The Smish-and-Grab – Latest SMS & Phishing Trends in 2024
While Hollywood would have you believe that most high-profile 'hacks' involve highly-sophisticated, highly-technical, green-text-on-black-screen exploits, the reality is that many of the breaches that end up in the headlines begin with a socially-engineered employee.
After all, why spend the time and effort to develop the next big 'exploit', when you can just trick someone into handing over their credentials?
While most have heard of email-based social engineering (i.e., phishing) and phone-based social engineering (i.e., vishing), text-based social engineering (i.e., smishing) has quickly become a favorite of cybercriminals.
What is Smishing?
SMS phishing, commonly referred to as "smishing," is a social engineering attack where cybercriminals use deceptive text messages to lure individuals into revealing sensitive information, such as passwords or credit card details.
Nowadays, users have been conditioned to use SMS-based verification and messages as part of standard 2024 operating procedures (e.g., multifactor codes, delivery notifications, doctor appointment confirmations, etc.). With the increase of legitimate text traffic, identifying malicious or fraudulent messages has become more and more difficult.
Unlike phishing emails, smishing messages do not have to bypass email filters in order to make it to the targeted user; increasing the probability that a user will receive the message and have an opportunity to fall victim.
Smishing attacks are on the rise, presenting a significant cybersecurity threat to individuals and organizations.
Spotlighted Statistics
General Awareness: Less than 35% of the population understands what it is. This lack of awareness contributes to the high success rate of SMS-based fraud.
$ Damages: The FBI's Internet Crime Complaint Center (IC3) reported over 240,000 victims of phishing, smishing, vishing, and pharming in 2020, with losses exceeding $54 million. In the United States, consumers lost over $86 million to SMS phishing in 2019, and the prevalence of smishing attacks increased slightly from 75% in 2021 to 76% in 2022.
More Reported Instances: Smishing attacks surged by 328% in 2020, highlighting a dramatic increase in this type of cybercrime, particularly during the COVID-19 pandemic, which hackers exploited to send scam texts related to the virus and vaccines.
Targeted Campaigns: The threat of smishing extended across various sectors, with fake delivery notifications and tax scams being common methods used by attackers. For instance, in the UK, 846,000 people reported tax scams involving fake notifications from Her Majesty’s Revenue and Customs (HMRC) in 2020.
How about a practical example based on a recent engagement?
At SEVN-X, we are consistently asked to perform phishing, vishing, and physical security social engineering as part of our penetration testing. In the last 6-12 months however, we have noticed a considerable uptick in requests for smishing campaigns to be included.
The results have been eye-opening and, in many cases, significantly more successful than traditional emails/phone calls.
During a recent project, we conducted an SMS-based social engineering campaign to test the security awareness of an organization’s employees.
To set the stage, we:
built a phishing website that mimicked a valid login portal in appearance and leveraged a trusted content delivery network (CDN) to make the URL more believable to users
performed public reconnaissance to identify employees and likely cell phone numbers and confirmed our list of ~40 targets with our point-of-contact
built a templated message to impersonate IT support staff
purchased a pay-as-you-go phone and 90 minutes
Within four hours, we had successfully obtained 10 sets of valid credentials (25%) from users during the campaign. As seen below, we were also able to use the text conversation to bypass multi-factor authentication controls.
What can you do to protect against smishing attacks?
Protection measures against smishing attacks are very similar to the phishing guidance people have been receiving for years:
Stay informed about the latest tactics
Verify the source of unsolicited messages
Avoid clicking on suspicious links
Use two-factor authentication (2FA) everywhere you can (if you can't, ask why you can't!)
Update devices regularly
Report suspicious messages to telecom providers and your organization's security team