Smishing (SMS phishing) is one of the fastest-growing cybersecurity threats targeting businesses today. If you’ve ever received a text message saying there was some kind of problem, like with your “recent delivery”, your PayPal, or your Amazon account. With instructions to click a link to resolve it, you’ve likely been the target of smishing.
Less than 35% of people know what smishing is. Here’s what your team needs to know.
How Smishing Works
A threat actor sends you an SMS asking you to click on a link. If you click it, you’ll be redirected to a fake website asking you to enter your information, a phishing form that looks identical to a page you recognize, or the site will attempt to download malicious software onto your device capable of tracking everything you do.
For businesses, the stakes are higher. One employee clicking the wrong link can expose company credentials, client data, and internal systems to attackers.
Proofpoint reported that SMS-based scams rose 328% during 2020 alone, and the trend has continued upward as phones become more integrated into daily business operations.
The Most Common Types of Smishing
Smishing attacks most frequently show up as:
- Fake delivery notifications
- Tax and financial scams
- Business email or invoice fraud
- Fake IT or account security alerts
- Health scams
How to Spot a Smishing Attempt
Many legitimate institutions now use text messaging to communicate, which makes smishing harder to detect. Here are the red flags to watch for:
- The message creates urgency, act now or face consequences
- The sender number looks unusual or doesn’t match the company
- The link URL doesn’t match the official domain
- You’re asked to provide personal or financial information via text
- The message is unexpected and you didn’t initiate the contact
If you’re ever in doubt, do not click the link. Go directly to the official website or call the institution to verify.
What You Can Do About It
The good news is that telecom companies are aware of the problem and have taken steps to address it. The CTIA has updated its best practices, using machine learning and shared databases between providers to block suspicious numbers. You can help by forwarding suspicious messages to 7726 (SPAM).
For businesses, here are the most effective protective steps:
- Use a multifactor authentication app like Duo or Microsoft Authenticator instead of SMS-based 2FA, if you don’t authenticate via text, attackers can’t steal that code
- Train employees to recognize smishing attempts before they click
- Establish a clear internal process for reporting suspicious messages
- Watch out for spoofed numbers; hackers can disguise their numbers as someone you know. If a contact reaches out asking for sensitive information over text, call them to verify before responding
- Never provide business credentials, financial information, or client data in response to an unsolicited text
The Bottom Line
Most companies will not request personal information over text messaging. But attackers are counting on your team not knowing that. Awareness is the first line of defense, but it shouldn’t be the only one.
At Bastionpoint Technology, we help Richmond businesses build layered security strategies that protect against threats like smishing before they reach your team. From employee security awareness to endpoint protection and continuous monitoring, we handle the security so you don’t have to.
Learn more about our cybersecurity services or get your free IT assessment today.
Chief Operations Officer / COO
I provide COO and IT Support Services alongside a mid-sized technical support team of engineers for business. Bastionpoint Technology is a managed service provider for businesses ranging from 1-500 users! We specialize in Legal, Medical, and Professional services, but support so much more. Retail, Finance, Healthcare, Manufacturing, Non-Profits, and you’ve certainly heard of our clients. We offer unlimited on-demand services, with an on-demand price point to meet every client’s needs. Just call on us – we put your business first!
