Smishing: Cyber attackers use names you trust to hack your phone (October 21, 2021)
People could be forgiven for dismissing this Cyber Smart Week as yet another ‘awareness’ week, but – as demonstrated by the recent spate of cyberattacks targeting mobile phones using iconic New Zealand company names – ignoring it may be costly.
SMB cybersecurity expert Daniel Watson, author of the book ‘She’ll Be Right (Not!) – a cybersecurity guide for Kiwi business owners’, said that a flurry of texts (smishing) in recent weeks could dupe a higher number of Kiwis because the texts purport to be from recognisable companies like Mainfreight, Courier Post and Spark.
“Scam text messages that, for example, require confirmation of parcel delivery – and there’s a lot of online shopping going on under Covid lockdown – will install malware on your phone. This may enable criminals to steal your banking passwords to extract funds from your bank account.
“They go as far as to instruct the target on how to bypass their own phone’s inbuilt security system. In short, don’t trust apps that don’t come from one of the official app stores,” Watson said.
He warned that the ultimate goal for some may be to use employees’ phones to access the company that employs them.
“It is not uncommon, certainly for SMEs, to let staff use their phones for the business. If the employee accesses company systems using their phone – perhaps for email – there could be trouble.
“Attacks on mobile phones are not new, but they’re certainly upping the ante and getting smarter by using brand names you trust to cheat, rob and steal from you. Bear in mind most people are online shopping, which demonstrates a lot of forethought and strategic intent on behalf of the cybercrime syndicates.”
He offers the following advice to companies that need to improve the cyber security of their mobile phones:
- Put in place written policies for mobile devices
Regardless of whether staff use their phones or company phones, policies should apply specific rules and expectations.
“Does the employee know that if they have access to a company system, then in the event of it being lost, they are required to report it and that it may be wiped remotely by the company? Does he or she know that the phone should also have password protection on it at boot?
“If you don’t have those policies in place, staff may not report it, or they may object to sending a remote wipe signal. You want to avoid that because every minute counts.”
- Ensure compliance
Watson said cybersecurity is not something anybody, let alone a business, can afford to take lightly.
“If you have written policies, educate, maintain awareness and enforce when necessary. Use tools, like Microsoft 365’s low-cost license upgrade for mobile device management, to make your phones as safe as possible.”
- Install endpoint protection
Watson said anti-virus and other protection software is a must for mobile devices. Some protection software is even free and will help the company maintain control over mobile devices within the company’s ecosystem.
“You need to be intentional about this,” Watson said. “Individuals and companies have to be lucky all the time. A cybercriminal only needs to get lucky once.”