3 Reasons Smishing Is Enterprise Mobility’s Biggest Threat

Contributor: Jason Koestenblatt
Posted: 08/09/2017

Text messaging is the most used data service in the world, and in the time it takes you to read and subsequently share this article, close to a billion texts will be sent worldwide, not including app-to-app messaging.

With so many eyeballs and fingers focused on typed communication through mobile devices, enterprises are facing a new world of threats as employees use their equipment for work and play simultaneously. Companies have ramped up their self-phishing techniques in recent years, seeking to build awareness among employees and heighten the company’s overall security hygiene.

So what is this new scam, and how is it impacting the enterprise’s ability to properly secure mobile devices, whether it’s a BYOD or COPE setting?

Smishing is the text message version of phishing, where hackers send a text posing as a company or person and ask the recipient to take action on any number of seemingly mundane activities, for example, the user’s bank claiming it has detected unusual activity or a congratulatory notice saying the person has won a prize from their favorite store.

The text message will then ask the recipient to review the “unusual activity” or “claim the prize” by clicking on and following a link sent with the information. Once the user has opened that link, in most cases, hackers need no further action and will be able to infiltrate the mobile device or accounts therein, grabbing personal data in the form of passwords and other private information.

When you consider 913,242,000 texts are sent every hour of every day around the globe – which breaks down to a whopping 15.2 million per minute – hackers have a veritable treasure trove of targets. That only widens when one considers the kind of access online criminals can gain by infiltrating a device connected to a company’s private network.

How did such a simple act become the enterprise’s biggest threat?

1.) Too much trust.
Users trust texting more than most other forms of communication. Phishing emails have been hitting inboxes for decades, with African princes seeking funds or pharmaceutical companies allegedly asking recipients to check out new products. Most users are now able to detect wayward emails, and if they can’t, there’s a good shot the spam filter is doing it for them. Texting, on the other hand, is done between trusted contacts. Receiving an SMS message from a new number doesn’t mean it was sent with ill intent; it just means that user hasn’t been added to the contacts list yet. In the enterprise, as employees dabble on their phones to check email, collaborate in real time, or use social media apps during non-work hours, they’re also checking text messages and could very easily tap a link they feel is trustworthy during the hustle and bustle of daily activities.

2.) Smartphone saturation.
As each year comes and goes, so do new devices, but one trend is continuing in an upward direction: the number of mobile devices, specifically smartphones, being used in the enterprise. It’s predicted that more than 42% of the global workforce will primarily use a mobile device by 2022. Add to that the some 44% of the world’s population that will have a smartphone by the end of 2017, and mobile devices have now become commonplace. With the increased number of devices comes a growing number of communication methods, and texting will remain the leader for years to come.

3.) No one is immune.
While not a member of the enterprise setting, a human rights activist from the United Arab Emirates received a text message on his iPhone in August 2016 that included a link. Fortunately for the dignitary, he did not follow the link, and instead submitted the text to Citizen Lab for research. It turns out that if he had followed through with the prompt, his phone would have become a tracking device, enabling a hacker to use his camera and microphone remotely. This prompted Apple to release an OS patch. No one knows how the criminals obtained the activist’s phone number, either. As recently reported by Enterprise Mobility Exchange, 40% of CIOs believe they are the biggest target of mobile security attacks, meaning hackers are aiming at the top to potentially obtain as much private, corporate data as possible.

So how does the enterprise combat a threat that aims at the most used, most trusted source of mobile communication? Solutions that provide secure text messaging help, of course, but raising awareness among employees is essential. Self-smishing campaigns will become a priority in the enterprise in 2017 and beyond, focusing on decreasing click-through rates and expanding knowledge of the growing threat.
