Just about everyone is familiar with the concept of “phishing” attacks. Scammers and cybercriminals have been using them for nearly as long as email has been around, sending thousands (even millions) of emails designed to trick recipients into giving away money, personal information, or other valuables. Phishing was one of the earliest cyberattacks based on social engineering, targeting not a weakness in the security or network infrastructure itself, but the humans using and supporting it.
Ask most people and they will say they think they are smart enough to sniff out a phishing email. However, phishing remains popular because it still works—after all, humans are prone to human error, and attackers only need a handful of victims to fall for the scam out of the millions of people they target.
For IT and business leaders looking to help their employees—and thus their organizations—avoid becoming the next victims, Public Key Infrastructure (PKI) can help. To shore up their network infrastructure against even social engineering attacks, enterprises can deploy PKI and stop email phishing and its text-based offshoot, smishing, in their tracks.
The Rise in Phishing and Smishing
The COVID-19 pandemic spurred a massive shift to remote work. Cybercriminals jumped on the opportunity to take advantage of distracted and isolated workers separated from their usual support systems and IT safeguards. This prompted an unprecedented increase in phishing attacks, with some enterprises estimating a rise of 667 percent in phishing emails in the first month of the pandemic alone. Google also indicated that it registered a record 2 million phishing websites in 2020.
More recently, “smishing” has become a problem. Smishing, a portmanteau of “SMS” and “phishing,” uses essentially the same social engineering tactics as standard phishing attacks, but delivers them via SMS, the most widely used text messaging service. Unfortunately, while people are generally on the lookout for phishing emails, they are not yet conditioned to expect text-based scams. This has created yet another opportunity for attackers, who have adopted smishing techniques en masse, prompting the FBI to issue a warning to smartphone users to be on the lookout for these scams.
While the crime of smishing is still relatively new, it has already made a significant impact. The FBI’s Internet Crime Complaint Center reports smishing attacks cost Americans in excess of $54 million in 2020—a number expected to rise significantly in the coming years. And while many of these attacks target individuals, like phishing they represent a potential gateway into corporate networks—which means taking steps to protect employees from both phishing and smishing attacks should be a priority for all organizations.
Addressing the Smishing Menace
When it comes to stopping smishing, employee training isn’t enough. Decades of training workers to watch out for suspicious-looking emails hasn’t stopped phishing attacks, and it isn’t likely to work for smishing either. This isn’t to say training isn’t a good idea—it absolutely has a place—but it’s not going to solve the problem on its own. And fake texts can be especially difficult to spot, since most people won’t question a text message that appears to be directly from their boss or IT manager.
As with email, this is the result of a system without inherent authentication or trusted identities. Both text and email identities are dangerously easy to spoof, which makes employees sitting ducks for phishing and smishing attacks.
Worse still, even when an attacker is caught using a spoofed identity, there is little recourse for the victim and rarely any consequence for the attacker. Today, any attacker can send a password reset request, package delivery notification, or other message designed to trick the recipient into inputting personal information—and most will be none the wiser.
While there are a number of candidates for achieving the necessary levels of trusted identity, the primary—and most ubiquitous—one is PKI technology. PKI technology can be used to integrate cryptographically provable identity across every device. In fact, it is already used to secure websites, email servers, IoT devices, and more.
PKI-backed digital certificates serve to identify and authenticate users within an organization so those receiving an email or text message can be certain the sender is, in fact, who they claim to be. Rather than double-checking email addresses or phone numbers for every incoming message, employees can simply confirm at a glance whether a valid digital certificate is in use, making it easier than ever to identify potential scams.
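The checks a receiving client has to make before it can trust a sender's identity, as an added example written for this page rather than code from the original article or from any vendor product. It uses only the Go standard library and assumes a constructed internal CA ("Example Corp Internal CA") and constructed addresses (alice@example.com, mallory@example.com). Real mail clients carry the certificate and signature in an S/MIME (CMS) structure rather than the bare ECDSA-over-SHA-256 scheme used here, but the trust decisions are the same: the certificate chains to the organization's CA, the address in the certificate matches the claimed sender, and the signature covers the message body.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Message is what a recipient sees: the claimed sender address, the body,
// the sender's certificate and a signature over the body.
type Message struct {
	From      string
	Body      []byte
	Cert      *x509.Certificate
	Signature []byte
}

// makeCert issues a P-256 certificate from tmpl. With parent == nil the
// certificate is self-signed (used for the org CA and for the impostor).
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// userTemplate builds a leaf template that binds one email address (constructed).
func userTemplate(email string) *x509.Certificate {
	return &x509.Certificate{
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
}

// Sign hashes the body and signs the digest with the sender's private key.
func Sign(from string, body []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) (*Message, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &Message{From: from, Body: body, Cert: cert, Signature: sig}, nil
}

// Verify is the recipient-side check: trusted chain, matching address, valid signature.
func Verify(m *Message, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := m.Cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	bound := false
	for _, e := range m.Cert.EmailAddresses {
		bound = bound || e == m.From
	}
	if !bound {
		return fmt.Errorf("certificate is not issued for %q", m.From)
	}
	pub, ok := m.Cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(m.Body)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], m.Signature) {
		return errors.New("signature does not match message body")
	}
	return nil
}

// RunScenarios builds the constructed PKI and verifies one genuine and three bad messages.
func RunScenarios() (map[string]error, error) {
	ca, caKey, err := makeCert(&x509.Certificate{
		Subject: pkix.Name{CommonName: "Example Corp Internal CA"}, // constructed
		IsCA:    true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	aliceCert, aliceKey, err1 := makeCert(userTemplate("alice@example.com"), ca, caKey)
	malloryCert, malloryKey, err2 := makeCert(userTemplate("mallory@example.com"), ca, caKey)
	fakeCert, fakeKey, err3 := makeCert(userTemplate("alice@example.com"), nil, nil) // not from the org CA
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, err
	}
	body := []byte("Reminder: the quarterly all-hands moves to 10:00 on Friday.") // constructed
	genuine, _ := Sign("alice@example.com", body, aliceCert, aliceKey)
	tampered := *genuine
	tampered.Body = []byte("Reminder: the quarterly all-hands moves to 14:00 on Friday.")
	selfSigned, _ := Sign("alice@example.com", body, fakeCert, fakeKey)
	wrongSender, _ := Sign("alice@example.com", body, malloryCert, malloryKey)
	return map[string]error{
		"genuine":                  Verify(genuine, roots),
		"tampered body":            Verify(&tampered, roots),
		"self-signed impostor":     Verify(selfSigned, roots),
		"valid cert, wrong sender": Verify(wrongSender, roots),
	}, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, res := range results {
		fmt.Printf("%-26s -> %v\n", name, res)
	}
}
```

Only the genuine message passes; the other three fail at different steps, which is the point of the address check in the middle: a certificate that the organization's CA really did issue still proves nothing about a From address it was not issued for. SMS itself carries no field for a certificate or signature, so for smishing the same three checks have to live in a messaging client that can transport them alongside the text.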
Ensuring Safer Communications
Cybercriminals will continue using an attack tactic until it no longer bears fruit, which means phishing and smishing attacks will remain in use until defenders can reliably stop them. Since human error is unavoidable, organizations need a better solution than education and training.
Fortunately, PKI represents a potential solution—one that is already used by nearly every organization, whether they know it or not. Provisioning company devices like laptops and smartphones with certificates capable of identifying and authenticating digital communications represents a critical step toward solving the problem of phishing and smishing, and it is a step that every organization can and should take.