Smishing, the use of phishing within a text message format, is a technique used by scammers to misappropriate personal data and bank account details, and it is rapidly on the rise. You will probably be reading about it more often in the news and thinking it won’t impact you. I suspect, though, that there are few of us who haven’t received a text of this type in the last month which we’ve had to dodge. These texts usually look like messages from a trusted or expected source, such as a courier, online service provider or bank, with an embedded link that the sender is trying to entice you to click so that they can draw you in and extract target data. You should look out for text messages that have no attached number, or those that are from familiar brand name companies (like couriers) but with different text formats. However, more sophisticated attacks could be from numbers you have already associated with suppliers you use (i.e. cloned numbers), making them harder to identify.

While the direct threat is obvious, one of the side effects of this relatively new issue is that it undermines user confidence in the information they are receiving on their mobile device. Phishing emails are now largely neutralised within email services by anti-spam services that are built into both corporate and consumer email clients, but the protection you receive from your operator has not yet caught up with the threat of smishing. Given that many online services have implemented two-factor authentication and mobile numbers are part of many backup recovery processes, this could quickly become difficult to manage as circulation of your mobile number increases.

Smishing and healthcare workers

Within healthcare, the use of mobile apps to assist with the delivery of care is rapidly on the rise. Healthcare workers are often mobile themselves and benefit from receiving the information they need at the point of care. However, many rely on consumer messaging services, which can easily be confused with text messages. Responding quickly becomes second nature, which could be dangerous given what clicking on a smishing text can lead to.

In addition, many mobile app providers use an SMS link as part of their initial sign-on process to authenticate users, or as an alternative communication channel should Wi-Fi not be available. At Alertive, as a provider of software for critical communications, we have already reduced the use of SMS as a backup channel significantly. However, where SMS is necessary, we are looking to remove the use of links altogether. We want our users to be fully confident of the integrity of all communications that take place using our products.

Reducing the risk

If you operate within a facility like a hospital, one of the best things you could do would be to control the channel, which means testing your Wi-Fi connectivity and addressing any black spots. Coupled with a secure communication solution, this can protect users from having to use SMS for work when there is often insufficient time to carefully consider whether a message is authentic or not.

For those who are more mobile, like ambulance service workers, we need to look at how critical communications are formatted within text messages to see how they can stand out.

It’s also important that staff are kept updated on these risks through the usual channels. Organisations should add information on how to identify smishing to their Information Security training materials, as well as what can be done to report these issues. Regular Information Security updates will also help. The NCSC provides useful guidance in “Dealing with suspicious emails and text messages” and “Phishing: how to report to the NCSC”.

Which? also provides a useful summary of the different types of phishing/smishing being seen here: Which Conversation – Tag: smishing

We will continue our push to move users off consumer messaging onto our secure platform, and we will accelerate our efforts to monitor irregular behaviour within communication patterns and the potential risks this can introduce. We’ll continue to monitor how new security threats that are relevant to the delivery of care in general can be addressed and share this information when it seems relevant.