The Evolution of Smishing: 3 Ways to Detect and Prevent Attacks 

Smishing isn’t new. However, it has evolved dramatically in recent years, with increased attack frequency and a much higher quality of the fraudulent landing pages that victims are funneled into.  

At Lookout, we see our customers facing many of these SMS-based phishing attacks. One of our recent surveys found that 75% of organizations have experienced mobile phishing attempts against their employees. While the floodgates may be open, you can stem the tide. The first step toward prevention? Understanding that everyone is now a potential target for smishing attacks. 

Everyone is Now a Target 

Not that long ago, malicious actors tended to focus their efforts on organizations in highly regulated industries. These high-value targets were viewed as possessing the most valuable sensitive data and could offer large payouts. 

Now, everyone is a potential target. For cyberattackers, all data is valuable data, and they want whatever they can get. Smishing is an easy and effective way for them to get access to it.  

The cost to set up a smishing operation is lower than ever. Smishing kits require minimal technical experience to start. Some of the most sophisticated kits cost only a few hundred dollars — pennies compared to the potential payout. 

These smishing kits include fake login page templates and step-by-step instructions to help attackers evade detection. Actors simply need to set up a host webpage, blast their message out and hook as many victims as possible before the page is flagged and removed. These kits also include anti-smishing detection and geoblocking tools to help buy as much time as possible. 

Sending messages in bulk is easier than ever, too. Many kits include scripts that will send thousands of messages to a stolen list of contacts within minutes. All it takes is a single hit to profit. 

Deleting the message is the easiest way to foil most smishing attacks. The problem? People feel the need to open most of their texts, especially if they look reputable. Proper education, proactive protections and clear internal processes can transform employees at your organization from potential victims into the first line of defense against these attacks. 

Three Ways to Prevent Smishing Attacks 

1. Educate Employees on Security Best Practices 

Everyone contributes to the security of the organization because anyone can be a target. Malicious actors aren’t just targeting employees on their work devices. Because hybrid work and cloud apps enable remote access to important tools and sensitive information using any device, threat actors are going after personal devices, too.  

To counteract this, set a series of best practices for employees to follow, with steps like: 

• Carefully read the message and URL before interacting. Look for small spelling errors or lookalike URLs.  

• If the message is unsolicited, reach out to the group it claims to be from. This could range from your IT team to your bank.  

• If your gut tells you something is off, you’re probably right. When in doubt, don’t click the link and don’t respond.  

• Screenshot and report the suspicious message to your IT or Security team.  

Build these practices into your regular IT security training sessions by sending smishing tests as frequently as email phishing tests. In addition, send regular reminders or examples of recent attempts to keep employees informed. A concerted effort can help you and your employees spot smishing attempts and stop them before they’re successful. 

2. Develop Internal Processes for Employees to Alert IT 

The sheer volume of devices and incoming messages makes it difficult to track down individual incidents without some help. Create an internal form or integrate a tool into your organization’s workflows to enable employees to submit information with as little friction as possible. An easy way to do this is to set up a channel on your internal communication platform where employees can submit screenshots of attempts.  

Doing so will allow employees to contribute to the organization’s security posture. It’ll also give you more information about the source of the smishing attempt to help you investigate further. If you can integrate automated reporting that aggregates this data with your other security or incident management tools, even better.  

3. Automate Monitoring and Detection Processes 

As vigilant as we are in flagging smishing attacks, mistakes happen. To mitigate the fallout, organizations need automated systems to help them detect intrusions and prevent further access. Mobile endpoint security systems can help you detect security risks across controlled and personal devices. Then, lean on your cloud security infrastructure to help you monitor for suspicious activity, limit access to sensitive systems and lock out specific IP addresses to limit exposure. 

These are a few small steps you can take to combat the rise in smishing attacks. While you won’t be able to prevent malicious actors from sending them, taking these preventive measures will prevent your organization from becoming their next victim.