Smishing is a cyberattack carried out using SMS messages. It is a form of social engineering: it relies on human trust and inattention rather than on a technical vulnerability in the phone or the network.
As in e-mail phishing, victims are lured into disclosing personal information, only the lure arrives as a text message instead of an e-mail. Attackers try to obtain sensitive data from users and then misuse or sell it. Incoming messages frequently claim to come from the bank where the victim holds an account and aim to steal banking credentials and card details.
Smishing attacks are carried out in two main ways:
- Via malware - An enticing link whose URL leads to the download and installation of malware on the mobile phone. The malware masquerades as a legitimate application, tricks the user into entering confidential information and sends that data to the attackers.
- Via a malicious website - A link to a site that asks the user to enter personal information. Attackers build such sites to imitate the real ones as closely as possible so that the theft of data goes unnoticed.
Target groups are usually employees of a particular company, customers of a particular institution, subscribers of a mobile network, university students or residents of an area. The sender the attacker impersonates is usually the institution whose users or systems they are trying to get at.
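The "subtle differences" in a fake site usually live in the domain name of the link. The following is an added example, not code from the original page or from BDO, showing how to pull the links out of an SMS text and classify them against the domains an organisation really uses. The brand `mybank.com`, the sample messages and the substitution table are constructed for illustration; the two-label "registrable domain" rule is a simplification (real tooling uses the public suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed sample messages, not captured campaign data.
SAMPLE_SMS = [
    "MyBank: your statement is ready at https://online.mybank.com/statements",
    "MyBank: unusual login detected, confirm now https://mybank.com.secure-verify.net/auth",
    "Your parcel is held at the depot. Pay the fee: http://myb4nk-online.com/pay",
    "Card blocked. Unlock at www.rnybank.com/unlock",
    "Lunch at 12? No link here.",
]

# Domains the organisation really uses (hypothetical brand).
LEGIT_DOMAINS = {"mybank.com"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

# Digit-for-letter substitutions typical of look-alike labels.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix handling,
    so 'example.co.uk' would be reduced to 'co.uk'; real tooling uses the PSL."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def normalize_label(label: str) -> str:
    """Undo the cheap tricks: digits that resemble letters and 'rn' for 'm'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, legit_domains: set) -> str:
    if url.lower().startswith("www."):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in legit_domains:
        return "legitimate"
    for legit in legit_domains:
        brand = legit.split(".")[0]
        # 'mybank.com.secure-verify.net': the real domain appears, but only as a subdomain.
        if "." + legit + "." in "." + host + ".":
            return f"lookalike: {legit} embedded as subdomain of {reg}"
        label = normalize_label(reg.split(".")[0])
        if label == brand or levenshtein(label, brand) <= 1:
            return f"lookalike: typosquat of {legit}"
        if brand in label:
            return f"lookalike: brand name inside unrelated domain {reg}"
    return "unknown domain"


def scan_sms(text: str, legit_domains: set = LEGIT_DOMAINS) -> list:
    """Return (url, verdict) for every link found in the message."""
    return [(u, classify_url(u, legit_domains)) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for url, verdict in scan_sms(sms):
            print(f"{verdict:60} {url}")
```

The three verdicts map to the three tricks a user is least likely to spot on a small screen: the real domain placed in front of an attacker-controlled one, a digit or "rn" standing in for a letter, and the brand name buried in an otherwise unrelated domain. Only the registrable domain decides whether a link is genuine; anything to its left is under the attacker's control.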
OUR APPROACH AND SOLUTIONS
Social engineering is usually the first step in infiltrating a company. At BDO we run smishing and phishing campaigns whose aim is to measure what proportion of the target users fall victim to social engineering.
- In the first step our specialist is introduced to the company and the scope and target groups of the campaign are agreed.
- Next, fraudulent sites are created as faithful copies of the originals. The differences and substitutions (typically in the domain name) are deliberately subtle so that the copy is not recognizable at first glance.
- Templates for the individual smishing and phishing campaigns are then prepared.
- The output is a report stating how many people did not detect the scam, from which devices and how often they accessed the fake site, and so on.
- Optionally, and highly recommended, the campaign is followed by training. Target users are shown the techniques that were used against them and how to recognize them, how to defend themselves and how to prevent them.
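The report in the last two steps is derived from the landing page's access log, where every recipient's link carries its own tracking token. The following is an added example, not code from the original page or from BDO's tooling, that parses constructed web-server log lines and produces the figures the report needs: how many targets clicked, how many went on to submit the form, on which device classes and how often. The token table, IP addresses and log lines are constructed for illustration; real tokens must be long and unguessable, and the fake site should record only that a submission happened, never the credentials themselves.

```python
import re
from collections import Counter, defaultdict

# Constructed: which one-time token was sent to which (pseudonymised) recipient.
# Tokens are kept short for readability; real ones must be long random values.
TOKENS = {
    "a1f3": "user-001",
    "b2e7": "user-002",
    "c9d0": "user-003",
    "d4c1": "user-004",
    "e5b8": "user-005",
}

# Constructed access log of the landing page (combined log format).
ACCESS_LOG = """\
203.0.113.10 - - [12/Mar/2024:09:14:02 +0100] "GET /verify?t=a1f3 HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
203.0.113.10 - - [12/Mar/2024:09:14:40 +0100] "POST /verify?t=a1f3 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
198.51.100.7 - - [12/Mar/2024:09:20:11 +0100] "GET /verify?t=b2e7 HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 Chrome/122.0 Mobile Safari/537.36"
198.51.100.7 - - [12/Mar/2024:09:25:48 +0100] "GET /verify?t=b2e7 HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 Chrome/122.0 Mobile Safari/537.36"
192.0.2.55 - - [12/Mar/2024:10:02:33 +0100] "GET /verify?t=c9d0 HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/122.0 Safari/537.36"
192.0.2.55 - - [12/Mar/2024:10:02:34 +0100] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/122.0 Safari/537.36"
192.0.2.99 - - [12/Mar/2024:10:30:00 +0100] "GET /verify?t=zzzz HTTP/1.1" 200 2310 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TOKEN_RE = re.compile(r"[?&]t=(\w+)")


def device_class(ua: str) -> str:
    """Coarse device class from the User-Agent; enough for the report."""
    if "iPhone" in ua or "iPad" in ua:
        return "ios"
    if "Android" in ua:
        return "android"
    if "Windows" in ua or "Macintosh" in ua or "X11" in ua:
        return "desktop"
    return "other"


def parse_log(text: str) -> list:
    """Keep only requests that carry a tracking token; favicon and other noise are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tok = TOKEN_RE.search(m["path"])
        if not tok:
            continue
        events.append({"token": tok.group(1), "method": m["method"],
                       "ua": m["ua"], "ip": m["ip"]})
    return events


def build_report(events: list, tokens: dict) -> dict:
    visits = defaultdict(int)   # recipient -> number of page loads
    submitted = set()           # recipients who POSTed the form (credentials are NOT stored)
    devices = {}                # recipient -> device class of their first hit
    unattributed = 0            # hits with an unknown token: scanners, guesses, not user results
    for e in events:
        rec = tokens.get(e["token"])
        if rec is None:
            unattributed += 1
            continue
        devices.setdefault(rec, device_class(e["ua"]))
        if e["method"] == "GET":
            visits[rec] += 1
        elif e["method"] == "POST":
            submitted.add(rec)
    return {
        "targets": len(tokens),
        "clicked": len(visits),
        "click_rate": round(len(visits) / len(tokens), 3),
        "submitted": len(submitted),
        "submit_rate": round(len(submitted) / len(tokens), 3),
        "devices": dict(Counter(devices.values())),
        "repeat_visitors": sorted(r for r, n in visits.items() if n > 1),
        "unattributed_hits": unattributed,
    }


if __name__ == "__main__":
    for key, value in build_report(parse_log(ACCESS_LOG), TOKENS).items():
        print(f"{key:18} {value}")
```

Two details matter for a fair report: hits whose token is not in the table are counted separately rather than as victims (a security team or a scanner following the link would otherwise inflate the click rate), and a recipient who opens the page several times is counted once as a victim but listed as a repeat visitor, since that pattern often reflects a user who hesitated and is a good candidate for the follow-up training.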
CASE STUDY: THE SUCCESS OF SMISHING CAMPAIGNS