
Concerned About Phishing and Smishing Attacks? PKI Can Help.

Enterprises can deploy PKI to shore up network infrastructure to prevent email phishing and its text-based offshoot, smishing.

November 3, 2021 Ed Giaquinto Leave a Comment


Just about everyone is familiar with the concept of “phishing” attacks. Scammers and cybercriminals have been using them for nearly as long as email has been around, sending thousands (even millions) of emails designed to trick recipients into giving away money, personal information, or other valuables. Phishing was one of the earliest cyberattacks based on social engineering, targeting not a weakness in the security or network infrastructure itself, but the humans using and supporting it.

Ask most people and they will say they think they are smart enough to sniff out a phishing email. However, phishing remains popular because it still works—after all, humans are prone to human error, and attackers only need a handful of victims to fall for the scam out of the millions of people they target.

For IT and business leaders looking to help their employees—and thus their organizations—avoid becoming the next victims, Public Key Infrastructure (PKI) can help. To shore up their network infrastructure against even social engineering attacks, enterprises can deploy PKI and stop email phishing and its text-based offshoot, smishing, in their tracks.

The Rise in Phishing and Smishing

The COVID-19 pandemic spurred a massive shift to remote work. Cybercriminals jumped on the opportunity to take advantage of distracted and isolated workers separated from their usual support systems and IT safeguards. This prompted an unprecedented increase in phishing attacks, with some enterprises estimating a rise of 667 percent in phishing emails in the first month of the pandemic alone. Google also indicated that it registered a record 2 million phishing websites in 2020.


More recently, “smishing” has become a problem. Smishing, a portmanteau of “SMS” and “phishing,” uses essentially the same social engineering-based tactics as standard phishing attacks, but executes them via SMS—the most common text messaging service component. Unfortunately, while people are generally looking for phishing emails, they are not yet conditioned to expect text-based scams. This has created yet another opportunity for attackers, who have adopted smishing techniques en masse, prompting the FBI to issue a warning to smartphone users to be on the lookout for these scams.

While the crime of smishing is still relatively new, it has already made a significant impact. The FBI’s Internet Crime Complaint Center reports smishing attacks cost Americans in excess of $54 million in 2020—a number expected to rise significantly in the coming years. And while many of these attacks target individuals, like phishing they represent a potential gateway into corporate networks—which means taking steps to protect employees from both phishing and smishing attacks should be a priority for all organizations.

Addressing the Smishing Menace

When it comes to stopping smishing, employee training isn’t enough. Decades of training workers to watch out for suspicious-looking emails haven’t stopped phishing attacks, and training isn’t likely to work for smishing either. This isn’t to say training isn’t a good idea—it absolutely has a place—but it’s not going to solve the problem on its own. And fake texts can be especially difficult to spot, since most people won’t question a text message that appears to be directly from their boss or IT manager.

As with email, this is the result of a system without inherent authentication or trusted identities. Both text and email identities are dangerously easy to spoof, which makes employees sitting ducks for phishing and smishing attacks.


Worse still, even when an attacker is caught using a spoofed identity, there is little recourse for the victim and rarely any consequence for the attacker. Today, any attacker can send a password reset request, package delivery notification, or other message designed to trick the recipient into inputting personal information—and most will be none the wiser.

Ed Giaquinto is CIO at Sectigo, a cybersecurity provider of digital identity solutions, including TLS/SSL certificates, DevOps, IoT, and enterprise-grade PKI management, as well as multi-layered web security. With experience gleaned from 30 years of strategic planning and IT process development, Giaquinto oversees IT and support, leading initiatives around change control, onboarding, proof of concept, customer communications, service, and innovation in operational practices. He is also an Advisory Board Member for the Rutgers University Cybersecurity certificate program.

While there are a number of candidates for achieving the necessary levels of trusted identity, the primary—and most ubiquitous—one is PKI technology. PKI technology can be used to integrate cryptographically provable identity across every device. In fact, it is already used to secure websites, email servers, IoT devices, and more.

PKI-backed digital certificates serve to identify and authenticate users within an organization so those receiving an email or text message can be certain the sender is, in fact, who they claim to be. Rather than double-checking email addresses or phone numbers for every incoming message, employees can simply confirm at a glance whether a valid digital certificate is in use, making it easier than ever to identify potential scams.

Ensuring Safer Communications

Cybercriminals will continue using an attack tactic until it no longer bears fruit, which means phishing and smishing attacks will remain in use until defenders can reliably stop them. Since human error is unavoidable, organizations need a better solution than education and training.

Fortunately, PKI represents a potential solution—one that is already used by nearly every organization, whether they know it or not. Provisioning company devices like laptops and smartphones with certificates capable of identifying and authenticating digital communications represents a critical step toward solving the problem of phishing and smishing, and it is a step that every organization can and should take.
