The Human Element

Over the last decade the world has become vulnerable to the few that wish to exploit the human element.  People are the most vulnerable piece of the puzzle when it comes to data loss.  Organizations have looked to technology to mitigate their risk and although it does help control their risk, it is still critical to look at the source of the vulnerability and attempt to “seal the leak”.

Phishing is one of the largest and most successful methods cyber criminals use to gain access to credentials, deploy malware, gain access to internal systems, etc.  This has only increased because of their continual success; however, it is getting harder.  Cyber criminals are begin challenged to change their messaging, to be more targeted, and to do what it takes to get through the SPAM filters.  And most important, people are getting smarter.  They are more skeptical when they receive an email from an unknown person.  But the plethora of data breaches have given these cyber criminals the data needed to break down that skepticism.

Target Phishing and Smishing

Once information is made available on the dark web, cyber criminals can link different data points together to develop targeted attacks against individuals. For example, nefarious actors may also have access to information about workplaces, schools, or other businesses that have been breached. By combining this information, they can learn a lot about a person and fabricate emails that seem legitimate.  And it only takes one click.

Cyber criminals spend most of their time trying to find the easiest victim.  People are more aware of phishing scams, and many will look at emails more closely.  Cyber criminals know this and now their next step is to change it up and send a text or email posing as a company you trust, or even a person you know personally, such as your boss or coworker.   Adding smishing, phishing using SMS/text messaging, to the puzzle, it starts to break down the walls of skepticism.

For example, if you are a user of social media such as LinkedIn or Facebook, you have already published key pieces of data about yourself.  Next, the data breaches that have already occurred have given additional information to these criminals to be used together to make a more targeted list.  Let’s say you are responsible for sending large sums of money on behalf of the company you work for, which can be determined by your job title, you may not even think twice if you get an email with wire transfer instructions from someone who appears to be your boss. Cyber criminals can use similar tactics to convince you to divulge passwords and other credentials for bank accounts, PayPal, or other accounts that could allow them to commit fraud or access the money in your accounts.  If you are well trained and educated about phishing, you may not move forward with an email alone; but would you have the same reaction if you received a text message or if you received an email and a text message that seems to confirm it?

Smishing Impact

The trend of smishing is on the rise and the technology that is there to try to filter out SPAM in your email is not there for your text messages.  Cellular providers are going to be faced with a battle to attempt to stop the delivery of these types of messages. Smishing is a reality, and everyone should understand that this is the latest tactic, so be vigilant. 

What to Look for

Regardless of Phishing or Smishing, here are some tips to try to avoid falling prey:

1. Look at the sender email address or phone number. Even if the name looks familiar look at the actual email address and phone number and make sure they match up to what you believe is the correct information.
2. If there is a link in a message, does it go to where you believe it should? Always better to not click on the link and go directly to your browser and sign into your account directly and not through a link from a message, no matter how convenient it is.
3. Does the tenor of the message express urgency? If so, it may be a scam.
4. Even if it asks you to call (a lot of smishing will do this), they will answer and attempt to convince you that they are a support center and ask for credentials, account numbers, etc. If you do not know the number, don’t call it.  Look up the support number and call it directly if you want to verify the message.
5. Don’t click on any tiny URL as it is a way to mask where the email or text is navigating you to.
6. Once you determine it is a phishing or smishing attempt, block the email address or phone number.