Remote working conditions have also meant a greater number of employees using their smartphones, alongside other devices, for work, making their phones readily available targets.³ Hackers have certainly attempted, often successfully, to capitalize on the changing circumstances that many of us have encountered over the course of the past two years. But even as the pandemic situation begins to improve, it would seem that smishing attacks continue to proliferate. Even though a phishing email may be more dangerous in terms of clicking a link, smishing nevertheless remains a convenient method to hack into the most vulnerable aspect of cybersecurity—the human element.

Smishing texts are easy to produce and to send, and there are several ways to make them seem more legitimate. As discussed in my KARE-11 interview, it is a frequent occurrence to see a scam text or call originating from your own phone number. There is a greater likelihood of paying attention to a text sent from a familiar number, and individuals will be less inclined to block their own number (although that may be recommended in some instances). The sheer number of smishing texts sent increases the likelihood that a recipient will mistakenly believe at least one has originated from a verified source. On the flip side, the problem is so ubiquitous that another issue has arisen—people ignoring “real” messages or blocking actual contacts.

To avoid becoming a victim of a smishing scam, the same tried-and-true rules apply. Act cautiously when opening messages, avoid clicking on links, and verify sources before providing any personal information. It may also be appropriate to file a complaint with the FTC, contact your wireless provider, or block any suspicious numbers (even your own number). If you happen to give away any personal information or click any suspicious links, it is advisable to keep an eye on your accounts, change passwords, and monitor for any signs of identity theft.

Preventive measures are always going to be your best bet with any cybersecurity threat. Slowing down and taking the time to verify sources is a critical step that’s easy to overlook. In regard to communication methods, be sure you make the effort to establish with clients how they can expect to be contacted and what kinds of information will be requested over email or text. It should be clearly stated that information such as Social Security numbers or account credentials will never be requested digitally.

The human element is a pivotal component in determining the success or failure of a cyberattack. This reality is even more pronounced when it comes to phishing attacks that seek to trick people into interacting and willingly giving valuable information. Work-from-home policies should continue to be revisited and revised as hybrid situations become the norm for many. Education, reporting, and vigilance in keeping up with best practices all go a long way toward maintaining your personal and professional cybersecurity posture. 

MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board. 
1 https://www.kare11.com/article/news/local/breaking-the-news/spam-and-scam-texts-are-on-the-rise/89-19adb26a-eb49-48ef-ab79-072dfcdb92b4 
2 https://www.fcc.gov/covid-19-text-scams 
3 https://www.theguardian.com/business/2021/sep/19/smishing-the-rising-threat-for-business-owners-that-brings-scams-to-smartphones