The variety and sophistication of attacks are greater than ever before, making it harder for financial service organisations to maintain robust protection. But with the right knowledge and systems in place, you can keep your business, your data and your customers safe.
In this blog, we’ll look at one of the most common forms of cybercrime – smishing (also known as SMS phishing) – and share our top tips for defending against it.
What is smishing?
Smishing is a phishing attack that uses text messages to scam victims into handing over sensitive data.
Like phishing, smishing encourages victims to click a malicious link that either downloads malware onto their phone (often disguised as a legitimate app) or takes them to a fake website that tricks them into entering sensitive information (often payment or banking details).
How does smishing work?
Unlike cyberattacks that exploit weaknesses in technology to access information, smishing is a social engineering attack that exploits human trust. Attackers usually masquerade as a known company or person, and prey upon three key things:
- Trust: Cybercriminals lower a victim’s scepticism and build trust by posing as a legitimate person or company. Texting is also a more personal channel, which means victims are more likely to have their guard down.
- Context: Smishing attacks have become more personalised in recent years to help convince victims that they’re legitimate. For example, many attackers pose as HMRC during tax seasons since people expect messages from HMRC at that time.
- Emotion: Smishing attacks use urgent, emotive language to override victims’ critical thinking and get them to act quickly – before they realise the message is a scam.
Ultimately, a successful smishing scam relies on attackers convincing people they are a legitimate, trusted person or organisation, so they willingly hand over sensitive information, which is then used to commit fraud or other crimes.
How can you protect your organisation (and customers) from smishing?
One of the simplest ways to mitigate risks from smishing is to give staff and customers thorough (and regular) training to help them spot attempts. Attackers have moved on from the ‘Nigerian prince’-esque scams of the early digital age, so teams need to know the level of sophistication to look for. Areas to emphasise include:
- Sender details: Scammers disguise themselves as trusted sources, but if you take a closer look at the number or email address a message comes from, you can usually spot a fake.
- Personalisation: Smishers try to personalise messages, but they don’t always get it right. Messages that lack the correct greeting or opening are often scams.
- Spelling and grammar: Legit communications are usually proofread. If a message is full of typos or weird grammar, it could be fishy.
- Urgency: Be wary of anything that insists you must act immediately or within a very short timeframe.
Can technology help combat smishing?
Everyone makes mistakes. Even the most well-educated and cautious among us will, at some point, fall for a smishing attempt. So it’s important to invest in additional layers of security.
Tech like Engage Hub’s SMS Authenticator lets customers quickly and easily verify any message they get from you. All they have to do is forward the message with a unique keyword to a dedicated short code. SMS Authenticator then uses a series of real-time, automated checks to verify the sender’s identity.
With tools like SMS Authenticator, you can build trust with your customers, proactively reduce successful smishing attacks and minimise the operational costs associated with scams – including calls to your contact centre.
Now’s the time to proactively protect your business and customers