What is Smishing?
Smishing (a contraction of SMS and phishing) is the term given to a range of attacks. The most common and dangerous are those where the attacker is able to send an SMS using the real brand name of a business and include a URL to a fake site where the attacker collects the customers’ information. Such messages may appear in the same thread as legitimate messages, making it easy for an unwitting recipient to be fooled into believing the message is genuine.
“Social engineering” attackers use knowledge of their victims to make their messages appear genuine. This starts with the mobile number and name but can extend to other information, including account numbers or addresses.
As a responsible business interested in using SMS and other messaging channels to communicate with your customers, you can’t help but be concerned every time you see a report of an attack that has resulted in either financial loss for consumers or reputational damage to a business.
Sounds scary. So should you be using SMS at all?
In this blog I describe some of the measures Promotexter and the Philippine mobile carriers are taking to protect both your brand and the consumer from malicious actors while you use SMS. Given these steps, I will show that SMS remains a useful channel, but you should still be mindful about the way you use it.
What can be done to protect brands and customers?
Promotexter has responded to the misuse and unauthorized access to SMS messaging services by adding a range of security measures.
Masking Suspicious URLs
Fraudsters are continuously looking for ways to trick unsuspecting users into submitting personal details, especially bank details. One common denominator in smishing attacks is the use of clickable URLs, especially shortened or misspelled URLs which look like the original. The use of the digit zero to replace the letter ‘O’ is a typical example. Promotexter has introduced URL whitelisting and the masking of suspicious URLs.
Masking URLs is like removing the detonator from a bomb: it renders the malicious message harmless to its intended victim. Masking rules are continually evolving as attackers attempt to find loopholes.
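The following is an added illustration of the whitelisting-plus-masking idea described above; it is example code written for this post, not Promotexter's platform code. It assumes a constructed allowlist of brand domains (examplebank.ph) and a small table of look-alike character substitutions such as the zero-for-O trick; any URL that is not on the allowlist, whether a look-alike or simply unknown, is replaced with a placeholder before the message goes out.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: domains this sender is authorised to link to.
ALLOWED_DOMAINS = {"examplebank.ph", "www.examplebank.ph"}

# Look-alike substitutions attackers use to imitate a brand domain,
# e.g. the digit zero in place of the letter O mentioned in the post.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

# Matches http(s):// or www. links; stops before trailing punctuation.
URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"\']*[^\s<>"\'.,;:!?)]', re.I)


def canonical(domain: str) -> str:
    """Fold look-alike characters so 'examp1ebank' and 'examplebank' compare equal."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in domain.lower())


def classify_url(url: str) -> str:
    """Return 'allowed', 'lookalike' or 'unknown' for one URL."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    if host in ALLOWED_DOMAINS:
        return "allowed"
    skeleton = canonical(host)
    # Same skeleton as a brand domain but a different host = imitation attempt.
    if any(skeleton == canonical(good) for good in ALLOWED_DOMAINS):
        return "lookalike"
    return "unknown"


def mask_message(text: str) -> tuple[str, list[tuple[str, str]]]:
    """Replace every non-allowlisted URL in an SMS body with a placeholder.

    Returns the masked text and a list of (url, verdict) pairs for logging,
    so that look-alike attempts can be reviewed and the rules tuned.
    """
    findings: list[tuple[str, str]] = []

    def _sub(match: re.Match) -> str:
        url = match.group(0)
        verdict = classify_url(url)
        findings.append((url, verdict))
        return url if verdict == "allowed" else "[link removed]"

    return URL_RE.sub(_sub, text), findings
```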
As a responsible brand, you should also help to educate your customers, in particular about being very careful when clicking on links. It is much better to encourage them to type in your website address than to open it from a link.
Sender ID Whitelisting
Promotexter cooperates with the mobile carriers to provide additional safeguards for brands by way of pre-registration of Sender IDs* and the requirement for Letters of Authorisation (LOA) to confirm a company’s rights to a brand name or sender name*. This has probably been the single most important step in reducing misuse of sender names in SMS. Increasingly, attackers are having to resort to SIM farms** and regular mobile numbers to send their attacks. However, without the branded sender name, attackers are much less likely to fool their potential victims.
A lot of SMS messaging is sent by brands using an Application Programming Interface (API), where the message is triggered from the brand’s own system. Gaining access to the security credentials that are included in the API request potentially gives a hacker or fraudulent user the ability to send SMS via the API. Because this would usually happen away from the company’s own system, it typically comes from a different source IP address from the one the brand’s platform regularly uses.
By whitelisting your IP addresses on the Promotexter platform, you make it much harder for smishers to send SMS through your Promotexter account via the API, even if they obtain the credentials.
Two Factor Authentication (2FA)
Another way to protect your SMS account from being accessed by malicious parties is to enable 2FA. This way, only designated users who receive a One Time Password will be able to log in. This can be activated in the Promotexter account settings.
Despite the stories, SMS remains a viable channel for brands to stay in touch with their customers and for OTP messaging. However, a strong focus on data security and privacy is essential from all parties, and it is important to only use responsible providers such as Promotexter that take the risks seriously and can reassure you that your data is safe.
If a provider is willing to sell you a database or list of mobile numbers, you should avoid working with them, as sending SMS to numbers that haven’t explicitly opted in is prohibited by the carriers and the telecom regulators.
Please talk with us if you need more information on the steps we are taking to protect you and your customers from the risks of Smishing and other attacks.
* Sender names or Sender IDs are the brand names that appear at the top of an SMS. SMS messages sent using a branded sender name (sometimes referred to as an SID) cannot be replied to.
** “SIM farms” describe the use of multiple SIM cards in modem devices connected to a computer to send mass SMS blasts or text blasts. Messages arrive on recipients’ phones looking as if they come from a personal mobile number. Typically, SIM farms misuse consumer “unli” plans, and carriers attempt to block them as soon as they appear.