According to the Australian Competition and Consumer Commission (ACCC), more than 61% of all phishing scams reported in January 2022 were carried out via text message. Do your employees know what a smishing attack is, and more importantly, how to identify one?
What is Smishing?
Smishing is the term coined to describe when a cybercriminal sends a phishing attack via text message (SMS). These malicious messages contain links to malware or infected sites that often trick victims into providing their personal information such as email addresses, passwords, usernames or financial information.
Like all cyber threats, smishing attacks continue to evolve as hackers look for new ways to craft fraudulent text messages that catch out unsuspecting victims.
Common smishing examples can include:
- Financial Scams - Please verify your bank account.
- Phone Scams - Please verify your Apple iCloud ID.
- Postage Scams - You have a package ready to be collected!
- COVID-19 Scams - Click here for early access to vaccines.
- Prize Scams - You've won our competition, enter your details to claim!
There is no limit to the lengths cybercriminals will go to in imitating trusted sources to trick victims, and with more and more people using their own smartphones for work, smishing is becoming a business threat as well as a consumer threat. Due to this increased risk, it's important your employees know how to spot a potential smishing attack and how to respond.
Example Source: www.cyber.gov.au
How to identify a Smishing Attack
While some smishing attacks may be easy to spot by their poor spelling, unknown sender numbers and unreasonable requests, many smishing attacks are incredibly convincing.
When you receive any text message that asks you to complete an action, such as clicking on a link, it is always best to act with caution and be on the lookout for these telltale signs of foul play.
1. It's impersonal - Be wary of texts that start with generic greetings such as 'Hello' and do not address you by your name or account details.
2. It's urgent - Text messages that state they require urgent action such as logging into an account immediately or providing details immediately often catch victims off-guard.
3. It's too good to be true - Unfortunately, if something sounds too good to be true, it often is. If you receive a text saying that you have won a prize, been selected in a competition, or have been given access to something early and need to enter your personal information in order to claim, it's almost certainly a smishing attempt.
4. It's unexpected - If you haven't ordered a package, entered a competition, or started your tax return, for example, it's safest not to click or engage with the notifying text message. These blanket-style smishing attacks hope to catch victims out by coincidence. If it's unexpected, it's always best to contact the listed sender via another channel (e.g. a phone call) to verify the authenticity of the message.
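The same four signs can be applied consistently when a security team triages text messages that staff report. The Python below is an added example, not part of the original article; the phrase lists, function names, recipient name and sample messages are assumptions constructed for illustration.

```python
import re

# Phrase lists are illustrative assumptions, not a vetted ruleset.
LINK = re.compile(r"(https?://|www\.)\S+", re.I)
URGENT = re.compile(
    r"\b(urgent(ly)?|immediately|right away|within \d+ hours?|suspended)\b", re.I)
TOO_GOOD = re.compile(r"\b(won|winner|prize|early access|selected)\b", re.I)
# Topics mirror the article's "unexpected" examples: package, competition, tax.
TOPICS = {
    "package": re.compile(r"\b(package|parcel|delivery)\b", re.I),
    "competition": re.compile(r"\b(competition|prize|won)\b", re.I),
    "tax": re.compile(r"\btax (return|refund)\b", re.I),
}

def smishing_signs(text, recipient_name, expecting=()):
    """Return the set of warning signs found in one SMS body.

    expecting: topics the recipient confirms they are waiting on, e.g.
    ("package",). A message about any other known topic is 'unexpected'.
    """
    signs = set()
    if LINK.search(text):
        signs.add("link")
    if recipient_name.lower() not in text.lower():
        signs.add("impersonal")
    if URGENT.search(text):
        signs.add("urgent")
    if TOO_GOOD.search(text):
        signs.add("too_good_to_be_true")
    topics = {name for name, rx in TOPICS.items() if rx.search(text)}
    if topics - set(expecting):
        signs.add("unexpected")
    return signs

def triage(text, recipient_name, expecting=()):
    """'verify' means: confirm with the sender by another channel first."""
    signs = smishing_signs(text, recipient_name, expecting)
    # A link plus at least one of the four signs is enough to hold the message.
    action = "verify" if "link" in signs and signs - {"link"} else "no_signs"
    return action, signs

# Constructed sample messages (not real traffic); .example domains are reserved.
SAMPLES = [
    ("Hello, you've won our competition! Enter your details immediately: "
     "http://prize.example/claim", "Priya", ()),
    ("Hi Priya, your parcel arrives tomorrow. Track: https://post.example/t/123",
     "Priya", ("package",)),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(*sample))
```

The second sample only passes because the recipient confirmed they were expecting a package; the same text sent to someone who ordered nothing is flagged as unexpected.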
Cyber Spotlight - Deakin University Smishing Attack
Earlier this year, more than 47,000 current and past students of Australia's Deakin University had their personal information stolen, including their name, ID, mobile number, email address, and special comments including recent unit results, after a single staff member's credentials were compromised and used to launch a smishing attack.
A statement issued by the University on 12 July 2022 stated that:
"A staff member’s username and password was hacked and used by an unauthorised person to access information held by a third-party provider.
This third-party has been engaged by Deakin to forward messages prepared by the University to students via SMS. The information accessed by the unauthorised person was then used to send an SMS, as if from Deakin, to 9,997 Deakin students.
Anyone who clicked on the link was taken to a form which asked for additional information including credit card details. In addition to sending the SMS, the unauthorised person downloaded the contact details of 46,980 current and past Deakin students."
This large-scale attack demonstrates the importance of cyber security awareness for employees: a cybercriminal only has to 'get it right once' in order to compromise an entire database.
How can you protect your business from Smishing Attacks?
As the saying goes, cybercriminals are no longer targeting your systems, but your employees.
It is important that your employees understand the part they play in protecting your organisation and clients’ data.
Cyber Security Awareness Training raises your employees' knowledge and vigilance on how to identify potential cyber-attacks (such as smishing) and gives them the skills they need to safely take the appropriate action if they do fall victim to a malicious threat.
Reputable Cyber Security Awareness Training courses educate employees about cyber threats and attacks they may be subjected to every day. Ongoing training helps your employees navigate through the minefield that is cyber and data security and ensures they have the tools and experience to keep your organisation’s systems and data safe.
How can Diamond IT support your Cyber Security?
We work with you to ensure your staff are aware of the types of ever-evolving cyber threats and equip them with knowledge on how to minimise them. Our training provides a high level of cyber and data awareness and comprehension.
Our online Cybersecurity Staff Awareness Training and Cybersecurity Healthcheck can have an immediate impact on the strength of your security.
Our Business Technology Managers (BTMs) and Technology Consulting team are specialists in improving your internal cybersecurity and are ready to speak with you. Contact our team on 1300 307 907 today.