
Business defences against smishing

by Mark Rowe

Don’t take the bait, says Calum Baird – Digital Forensics and Incident Response Consultant at Systal Technology Solutions, the network and cloud services firm. Smishing is reeling in businesses, he writes.

Smishing has quickly become a major cybersecurity concern for businesses. In fact, in 2023 alone, nearly 75 per cent of organisations worldwide were targeted by smishing attacks. As mobile phones remain an essential communication tool for many employees, cybercriminals continue to recognise the value of using them as an attack vector to gain access, steal data, and commit fraud.

What is ‘smishing’?

Smishing is a form of phishing that uses SMS or messaging apps to deceive victims. The term itself is a combination of:

– SMS (Short Messaging Service): The technology used for text messaging on mobile phones.
– Phishing: A social engineering tactic in which cybercriminals use fraudulent messages (most commonly emails) to trick victims into revealing sensitive information or taking harmful actions.

Unlike traditional phishing, which typically arrives by email, smishing uses messaging platforms such as WhatsApp, Telegram or SMS to impersonate businesses, government bodies and even colleagues. These messages usually manufacture urgency, pressuring the recipient into clicking a malicious link, installing malware or transferring money directly.

Since smishing targets mobile phones, cybercriminals have two primary attack avenues to infiltrate businesses: personal devices and work devices. Both can provide access to business resources, such as Microsoft Teams or Slack.

Personal devices used to access business resources pose significant security risks, whether they are permitted under a Bring Your Own Device (BYOD) policy or used without organisational approval, a practice known as “shadow IT”. Company-issued devices are exposed too: although they typically carry security controls, those controls do not stop an employee acting on a deceptive message. In either case, a compromised handset gives attackers a route into corporate networks, sensitive data and the ability to deploy malware, which is why smishing is a serious business threat.

Business risks

Smishing attacks pose significant threats to businesses, with consequences that can negatively affect operational capability, finances, reputation and staff morale.

One of the most severe risks is a data breach, where cybercriminals gain access to sensitive company information. Stolen data – customer or employee records, financial details or confidential operational information – can be sold on the dark web, used for identity theft, or leveraged in ransomware attacks. In some cases attackers demand a ransom in exchange for deleting the stolen data rather than leaking it, putting businesses in a difficult position.

A successful smishing attack can also lead to widespread operational disruptions. If malware infiltrates a company’s network, IT systems may be compromised, leading to downtime and lost productivity. Employees could be locked out of critical applications, delaying service delivery, halting business processes, and increasing pressure on IT teams to contain the damage.

The financial toll of smishing can also be substantial. Businesses risk fraudulent transactions, where attackers manipulate employees into making unauthorised payments. Regulatory fines may follow if customer or employee data is exposed in breach of compliance requirements such as GDPR. Cyber insurance premiums can rise after an attack, as insurers reclassify the business as a higher risk, and if controls required under the policy were not in place (for example technical controls preventing the use of shadow IT) the insurer may refuse to pay out at all. Recovering from an incident also requires significant investment, as does closing the security gaps the incident exposed and improving the organisation’s overall security posture.

With these risks in mind, a multi-layered cybersecurity approach, often referred to as defence in depth, is key to protecting businesses from smishing attacks.

Employee training should be the cornerstone of every company’s cybersecurity strategy. Regular cybersecurity awareness programmes help staff recognise and respond to smishing attempts, reducing the risk of successful attacks (in 2023 figures, a reported 70 per cent reduction in security-related incidents). Clear policies matter too: a comprehensive Bring Your Own Device (BYOD) policy ensures that personal devices accessing company data adhere to strict security guidelines.

Improving technical defences also strengthens a business’s protection from smishing. Mobile Device Management (MDM) software, enforced security updates, and regular compliance audits help safeguard company data and mitigate risks. Fostering a workplace culture where employees can report smishing attempts without fear of blame, a “just culture”, also improves detection and response, creating a security-conscious environment where the focus is on continuous security improvement rather than blaming individuals.

Investing in a Security Operations Centre, whether in-house or outsourced, further adds another layer of protection by providing continuous monitoring and rapid response capabilities against cyber threats.
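The indicators described above – a known brand named in the message while the link goes to a domain that brand does not own, pressure language, shortened links and links to raw IP addresses – can be scored automatically when staff forward a suspicious text to the security team. The triage helper below is an added example written for this page; it is not code from the article, from Systal or from any named product. The brand list, the “legitimate” domains and the four sample messages are constructed for illustration.

```python
"""Heuristic triage for smishing messages reported by staff.

Added example, not code from the original article or from Systal. Brands,
domains and sample messages are constructed for illustration only.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical: brands staff are likely to see impersonated, mapped to the
# domains those brands genuinely use. In practice this comes from your own
# supplier and partner list.
KNOWN_BRANDS = {
    "acmebank": {"acmebank.example"},
    "parcelco": {"parcelco.example"},
}

# Pressure language typical of smishing lures.
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "urgent", "final notice", "act now",
    "verify now", "your account will be", "account suspended",
)

# Public URL shorteners: they hide where the link really goes.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)

    @property
    def label(self) -> str:
        if self.score >= 4:
            return "likely smishing"
        if self.score >= 2:
            return "suspicious"
        return "low"


def extract_urls(text: str) -> list[str]:
    """Pull http(s):// and www. links out of a message body."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating bare 'www.' links with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Good enough for the demo; use a
    public-suffix list (e.g. tldextract) in production so co.uk-style
    suffixes are handled and an IP literal is returned unchanged."""
    if is_ip_literal(host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage(message: str) -> Verdict:
    """Score one reported message against the smishing indicators."""
    v = Verdict()
    lowered = message.lower()
    v.urls = extract_urls(message)

    for phrase in URGENCY_PHRASES:          # one point per distinct phrase
        if phrase in lowered:
            v.score += 1
            v.reasons.append(f"urgency phrase: {phrase!r}")

    for url in v.urls:
        host = host_of(url)
        rd = registrable_domain(host)
        if rd in SHORTENERS:
            v.score += 2
            v.reasons.append(f"shortened link hides destination: {host}")
        if is_ip_literal(host):
            v.score += 2
            v.reasons.append(f"link points at a raw IP address: {host}")
        # Impersonation: brand named in the text or embedded in the hostname,
        # but the link's registrable domain is not one the brand owns.
        for brand, legit in KNOWN_BRANDS.items():
            if (brand in lowered or brand in host) and rd not in legit:
                v.score += 3
                v.reasons.append(f"mentions {brand} but links to {rd}")
    return v


# Constructed sample messages (not real texts); the .example TLD and the
# 192.0.2.0/24 range are reserved for documentation.
SAMPLE_MESSAGES = [
    "AcmeBank: Your account will be suspended within 24 hours. Verify now at "
    "http://acmebank-secure-login.example-verify.net/auth",
    "AcmeBank: your October statement is ready to view at "
    "https://online.acmebank.example/statements",
    "Parcelco: a customs fee is outstanding on your delivery. Pay immediately: "
    "http://192.0.2.10/pay",
    "Delivery update: https://bit.ly/parcel-xyz",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = triage(msg)
        print(f"[{result.label:16}] score={result.score} {msg[:60]!r}")
        for reason in result.reasons:
            print("    -", reason)
```

The score is a prioritisation aid for an analyst, not a verdict: a legitimate message that names a brand while linking to an unrelated event or survey site will score as impersonation, so flagged messages should be reviewed rather than auto-blocked. In a real SOC pipeline the registrable-domain check should use a public-suffix list, and the extracted URLs would also be passed to a reputation or sandbox service.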

Many risk mitigation strategies can be implemented at little to no cost, making cybersecurity accessible for businesses of all sizes. While the return on investment may not be immediately visible, the value lies in preventing costly cyber incidents. Avoiding operational disruptions, financial losses, and reputational damage caused by a successful attack far outweighs the expense of proactive security measures. Strengthening defences against smishing and other cyber threats is not just a precaution but a critical investment in long-term business resilience.
