How to Avoid Smishing Attacks Targeting Subscription Service Users


If you’re anything like me, you used delivery more during the pandemic than before. Both food brought to my door and meal kit boxes mean people don’t have to mask up and go out to the grocery store. But threat actors know that, too. Recent scams take advantage of people signing up for more services, disguising their data theft as company giveaways or delivery alerts. Phishing and its SMS cousin, smishing, continue to be popular ways of gaining access to digital systems, including business email. Here is how smishing is changing the game in the world of food and delivery.

What Is Smishing?

While phishing attacks try to get you to share passwords or other personal information over email, smishing does the same by text message. For example, an attacker might send a text promising something in exchange for completing a form on a website. If the victim follows through, the attacker can collect information and possibly infect the device.

Watch Out for New and Convincing SMS Scams

Text-based scams are evolving. Where such messages were once marked by poor English or odd formatting, some attackers have learned to disguise themselves convincingly. Common text message scam tactics appeal to victims who might be expecting a shipment or may have recently completed a purchase online. The scams might propose a reward for responding or pose as an alert about some serious issue with an online account. Meal kit and grocery scams often fall under these types of attacks.

Attackers know these services are popular. Subscription services of all kinds have seen a steady increase over the last year, with entertainment and food delivery services particularly popular. As consumer buying habits shifted, so too did takeout food choices. Meal kit offerings, including both subscription services and grocery store-based meal solutions, saw a steady uptick in demand.

For example, one scam asked cybersecurity consultant Joseph Steinberg to leave a review for a service he didn’t use. This is just one of many variations of the review-for-a-reward smishing scam. Cybersecurity training can help users avoid such scams and protect personal data, too.

How to Stop Smishing for Employers

Spam filters can catch some of these malicious messages, but not all. In addition to a layered approach to security, organizations should also provide their employees with ongoing cybersecurity awareness training. Such a program could regularly include simulations that cover scenarios similar to those seen in the wild.

To be effective, cybersecurity training for employees should be engaging and relevant. It’s not a good idea to overwhelm people with every possible attack type and its gory details. However, an ongoing training program can provide useful information on novel and unique attack types. These might be relevant to employees outside of work, too. Employers can also use breach and attack simulations to help users better understand how these campaigns work.

Training like this should cover the topic of risk assessment often. Users should be taught to tell the difference between real and scam messages no matter how convincing they are or which channel they arrive on. In the case of smishing, it’s also important for users to know what to expect from the systems they use.

Security Awareness Training and Beyond

Training users on how their work devices are supposed to function can help them be safer with connected devices at home, too. Internal systems can provide examples of just-in-time communications that give context to interactions, and users who know what to expect from oft-used systems may be more likely to spot odd behavior. As an employer, you can explain how the system will contact its users in new user onboarding procedures and welcome emails. If someone gets a delivery alert by text and you’ve already told them you only send alerts by email, they might be less likely to click. That will help regardless of how well-written the attacker’s text is.

SMS scams are more than a simple annoyance for the average person; they present a very real security risk for company systems, too. Websites used in these scams can contain malware designed to exploit victim machines, which may be accessing them from corporate networks. SMS-based scams and malware campaigns range widely in terms of the intended outcome, but social engineering is always a key component. Relevant and interesting security training can help stop smishing-related dangers from making their way into your important systems.