When you think of a cybercriminal, you probably think of an evil mastermind sitting behind a computer, launching sophisticated attacks over the internet. While some of today’s cybercriminals do use advanced technologies, many simply use the phone to trick their victims. Compared with other attacks, fewer security technologies can detect and stop a malicious text message. Plus, while we are constantly on the lookout for email scams, we let our guard down when we are contacted on our mobile devices. That’s why your organization’s security strategy needs to cover phishing attacks delivered by any method, including texts to mobile devices.
What is Smishing?
SMS or text phishing, often called smishing, targets victims via text messaging rather than the traditional email approach. Smishing attacks have been around for a while but gained momentum when the pandemic forced many to work remotely. Now, since more and more people are using their personal smartphones for work (a trend called BYOD, or “bring your own device”), smishing is becoming a threat to organizations. From a business perspective, the biggest risk is hackers infecting the corporate network.
How Does Smishing Work?
A phishing text message will resemble an innocent notification, like the one you might receive from a package delivery company, a bank, or a local government agency. Typically, the attacker wants the recipient to open a link in the text message, which leads to a phishing tool that prompts them to disclose their private information. This phishing tool often comes in the form of a website or an app that downloads automatically under a false identity. Additionally, the attacker will disguise their phone number using a method known as spoofing or by using an email-to-text service.
Prevent & Protect Against Smishing Attacks
Organizations can easily prevent these types of attacks with consistent cybersecurity training. Smishing attacks prey on user uncertainty, but a well-trained employee can recognize these attempts for what they are and know what to do or, in this case, what not to do, such as clicking on any links or responding to any of the text prompts.
Here are a few things to keep in mind that can help protect your organization against a smishing attack:
- Do not respond in any way. Prompts to reply, such as texting “STOP” to unsubscribe, can be a trick to identify active phone numbers. Attackers depend on your curiosity or anxiety over the situation, but you can refuse to engage.
- If in doubt, call the company or organization that supposedly sent the text, using a phone number or website you know to be legitimate.
- Check the phone number. Odd-looking phone numbers, such as 4-digit ones, can be evidence of email-to-text services. This is one of many tactics a scammer can use to mask their phone numbers.
- Use multi-factor authentication (MFA). An exposed password may still be useless to a smishing attacker if the account being breached requires a second “key” for verification.
- Report all SMS phishing attempts to your IT department.
- Check your phone settings to see if you have built-in spam protection.
Phishing attacks are a reality for many businesses today, but that doesn’t mean your company can’t take action to protect itself. At GTS, we offer a variety of security solutions and are happy to help identify places where your defenses could be stronger. Contact us today at (904) 606-6011 or email firstname.lastname@example.org to learn more.