InfoSec Insider

Smishing: Why Text-Based Phishing Should Be on Every CISO’s Radar

Phil Richards, Chief Security Officer at Ivanti, discusses dramatic growth in smishing and what to do about it.

Anyone who uses a smartphone has likely been the target of at least one smishing attack. Smishing is much like email phishing scams, but instead sends deceptive or malicious links through text messages.

Like phishing, smishing tries to trick users into giving up valuable information, such as bank-login credentials, by convincing the recipient that the message has come from a trusted source. While these types of scams have been exploiting email accounts for decades, cybersecurity professionals should be especially worried about the dramatic rise in smishing attacks over the past couple of years.

Even before the era of COVID-19 forced organizations to shift to remote work almost overnight, approximately 81 percent of organizations said their employees had experienced a smishing attack on their mobile devices. In 2020, after lockdowns were in place around the world, smishing attacks proliferated exponentially. One study found that between March and July 2020, these attacks increased by an alarming 29 percent.

Why Are People More Vulnerable to Smishing Now?

Although phishing attacks have been around forever, there are at least a few reasons why smishing is more worrisome for IT security today:

  • It’s far easier to block email phishing on corporate-owned PCs, but today’s remote workers are now using their personal devices to access corporate apps and data. And frankly, there’s just no easy way to verify the authenticity of URLs on smartphones, so users often just click and hope for the best.
  • As of 2020, 2.8 billion users around the world now carry smartphones. The devices are literally everywhere, providing a vast, exploitable threat landscape for hackers.
  • Mobile users typically open and respond to text messages far more frequently than email. Consider that 90 percent of text messages are opened and read almost immediately; meanwhile, the average open rate for email hovers around 20 percent.
  • Personal devices typically lack the robust security used to protect corporate devices.
  • Let’s face it, all too often we’re just not paying attention. How many of us check our phones while doing other activities, such as shopping, eating, watching movies or walking the dog?
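As an added illustration (not code from the article or from Ivanti), this is the kind of cheap, offline triage a helpdesk could run over texts that employees forward, flagging the URL traits that are hard to eyeball on a phone screen: link shorteners, bare IP hosts, plain HTTP, and a brand name sitting on a domain the organisation does not own. The brand token, legitimate domains and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of texts an employee might forward to the helpdesk (not real campaigns).
REPORTED_SMS = [
    "Your parcel is held. Pay the 1.99 fee here: http://bit.ly/3xAbCd",
    "ACME Bank: unusual login. Verify now https://acme-bank-secure.example.net/login",
    "Reminder: your dentist appointment is tomorrow at 9am.",
    "IT helpdesk: password expires today, reset at http://192.0.2.10/sso",
]

# Assumptions: the organisation's brand token and its legitimate domains (hypothetical).
ORG_BRANDS = {"acme"}
LEGIT_DOMAINS = {"acme.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # opaque links hide the real destination
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(r"\b(verify|expires?|suspended|urgent|immediately|fee|reset)\b", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def extract_urls(text):
    """Pull http(s) URLs out of a message, dropping trailing punctuation."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]

def url_flags(url):
    """Cheap, offline checks on one URL; returns the reasons it looks off."""
    host = (urlsplit(url).hostname or "").lower()
    flags = []
    if host in SHORTENERS:
        flags.append("shortener")
    if IPV4_RE.fullmatch(host):
        flags.append("ip-literal-host")
    if not url.lower().startswith("https://"):
        flags.append("plain-http")
    legit = any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)
    if not legit and any(b in host for b in ORG_BRANDS):
        flags.append("brand-lookalike")  # our brand name on a domain we do not own
    return flags

def triage(text):
    """Score one message: one point per distinct URL flag, plus one if a link is paired with urgency wording."""
    urls = extract_urls(text)
    flags = {f for u in urls for f in url_flags(u)}
    score = len(flags) + (1 if urls and URGENCY_RE.search(text) else 0)
    return {"urls": urls, "flags": sorted(flags), "score": score,
            "verdict": "suspicious" if score >= 2 else "benign"}

if __name__ == "__main__":
    for msg in REPORTED_SMS:
        print(triage(msg))
```

The heuristics are deliberately simple and will not catch homoglyph or punycode lookalikes; they are a first filter for the helpdesk queue, not a replacement for a mobile threat-detection product.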

And guess what? Hackers know all of this, too. With just a little research and persistence, they can easily scam an employee into revealing their corporate credentials. Once inside the company, hackers can quickly unleash a security nightmare for any IT organization. Remember the Twitter hack from last July?

Since the new era of mass teleworking has pretty much demolished what was left of the traditional network perimeter, CISOs need new strategies for protecting corporate apps and data wherever they are, on any network, device or cloud. The good news is, most CISOs seem to understand that protecting their organizations from mobile threats should be their biggest priority going forward.

The CISO’s Mobile Security To-Do List

In December 2020, my company, Ivanti, commissioned an independent research study from Vanson Bourne to get a better understanding of CISO priorities. It revealed that 87 percent of CISOs across EMEA said that securing mobile devices is now the main focus of their cybersecurity strategies. Nearly 80 percent of these CISOs know that passwords are no longer an effective or secure means of user authentication, and almost two-thirds (64 percent) believe investing in mobile threat-detection software will be a major priority in 2021.

The User Experience Is Essential to Mobile Security

Of course, no mobile-security approach can succeed if it doesn’t improve the user experience. That is even more important today with so many employees working remotely, perhaps on a permanent basis.

Eliminating passwords in favor of multifactor authentication (MFA) is one of the easiest things CISOs can do now to help remote workforces stay productive while minimizing security threats. By requiring biometrics or other factors for authentication, IT can reduce the “phishability” of username and password login credentials, which are incredibly easy to steal through relatively simple means. Just as important, MFA dramatically improves the user experience by eliminating the need to type complex and easily forgotten passwords on small screens.

Although simplified user authentication is a necessary step, automated mobile-security controls are an essential part of any mobile-security strategy. CISOs know they can’t just rely on fallible, distracted humans to thwart cybercriminal activity. A comprehensive, “always-on” mobile-security approach (available from most cybersecurity vendors) that can detect and prevent mobile threats without impacting employee access should be at the top of every CISO’s to-do list in the year ahead.

Phil Richards is Chief Security Officer at Ivanti.
