The Context
Threat 1: SMS Phishing
What’s the risk?
SMS Phishing – aka SMShing – uses SMS messages to trick people into giving up sensitive information. The chances are you’ve been bombarded by every SMS scam under the sun in the recent past: Ofcom reported that 71% of people in the UK received a suspicious text in just a three-month period in 2021.
Why is it increasing?
The huge uplift in SMShing has its roots in the pandemic, when successive lockdowns saw people move their lives and businesses online. SMS scams grew 328% in Q3 2020 compared to the previous quarter, with SMS fraud increasingly industrialised by initial access brokers who sell contact details and sensitive information to criminal gangs.
This momentum looks set to continue in four key areas:
Spoofing SMS sender IDs:
Criminals use SIM boxes (banks of SIM cards wired up to a laptop) to send out bulk messages purporting to be from a bank, delivery service, supply chain partner or other legitimate business contact.
Put simply, cyber criminals will persist with SMShing because they can. Expect to see greater use of personalised spear phishing techniques in SMShing attacks.
Circumventing email security:
Algorithms, clever AI email gateways and heuristic detection are doing a better job of preventing phishing emails from reaching their targets. So just like whack-a-mole, the problem of phishing resurfaces elsewhere, in the form of SMShing.
Unlike email security, there is little or no innovation in SMS security as yet, so it’s way easier for scammers to get their links in front of people via SMS than using email.
More plausible scams:
Some of us will remember the first phishing emails, full of CAPITAL LETTERS and far-fetched stories. Today’s email phishing attacks are far more sophisticated, and we can expect to see the same increased believability in SMShing messages, as fraudsters have to try harder to gain our trust.
Look out for fewer crude ‘you have won a prize’ types of SMSs, and more that purport to be from your boss, your customers, and other people you instinctively trust.
Ubiquity:
SMS isn’t going anywhere. It’s convenient and popular, and easy for businesses to use. 90% of people open a text message within three minutes, compared to just 20% of people who open an email. So criminals have every incentive to keep using this technique.