Phishing, Spear Phishing, and Smishing: IT Cyber Risks for Smartphones and Small Business Providers

May 2, 2018

Guest post by Anthony Hargreaves, MBT, CISA, CRISC

Small business providers rely heavily on the most current and innovative methods of sending and receiving vital business information: to their customers, to and from their vendors, and across operations. Advertising campaigns often use the latest social media platforms to promote discount codes and payment methods as a means of staying up-to-date and securing important sales and added market exposure. The modern customer demographic also increasingly relies on smartphones as a preferred communication tool and as a means of managing their lives, purchasing habits, business relationships, and finances. Email is still a lifeblood of communication, but text messages are becoming an easier, quicker method of staying in touch.

In this technologically connected environment, it’s more crucial than ever that your business’s IT and HR contacts have a policy covering the use of smartphones (both from inside and outside of the business), the risks they pose, and how email and text messages are used.

The public and businesses are becoming more aware of the threat of phishing emails and the recent spike in so-called “spear phishing” attacks. Phishing emails are broad attacks that may be addressed to either your employees or your customers. Usually there’s a link in the email which, if clicked on, will either redirect the target to a bogus web site or potentially install malicious software on the user’s device.

Spear phishing is a more direct, focused attack in which the hackers incorporate personalized pieces of information they’ve gained via social engineering or digital profile harvesting. An easy way they accomplish this is by visiting your website, matching board level executives with their LinkedIn profiles, cross-referencing this with Facebook profiles, and spoofing a website domain similar to your own. (Example: www.savelives.org becomes www.save-lives.org; notice the extra hyphen.)
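A mail filter or reviewer can check sender domains for this kind of imitation. The sketch below is an added example, not part of the original post: it uses the article's savelives.org as the trusted domain, the sample addresses are constructed, and the function names and the one-typo threshold are assumptions.

```python
# Added example: flag sender domains that imitate the organization's own domain.
# Assumption: savelives.org (the article's example) is the only trusted domain.
TRUSTED = {"savelives.org"}
# Undo common digit-for-letter swaps; hyphens are deleted (the article's trick).
FOLD = str.maketrans("0135", "oles", "-")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip(" <>\t\r\n").lower().rstrip(".")

def classify(address, trusted=TRUSTED, max_typos=1):
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender address."""
    domain = sender_domain(address)
    if any(domain == real or domain.endswith("." + real) for real in trusted):
        return "trusted"
    for real in trusted:
        brand = real.split(".")[0].translate(FOLD)
        # Compare every label, so the brand is caught under another TLD or
        # when it is buried inside a longer host name.
        for label in domain.split("."):
            if edit_distance(label.translate(FOLD), brand) <= max_typos:
                return "lookalike"
    return "unrelated"

# Constructed sample senders, not taken from any real mail log.
SAMPLES = ["ceo@savelives.org", "ceo@save-lives.org", "ceo@save1ives.org",
           "it@savelives.org.example.net", "news@example.com"]

if __name__ == "__main__":
    for sender in SAMPLES:
        print(f"{classify(sender):9}  {sender}")
```

For a short organization name, set `max_typos=0`, since a one-character tolerance will match unrelated words.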

With all that relevant information, hackers can then craft a convincing email to the finance or HR director that appears to come from a “business executive member” requesting sensitive information such as W-2s or a wire transfer. The hacker may even time this email for when they know the business owner or treasurer is on vacation, thanks to vacation photos the owner or treasurer has uploaded to social media or an airport check-in status update from their Facebook account.

All too often, the natural human desire to help prompts us to act quickly and respond to what appears to be a legitimate work email. That response is what hackers are counting on to compromise your business, cause you to lose valuable funds, or damage the trust your customers and clients have in your organization.

As more people become aware of these types of phishing email attacks, and your IT department gets better at filtering them out, hackers are now moving towards targeting smartphones with “Smishing” attacks. Smishing, short for SMS + phishing, uses legitimate-looking text messages containing fraudulent links. Many people trust incoming texts more than they trust emails. Adding to this mix, many 2-Factor-Authentication (2FA) apps and banking organizations use your phone to send you legitimate authorization codes. It’s no wonder that hackers are using this “trust” factor as another way to target people and organizations.

These nefarious text messages may be disguised as an alert from your bank about suspicious activity, as discount or coupon codes, or as a bulletin update from a favorite business or loyalty program. Clicking the link within the text message is just like clicking a link within a phishing email. You may be redirected to a bogus website or potentially allow malware to be downloaded on your phone. It may even install a key logger to track everything you type and cause all the accounts associated with your phone to be compromised.

So how do you combat smishing attacks?

It’s become more crucial than ever for your business organization to have a cybersecurity program. This is a security awareness initiative that regularly provides information about different security issues and risks your organization faces. It needs to be communicated to both internal and external audiences. At a minimum, you want to provide annual security awareness training for onboarding new staff and on-going training for current employees. Have some key IT security policies in place such as:

  • Information Security Policy (InfoSec)
  • IT Acceptable Use Policy
  • Bring Your Own Device Policy (BYOD)
  • Security Incident Response Plan (SIRP)

Your management team must do its due diligence and be regularly apprised of your organization’s security posture. It’s imperative to establish some regular cadence of communication and reporting. A key step for getting this process started is by performing a formal risk assessment. A risk assessment helps baseline the organization and provides visibility into the operations and risks your business faces.

If your organization uses smartphone media technology such as Twitter, Facebook, or a discount coupon app, then smishing will be a potential risk for you. How aware are you of the risks from an end user, IT department, finance, or brand perspective? The trust relationship your organization has with your employees and customers must be protected.

If you need some more information on this subject, or want to talk with Clark Nuber about performing a risk assessment for your organization, please contact Anthony Hargreaves at info@clarknuber.com.

Bio: Anthony Hargreaves has been Principal at Clark Nuber PS since January 1, 2016. Mr. Hargreaves joined Clark Nuber PS from Ernst and Young where he enjoyed clients across a broad range of industries. He has extensive IT experience on consulting matters ranging from IT assurance, SOC1 & 2 reports, ERP implementation, cybersecurity programs, to cloud strategy adoption. He is a CRISC and CISA Certified Auditor, and he holds memberships in several professional organizations including ACFE, ISACA, and IIA. Mr. Hargreaves has a Master’s of Business and Technology from the University of South Wales and is passionate about bringing scalable cybersecurity programs to Not For Profits and Small Business owners.