When it comes to social engineering attacks, phishing is what always comes to mind first. We tend to forget, however, that what makes a phishing attack succeed isn't unique to email; email is simply the medium attackers choose most often. The tactics that hit our inboxes (offers of rewards, time-based pressure, fear-mongering) can be just as effective in an SMS or chat message as in an email.
There has been an almost singular focus on email-based attacks, but our 2018 State of the Phish™ Report revealed that 45% of organizations experienced a social engineering attack by phone (vishing) or by SMS/text message (smishing) last year. Compounding this, when we analyzed data from our ThreatSim® Smishing Simulation tool, we found that end users were just as likely to fall for a simulated smishing message as for a simulated phishing email: both had an average 9% failure rate across all users in all industries. At a minimum, these statistics show that attackers are branching out beyond email and that users are just as susceptible to these alternative types of attacks.
One critical ingredient in the success of social engineering scams is trust. In the early days of email, nearly all users inherently trusted that the "from" address on an email could not be forged. (As such, they believed that the Nigerian prince really did hope they could help him.) In reality, the From header is text supplied by the sender, and only later controls such as SPF, DKIM and DMARC gave receiving systems a way to check whether it is authorized for the sending domain. Over time, many users have been educated and have come to learn that they can't blindly trust email. But at the root of that change in behavior is the effort employers and other organizations, including media companies, have put into anti-phishing training and into raising public awareness of email-based scams.
The same efforts haven’t been extended to elevate awareness related to vishing and smishing attacks. And in some ways, these media feel much more personal; when someone calls or texts, it feels like a more “qualified” contact than an email. As infosec professionals, we find ourselves in a situation similar to the early days of email, with attackers exploiting platforms in which users tend to blindly trust the authenticity of the person on the other end.
Something we've been thinking about lately at Wombat is what will happen when attackers begin to leverage more trusted messaging platforms, such as corporate chat applications. We inherently trust the messages we receive through these systems because, historically, they've been harder for attackers to reach. These applications used to be hosted on-premises, inside the organization's network perimeter and blocked off from public access. But with more and more of these systems moving to or being native to the cloud, and with products adding APIs to support integrations, the attack surface continues to grow: a compromised account, a leaked integration token, or a vulnerability in the platform itself can put an attacker inside a channel your users treat as internal. A fair question to ask is what would happen if an attacker used the real-time, conversational nature of your chat system to build a strong back story (a more believable one than they could via email) and then shared a phishing link or malicious attachment. Would your users be able to figure it out? Would you?
Ultimately, all of this reinforces the importance of supplementing assessments with comprehensive and in-depth training. The volume and variety of email-based phishing attacks an organization faces can be overwhelming on their own; combined with the growing number of channels through which users can be attacked, it's clear you simply can't educate effectively through assessments alone. Supplementing simulated attacks with additional security awareness training not only helps fill the email phishing knowledge gap, it is the most effective way to build the generalized knowledge that helps employees understand how attackers operate, regardless of the platform.