Case Insurance

Top 5 tips to protect your business against smishing attacks

They have your phone number. And they know who you are: a curious but cautious business owner. With data in their hands, they may have tracked some of your employees as well. Cyber attackers now know that a lottery ticket or a ‘you have won’ reward link no longer helps them phish anybody. People have gotten smart. So how do they continue infiltrating organisations? And is the fall-out of this cyber attack included in your cyber insurance coverage?

With Smishing! Smishing is a type of cyber attack, wherein you receive a compelling text message that tricks you into clicking a link and sending the attacker private information or downloading malicious programs to a smartphone - it could be your personal or company phone.

The IC3 (Internet Crime Complaint Center), the FBI’s cybercrime complaint division, reported over 240,000 victims of phishing, smishing, vishing (phishing over the phone, where a hacker makes a phone call or leaves a voice message) and pharming (when a hacker redirects users to a fake site in order to steal their sensitive info), costing over $54 million in losses.

Before we delve into your cyber insurance coverage details, let’s take a look at the 6 common sleazy smishing messages that are actually masked cyber attacks.

6 Common Smishing Messages

Here are 6 common messages that are seemingly normal, but are in fact smishing/potential cyber-attacks:

  1. A message claiming to be from a financial institution, saying the recipient’s bank account is locked or experiencing suspicious activity and asking them to click a harmful link to remedy the issue.
  2. A message impersonating a well-known retailer (e.g., Amazon, Costco or Walmart), encouraging the recipient to download a malware-ridden application to receive a gift card or similar prize.
  3. A message claiming to be from an attorney or law enforcement, saying the recipient is facing legal trouble or criminal charges and urging them to call an unknown number for more information.
  4. A message impersonating the government, asking the recipient to click a suspicious link for details on their taxes or participation in a federal loan program.
  5. A message claiming to be from a research organization, requesting that the recipient download a malicious application to complete an informational survey.
  6. A message impersonating a delivery service, informing the recipient that they are receiving a package and providing them with a fraudulent link for tracking the item.

If a recipient is tricked into doing what a smishing message asks, they could end up unknowingly downloading malware or exposing sensitive information, such as login credentials, debit and credit card numbers or Social Insurance Numbers. From there, cybercriminals may use the information they obtained from smishing for several reasons, such as hacking accounts, opening new accounts, stealing money or retrieving additional data. Since individuals may use their smartphones for work-related tasks, smishing has the potential to impact businesses as well. For example, an individual who falls for a smishing scam could inadvertently give a cybercriminal access to their workplace credentials, allowing the criminal to collect confidential data from the victim’s employer and even steal business funds.

There are two parts to such cyber attacks for your business:

  1. Pre-attack preparedness: methods to implement within your organization and reviewing your cyber insurance coverage.
  2. Post-attack action: how to lodge a complaint with the right authority.

Top 5 tips to protect your business against smishing

Here are the top 5 tips that you can implement to effectively minimize smishing exposures and prevent related cyberattacks:

Conduct Employee Training

The best way to prevent a cyber attack is through awareness. This can be done by conducting training for employees and raising awareness regarding smishing detection and prevention. This training can instruct employees to:

  • Watch for signs of smishing within their text messages (e.g., lack of personalization, generic phrasing and urgent requests)
  • Refrain from interacting with or responding to messages from unknown numbers or suspicious senders
  • Avoid clicking links or downloading applications provided within messages
  • Never share sensitive information via text
  • Utilize trusted contact methods (e.g., calling a company’s official phone number) to verify the validity of any request sent over text
  • Report any suspicious messages to the appropriate parties, such as a supervisor or the IT department

Ensure Bring-Your-Own-Device Procedures

Most businesses allow employees to bring their personal phones to the workplace, and some even require employees to use them for business purposes. In such cases, procedures such as using a private Wi-Fi network, implementing multifactor authentication capabilities, conducting routine device updates and logging out of work accounts after each use are some solid ways to prevent cyber attacks. These procedures can help deter smishing attempts and decrease the damages that may ensue from smishing incidents.

Implement access controls

Another important method to curb smishing infiltration is to leverage encryption services and establish secure locations for backing up critical data in your organization. This helps control access to your organization’s sensitive information.

Utilize proper security software

Always ensure company-owned devices are equipped with adequate security software. In most cases, this software can halt infiltration by cybercriminals, stopping smishing messages from reaching recipients’ devices and rendering harmful links or malicious applications ineffective. Ensure all smartphones used in the organization have antivirus programs, spam-detection systems and message-blocking tools. Security software is most effective when routinely updated.

Purchase sufficient cyber insurance coverage

Most business owners may not be fully aware of all the cyber coverage that their commercial insurance policy entails. If that’s you, then it’s vital for your business to secure proper cyber insurance to protect against potential losses stemming from smishing incidents. You can always reach out to a trusted insurance professional to discuss the level of cyber insurance coverage for your particular business needs.

What to do in the case of a smishing attack?

If you suspect that you or someone from your organisation has fallen victim to a smishing scam, don’t hesitate to contact the Canadian Anti-Fraud Centre to report it.

Canadian Anti-Fraud Centre Contact:

  • Website: https://www.antifraudcentre-centreantifraude.ca/
  • Toll free: 1-888-495-8501
  • Hours: Monday to Friday, from 9 am to 4:45 pm (Eastern time). Closed on holidays.

Purchasing sufficient cyber insurance coverage that is best suited to your business needs is your armor in prevention and protection against smishing. Connect with Case Insurance Brokers to learn more about how to insure your business against cyber smishing. Reach out to us here: caseinsurance.ca

Additional Resources

  • Please find Risk Management Planning Documents, Risk Identification Tools and Risk Information on a wide range of topics here.