Phishing SMS Attacks Accelerate Voice Attack Success

Posted November 23, 2021

If you follow cyber security, you are likely all too familiar with the social engineering attack called phishing where an attacker sends a fraudulent message designed to trick a human victim into revealing sensitive information. We’ve written previously on how to spot these types of attacks as well as how to avoid them and how to educate your employees. Phishing has been around for decades and the traditional attack vector is through vast email campaigns with very low success rates. But even though the success rate is low, the attackers make these vast phishing campaigns work for them through large numbers. These traditional phishing attack methods are in direct contrast to spear-phishing or whaling attacks where high-profile targets such as CEOs are directly targeted.

Spear-phishing campaigns, with their more targeted nature, will even utilize voice phone calls initiated by real human beings to further lure the intended victim. When voice calls are used, the attacks are known as vishing or voice phishing. Other more widespread vishing campaigns will use automated dialers and text-to-speech synthesizers to cast a larger net. Vishing attacks will often make false claims of fraudulent activity on the victim’s bank accounts or credit cards and spoof the caller ID to look like the call originated from the impersonated bank or institution.

The attacker’s goal in all phishing campaigns is to extract information they can use in subsequent attacks or to advance the current attack. In traditional phishing campaigns, this is usually accomplished by directing the victim to a fraudulent web page made to look like a legitimate resource where information is collected or the user is tricked into downloading malware.

With the rise in SMS usage for multi-factor authentication and even banking transaction and fraud alerts, savvy attackers are leveraging this SMS familiarization and adding traditional text messaging to their attack platforms. The phrase “smishing” has been dubbed for use when SMS is used as the attack vector.

In a smishing campaign, the attackers may send out millions of text messages such as the example below to begin an interaction with potential victims. Any targets who respond to the SMS message will then receive a voice call that looks like it originated from the financial institution (J.P. Morgan Chase in this example).

This combining of SMS messages along with voice call campaigns is finding a high success rate with targets because the process seems very legitimate. In some cases, the attackers are even calling the bank directly and impersonating the victim after the victim’s SMS response. This creates a contact record with the bank so a victim who calls the bank to confirm the contact is told the call was legitimate. And while the attackers have the victim on the phone, they may even send their own SMS verification code pretending to be part of the financial institution’s authentication process.

With the integration of SMS, voice, and email, phishing attackers are becoming very clever and also very successful in their scams. Some guidelines to help protect you and your employees from smishing and vishing are:

Never trust caller ID for identification
Only trust voice calls that you initiated to known or trusted phone numbers
Don’t follow links sent via SMS
Monitor and block suspicious outbound DNS requests
Implement scanning to ensure malicious files don’t reach the network or endpoints
Utilize sandboxing to detonate suspicious files
Require multi-factor authentication

Kevin Willette

Kevin Willette is Partner / CEO of Verus Corp. His focus is ensuring complete customer satisfaction and providing as much or as little support as is needed for the individual client. Kevin knows that plenty of places do IT services, but what sets Verus Corp apart is the local feeling and the commitment to doing things right the first time. He has always wanted to be a business owner because it affords him the opportunity to offer a service that was better than anything clients had seen before. His true goal is to help customers make their businesses better by removing potential IT barriers. Kevin served as chair for Habitat for Humanity during his time at Minnesota State University, Mankato. He has also served on the WatchGuard Advisory Council since 2016. Kevin’s work with Verus Corp has helped them achieve awards as the WatchGuard Partner of the Year and Cisco Select Partner. Kevin graduated from Minnesota State in 2000 with a major in Business Marketing and minors in Business Administration and Music.