What is Smishing?
Smishing (a contraction of SMS and phishing) covers a range of attacks, but the most common and dangerous are those where the attacker sends an SMS under the real brand name of a business and includes a URL to a fake site that collects the customer's details. Such messages may even appear in the same thread as the brand's legitimate messages, making it easy for an unwitting recipient to take them as genuine.
Attackers using social engineering draw on what they know about their victims to make messages look genuine, a technique often called "spear-phishing". This starts with the mobile number and name but can extend to other details such as account numbers or addresses.
As a responsible business interested in using SMS and other messaging channels to communicate with your customers, you can’t help but be concerned every time you see a report of an attack that has resulted in either financial loss for consumers or reputational damage to a business.
Sounds scary. So should you be using SMS at all?
This post describes some of the measures Promotexter and the Philippine mobile carriers are taking to protect both your brand and the consumer from malicious actors using SMS. Given these steps, SMS remains a useful channel, but you should still be mindful of how you use it.
What can be done to protect brands and customers?
Promotexter has responded to the misuse of, and unauthorized access to, SMS messaging services by adding a range of security measures.
Fraudsters are continuously looking for ways to trick unsuspecting users into submitting personal details, especially bank details. One frequent common denominator in smishing attacks is the clickable URL, especially a shortened URL or a look-alike domain that differs from the real one by a typo, an added hyphen or digit, or an extra word. For example, you may think all of the following look legitimate, but only one is: citbank.com, citi-bank.com and citibank-online.com. A recipient reading on a small screen cannot reliably tell them apart, which is why the checking has to happen on the platform rather than by the reader.
Promotexter has introduced URL safelisting for all types of SMS including those from international sources and local clients.
Safelisting URLs adds a strong layer of protection for mobile subscribers. Whether an attacker routes malicious messages through an international provider, or even gains access to a brand's messaging account, any message sent may only contain a URL that we have verified as trusted; messages carrying any other URL are blocked.
Some major mobile carriers are now not permitting the use of generic shortened URLs (such as bit.ly) and neither do we, because whilst they are convenient for brands, they are the most common sources of phishing links. This is particularly important given the destination of a shortened URL can be changed at any time from a safe website to a phishing site, in an attempt to bypass safelisting.
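The checks described above can be expressed as a filter over the message body before it is handed to the carrier. The following is an added example, not Promotexter's own code: the safelist, the shortener list and the sample messages are constructed for illustration. It extracts every link (including bare host names, which phones render as tappable), resolves the real host with a URL parser so that tricks like `citibank.com@evil.net` land on `evil.net`, rejects generic shorteners and non-ASCII (homograph) hosts, and accepts only exact or subdomain matches against the safelist rather than substring matches, which would wrongly accept `citibank.com.evil.net`.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data for this example (not a real safelist).
# Listing an apex domain assumes the brand controls all of its subdomains.
SAFELISTED_HOSTS = {"citibank.com"}
GENERIC_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}

# Matches http(s) URLs and bare host names with an optional path.
URL_RE = re.compile(
    r"\b(?:https?://[^\s<>\"']+|(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?)",
    re.IGNORECASE,
)


def extract_urls(body):
    """Return every link-like token in the SMS body, minus trailing punctuation."""
    return [m.group(0).rstrip(".,;:!?)") for m in URL_RE.finditer(body)]


def host_of(url):
    """Resolve the host a phone would actually open for this link.
    urlsplit() handles 'user@host', ':port' and upper-case names, so
    'https://citibank.com@evil.net/x' correctly yields 'evil.net'."""
    if not re.match(r"https?://", url, re.IGNORECASE):
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def is_safelisted(host):
    """Exact match or proper subdomain of a safelisted host. A substring test
    would accept 'citibank.com.evil.net' and 'notcitibank.com'; this does not."""
    return any(host == s or host.endswith("." + s) for s in SAFELISTED_HOSTS)


def is_shortener(host):
    return any(host == s or host.endswith("." + s) for s in GENERIC_SHORTENERS)


def check_message(body):
    """Return (allowed, reasons). A message is allowed only if every link it
    carries resolves to a safelisted host and none is a generic shortener."""
    reasons = []
    for url in extract_urls(body):
        host = host_of(url)
        if host is None:
            reasons.append("unparseable URL: " + url)
        elif not host.isascii():
            reasons.append("non-ASCII host (possible homograph): " + url)
        elif is_shortener(host):
            reasons.append("generic shortener: " + url)
        elif not is_safelisted(host):
            reasons.append("host not on safelist: %s (%s)" % (host, url))
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample messages.
    for body in [
        "Your statement is ready: https://www.citibank.com/statements",
        "Verify now at http://citi-bank.com/verify",
        "Update your details: https://bit.ly/3abc",
        "Login: https://citibank.com@evil.net/login",
        "Confirm at citibank.com.evil.net/login",
        "Reply STOP to opt out.",
    ]:
        ok, why = check_message(body)
        print("ALLOW" if ok else "BLOCK", body, why)
```

Run the block as a script to see each constructed message classified. Note that the filter deliberately refuses to guess: a link it cannot parse is blocked rather than let through.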
Sender ID Whitelisting
Promotexter cooperates with the mobile carriers to provide additional safeguards for brands through pre-registration of Sender IDs* and the requirement for a Letter of Authorisation (LOA) confirming a company's rights to a brand name or sender name. This has probably been the single most important step in reducing misuse of sender names in SMS. Increasingly, attackers have to resort to SIM farms** and regular mobile numbers to send their messages; without the branded sender name, they are much less likely to fool their intended victims.
A lot of SMS messaging is sent by brands through an Application Programming Interface (API), where the message is triggered from the brand's own system. Anyone who obtains the API credentials sent with each request can send SMS through that account. Because such a request usually originates outside the company's own systems, it typically arrives from a different source IP address than the brand's legitimate traffic.
By whitelisting your IP addresses on the Promotexter platform, you make it much harder for smishers to send SMS through your Promotexter account via the API, even if they hold a stolen API key.
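To show what IP whitelisting adds on top of the API key, here is an added example of the server-side check, not Promotexter's implementation: the account store, the key, the allowed ranges (documentation prefixes 203.0.113.0/24 and 198.51.100.7) and the trusted-proxy range 10.0.0.0/8 are all assumed for illustration. A request is accepted only if the key matches (constant-time compare) and the source address falls inside the account's allowed ranges. The X-Forwarded-For header is honoured only when the TCP peer is one of our own proxies, since otherwise an attacker holding a stolen key could simply forge a whitelisted address in that header.

```python
import hmac
import ipaddress

# Constructed sample account store (assumed, not a real data model).
ACCOUNTS = {
    "acct-brand-1": {
        "api_key": "k-0123456789abcdef",
        "allowed_sources": ["203.0.113.0/24", "198.51.100.7/32"],
    },
}

# Reverse proxies whose X-Forwarded-For we trust (assumed deployment detail).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(peer_ip, forwarded_for=None):
    """Work out the real client address.
    X-Forwarded-For is only believed when the TCP peer is one of our proxies;
    the rightmost entry is the one our proxy appended, earlier ones are
    whatever the client chose to send."""
    peer = ipaddress.ip_address(peer_ip)
    if forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def authorize(account_id, presented_key, peer_ip, forwarded_for=None):
    """Return (ok, reason). Both the API key and the source address must check out."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return False, "unknown account"
    # Constant-time comparison so response timing does not leak the key.
    if not hmac.compare_digest(acct["api_key"], presented_key):
        return False, "bad api key"
    src = client_ip(peer_ip, forwarded_for)
    allowed = [ipaddress.ip_network(n) for n in acct["allowed_sources"]]
    # 'in' returns False across IPv4/IPv6 versions rather than raising.
    if not any(src in net for net in allowed):
        return False, "source %s not on account allowlist" % src
    return True, "ok"


if __name__ == "__main__":
    key = "k-0123456789abcdef"
    # Constructed scenarios: legitimate, stolen key from elsewhere,
    # forged header from an untrusted peer, and the same header via our proxy.
    print(authorize("acct-brand-1", key, "203.0.113.45"))
    print(authorize("acct-brand-1", key, "192.0.2.10"))
    print(authorize("acct-brand-1", key, "192.0.2.10", "203.0.113.45"))
    print(authorize("acct-brand-1", key, "10.1.2.3", "203.0.113.45"))
```

The second and third scenarios are the smishing case: the attacker has the key but not a whitelisted address, and forging the header does not help because the platform only trusts it from its own proxies.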
Two Factor Authentication (2FA)
Another way to protect your SMS account from malicious parties is to enable 2FA. With it enabled, only designated users can log in, and only after entering a One Time Password delivered to them. It can be activated in the Promotexter account settings.
Despite the stories, SMS remains a viable channel for brands to stay in touch with their customers and for notifications such as OTP messaging. However, a strong focus on data security and privacy is essential from all parties, and it is important to only use responsible providers such as Promotexter that take the risks seriously and can reassure you that your data is safe.
If a provider is willing to sell you a database or list of mobile numbers, you should avoid working with them: sending SMS to numbers whose owners have not explicitly opted in is prohibited by the carriers and the telecom regulators.
Please talk with us if you need more information on the steps we are taking to protect you and your customers from the risks of Smishing and other attacks.
* Sender names or Sender IDs are the brand names that appear at the top of an SMS. SMS messages sent using a branded sender name (sometimes referred to as an SID) cannot be replied to.
** "SIM farms" describe the use of multiple SIM cards in modem devices connected to a computer to send mass SMS blasts or text blasts. Messages arrive on recipients' phones looking as if they come from a personal mobile number. Typically, SIM farms misuse consumer "unli" plans, and carriers attempt to block them as soon as they appear.