African Tech Voices EXCLUSIVE: Getting ahead of smishing in Africa
Africa is a continent where the use of mobile devices is not just a preferred means of communication, but the population’s direct link to the outside world. In Kenya mobile penetration grew 11% between January 2020 and January 2021, to 59.24 million mobile connections with a penetration rate of almost 109% (many people have more than one SIM card) according to the Digital 2021: Kenya report from DataReportal.
Then in South Africa there are almost 96 million mobile subscriptions in a population of approximately 59 million people, with a 162% mobile penetration rate ranking as one of the highest in the world.
It’s a hotbed for security risks as cybercriminals are continually searching for more innovative ways to exploit this for their own gain. With mobile usage comes mobile threats, and we find ourselves in the era of smishing and a time when no mobile device can be considered safe from attack.
According to Palo Alto Networks, smishing refers to text messages sent by attackers to gain personal and sensitive information. Like phishing, smishing attacks rely on tricking users into clicking a link to provide sensitive information, for instance, login credentials. In turn, these can be used to access target systems or even install malware.
Users in Ethiopia receive nearly 120 spam texts per month, the highest in the world; South Africa and Kenya round out the top three, and Nigeria is also in the top ten. Fast forward to the present and the increasingly connected world we live in, and one can only imagine how significantly these figures have grown.
What makes smishing such an appealing form of attack is the relative ease of obtaining phone numbers. Unlike email addresses, phone numbers follow a specific pattern, which makes it easy for malicious users to automate the generation of number combinations and blast out smishing messages at scale. Added to this, people tend to trust the text messages they receive more than emails.
With high unemployment rates across the continent (Mozambique 25%, Angola 30%, Nigeria 33% and South Africa 34%), it is no surprise that mobile users can easily be lured by the promise of winning money or getting a much-needed job interview via an SMS. Because phone numbers are often associated with social media accounts, attackers have access to a treasure chest of information with which to make smishing attempts more personalised and, therefore, more likely to succeed.
Adding further impetus to this is the fact that many mobile phone users are often distracted when it comes to their text messages. They are more likely than not to skim a message instead of reading it carefully, potentially clicking on a malicious link in the process. Like email, it is critical for mobile phone users to scrutinise phone numbers, read messages carefully, and never click on an unfamiliar link.
Smishing spotting 1-0-1
Even though the medium might differ, smishing attacks follow a similar modus operandi to traditional phishing attacks. Cybercriminals are searching for credit card details, login credentials, or other sensitive information they can use to access the corporate back end.
The potential for identity theft is significant in spear-phishing campaigns that focus on specific targets, for instance when attackers lure C-suite executives into clicking a malicious smishing link. This can enable the attacker to spoof the compromised person’s email account and phone number, unlocking a potential for fraud from which neither the individual nor the business will easily recover.
The security company Palo Alto Networks states that a common smishing attack involves banking services. In these, smishing messages purport to come from a legitimate financial institution, and they are often made to appear time sensitive to push victims into logging in without thinking critically. The best way to react to such a message is to bypass the link and go directly to the bank itself: visit the bank’s website, log in to its app, or call a local branch to verify whether there is any issue with the account.
Another example of a smishing attack takes advantage of multifactor authentication (MFA). Attackers send text messages urging users to sign in via a link, and the linked pages are built to look like the authentic credential sites with which users are familiar.
To safeguard against this, we advise users to think carefully about their previous interactions with the bank or other financial institutions. If this is not a normal way to verify their identity, then chances are it is an attempted smishing attack. While some cybercriminals are taking advantage of MFA, the added security provided by MFA remains an incredibly important defence against these and other forms of cybercrime.
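As an added illustration, not code from the article or from Palo Alto Networks, the following script triages SMS text for the indicators described above (a link, urgency, bank impersonation, a credential or prize lure, an unregistered numeric sender) and runs it over constructed sample messages; the keyword lists, verdict thresholds and sample numbers are assumptions for demonstration.

```python
import re

# Indicator lists are assumptions for illustration, drawn from the smishing
# patterns described above; they are not a production filter.
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:com|net|org|ly|xyz|link|co\.za|co\.ke|ng)\b\S*", re.I)
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "locked", "act now", "expires")
FINANCE = ("bank", "account", "payment", "refund", "card")
CREDENTIAL = ("login", "log in", "sign in", "password", "pin", "otp", "verify your")
LURE = ("you have won", "prize", "job interview", "selected", "claim")

def score_sms(sender: str, text: str) -> dict:
    """Return the indicators found in one message and a coarse risk verdict."""
    t = text.lower()
    found = []
    if URL_RE.search(text):
        found.append("link")
    if any(w in t for w in URGENCY):
        found.append("urgency")
    if any(w in t for w in FINANCE):
        found.append("financial")
    if any(w in t for w in CREDENTIAL):
        found.append("credential_request")
    if any(w in t for w in LURE):
        found.append("lure")
    # A bare phone number instead of a registered sender ID is only a weak signal on its own.
    if re.fullmatch(r"\+?\d{7,15}", sender):
        found.append("numeric_sender")
    # The core smishing pattern: a link paired with a reason to click it right now.
    if "link" in found and any(k in found for k in ("credential_request", "urgency", "lure")):
        verdict = "high"
    elif len(found) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "indicators": found}

def triage(messages):
    """Score a batch of {'sender', 'text'} dicts; returns (sender, verdict) pairs."""
    return [(m["sender"], score_sms(m["sender"], m["text"])["verdict"]) for m in messages]

# Constructed sample messages (not real traffic); the OTP and reminder are benign controls.
SAMPLE_SMS = [
    {"sender": "+27820000001", "text": "Your bank account has been suspended. Verify now at http://secure-bank-login.example/verify within 24 hours"},
    {"sender": "+254700000002", "text": "Congratulations, you have won KES 50,000! Claim your prize at bit.ly/xyz123 before it expires"},
    {"sender": "MyBank", "text": "Your one-time PIN is 482913. Do not share it with anyone."},
    {"sender": "27123", "text": "Reminder: your appointment is tomorrow at 10:00. Reply STOP to opt out."},
]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_SMS):
        print(f"{sender:>14}  {verdict}")
```

The benign OTP message scores low because it carries no link, which is the same test the article recommends: a message that asks you to follow a link to log in is the one to distrust.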
Bolstering your smishing defences
Like phishing, smishing is a form of social engineering. The best defence is, therefore, to be as critical of every text message received as one would be of an email. People should never feel obligated to respond to a strange text, and they must never click on a link they are unfamiliar with.
Palo Alto Networks also advises that one of the best ways to mitigate against the constant risk of smishing attacks is for companies to embark on ongoing user education and awareness campaigns. Organisations must train and test their employees on how to identify smishing messages. This will significantly reduce the likelihood of a successful attempt.
Beyond education and awareness, a company must also consider adopting a Zero Trust stance, under which no device, application or user accessing the network is implicitly trusted; instead, identity must be verified before access is granted within the organisational perimeter. This is where solutions like endpoint detection and response (EDR) provide broad visibility and machine learning-based detection for real-time threat analysis. EDR can be paired with a security orchestration, automation, and response (SOAR) platform for automation-based threat response.
We live in a time where no SMS or email can be trusted by default. Users need to be aware of this to avoid falling foul of the growing scourge of smishing and phishing.