What is smishing? Steps to protect yourself and your employees

Smishing: Phishing via text messaging


The next time you receive an unsolicited text message, pause before opening it. Smishing (a blend of "SMS", short message service, and "phishing") is phishing delivered through text or social media messaging. Depending on the cybercriminal's focus and expertise, a smishing attack can trick an individual into entering their login credentials on a fake website, installing an app laden with malware, or simply replying to a text with their username and password.

In more sophisticated smishing schemes involving financial institutions, cybercriminals attempt to log into a financial institution's website using stolen credentials. They know that this login attempt will cause the site to send a one-time password (OTP) to the legitimate user, the second factor required by a security control known as multi-factor authentication (MFA).

To circumvent MFA, which requires the user to submit the OTP during the login process, the attacker poses as the bank or financial institution, contacts the individual who received the OTP by text or phone, and asks them to share it. Having obtained the OTP from the actual customer, the criminal enters it to complete the login and access the individual's account.

Using that access, criminals steal funds from the account by the quickest means available, including wires, ACH transfers, and peer-to-peer (P2P) payments. They often move the money to overseas accounts, making it almost impossible to recover.

How big of a problem is smishing?

According to Proofpoint, an enterprise security company, the volume of smishing attacks is growing at an alarming rate: in 2023, 75% of organizations experienced smishing attacks.[1] Beyond the direct financial losses, which some experts peg in the hundreds of millions, a smishing attack can expose an individual's personally identifiable information, resulting in the stress and inconvenience of identity theft.

Did the pandemic make it easier to launch smishing attacks?

Throughout the pandemic, cybercriminals took advantage of the disruption to target increasingly isolated and anxious adults, and the volume of smishing attacks grew sharply. With many societies in lockdown, cybercriminals sent messages purporting to be from government agencies about loan programs, including emergency loan programs, the availability of vaccines, and other schemes. In the third quarter of 2020, at the height of the pandemic, Proofpoint reported a 328% increase in smishing.[2]

The threat facing remote and hybrid workers

As society has adjusted to life post-pandemic, many employees continue to work remotely for all or part of the work week. For some employees, working remotely means using personal and business devices interchangeably. Because employees switch between personal and business devices, smishing is particularly attractive to cybercriminals: a single successful message can unlock both personal and business-related data.

For example, an attack that succeeds via an individual's company-issued device can expose a business's finances, networks, and reputation to significant damage. A smishing attack delivered via a personal device can expose the individual's own data to the attacker, leading to one or more types of fraud.

Smishing will continue to evolve

To avoid detection and maximize their returns, cybercriminals continually refine their tactics. Instead of texting from distant area codes, some attackers spoof the sender number so that the message appears to come from a number with the intended victim's own area code. They might also spoof the number of a well-known business, medical facility, or government agency located near the intended victim so the message appears legitimate and the recipient is more likely to engage with it.

Protect yourself and your employees

Anyone who uses a smartphone or exchanges messages via social media must be aware of the threat and take steps to protect themselves. Employees can start with the following.

  1. Resist the temptation to act. Smishing messages urge individuals to act quickly, before they can scrutinize the message and question its legitimacy. Before opening a text and interacting with it, an employee should pause and give themselves time to think. They should be especially wary of texts that mention security, limited-time offers, or legal issues, as these themes are commonly used to trigger action.
  2. Businesses will not use texting to exchange sensitive data. While texting is a routine activity, for security and compliance reasons financial institutions do not use it to gather sensitive data. If in doubt, employees should delete the message and contact their financial institution directly through a known channel. If the message is legitimate and urgent, most institutions will follow up through other communication channels.
  3. Do not store sensitive data on your device. A smartphone that is always in its owner's possession can give a false sense of security. A successful smishing attack, for example one that installs malware, can expose the data stored on the device. Employees should exercise caution when storing personal data on their phones: they should not store complete passwords, bank account numbers, social security numbers, or any other sensitive data they would not want anyone else to access.

The magnitude of the losses from a smishing attack depends on the attacker's skills and their ability to use the data they steal; the more creative the attacker, the greater the potential for loss. Although some employees may find it hard to delete a text message without opening it, that is often the safest course of action.

Voya’s S.A.F.E. guarantee

Voya is committed to safeguarding your financial accounts and personal information from the risk of fraud, cyber threats and unauthorized activity. As part of this effort, we have established the Voya S.A.F.E.® (Secure Accounts for Everyone) Guarantee. If any assets are taken from your workplace retirement plan account or Voya-administered Individual Retirement Account* due to unauthorized activity and through no fault of your own, we will restore the value of your account. 

Learn About Voya’s S.A.F.E. Guarantee


[1] 2024 State of the Phish, Proofpoint

[2] Security Brief: Mobile Phishing Increases More Than 300% as 2020 Chaos Continues, Proofpoint

This information is provided by Voya for your education only. Neither Voya nor its representatives offer tax or legal advice. Please consult your tax or legal advisor before making a tax-related investment/insurance decision.

Products and services offered through the Voya® family of companies.

CN3857789_0926