Smishing and Vishing Attempts Surged in 2021

    SMS phishing (smishing) attacks more than doubled year-on-year in 2021 as cyber-criminals looked to exploit human error to compromise devices, according to Proofpoint.

    The security vendor’s latest annual Human Factor report is based on an analysis of over 2.6 billion email messages, 49 billion URLs, 1.9 billion attachments, 28 million cloud accounts, 1.7 billion mobile messages and many other data points.

    Proofpoint claimed that the increase in smishing could be down to changing personal habits: as most consumers now use their devices for work, cyber-criminals have spotted a “two-for-one” opportunity. In the UK, over 50% of smishing lures were related to fake delivery notifications, it said.

    The report also revealed a surge in telephone-based threats, such as tech support scams and vishing attempts to distribute malware to users’ computers or devices.

    Typically, such attacks start with unsolicited emails purporting to come from legitimate sources and urging the user to call a helpline. That number takes the victim through to a malicious call center.

    The Proofpoint study also revealed the continued threat to organizations from their supply chains. Over 80% of businesses are attacked by a compromised supplier account each month, it warned, adding that organizations should improve security awareness training around these specific threats.

    Elsewhere, the report warned of the risk to organizations from attacks targeting privileged users. It found that although managers and executives comprise just 10% of users, they account for nearly half of attacks or “severe risk.”

    Similarly, departments that deal with sensitive information like human resources (HR) or finance are more likely to be targeted, it claimed.

    “Knowing where the highest privilege-based risks exist, whether that is individually or departmentally, is a crucial step in defending any organization from attack,” the report noted.

    “High-privilege users can receive additional training to manage the elevated threat against them. Departments dealing with sensitive or valuable data may benefit from additional layers of security or oversight.”