By now, anyone with an email address is familiar with the concept of phishing. These deceptive emails are designed to get a user to disclose sensitive information, often by sending emails from fake accounts designed to look like a user’s boss or their bank.
However, Lee Kim, J.D., the senior principal for cybersecurity and privacy at the Healthcare Information and Management Systems Society, says healthcare organizations need to get used to a new term if they want to prevent cyberattacks: “smishing.” The theory behind smishing is similar to that of phishing. The difference is that smishing happens via a person’s smartphone (hence, the “sm” in smishing).
“Smishing through the phone will definitely be on the rise,” Kim says.
Like phishing, smishing begins with an unsolicited message, this time in the form of a text message. Whereas most workplaces have sophisticated email filtration systems that flag or quarantine suspected phishing emails, the same is not true for smishing. “With smishing, people just by habit are opening each and every (message),” she says. “That’s closer to a goal for a criminal, right?” Kim notes that texts frequently use short links that, while convenient, obscure the name of the actual website to which they link.
Hackers have found ways to get around two-factor authentication, Kim says. For instance, if a user clicks on a link that takes them to a decoy modeled after their bank’s homepage and begins to enter their login information, hackers can program software that simultaneously inputs the user’s login information into the real bank website. When the bank website responds by sending a two-factor authentication code via text, the victim will enter it into the fake website, and then the software will enter it into the real bank site, instantly gaining access.
“That’s how it’s so clever and so much more powerful than just simply a phishing email on your desktop,” she says.
Kim says she expects the Federal Communications Commission to address the problem by requiring phone companies to institute protocols to block messages originating from known malicious numbers. But she says it is clear that healthcare information technology professionals should view smishing as a top concern.