A full 85% of employees use a personal device for work—and nearly all of them have recently received at least one suspicious SMS message.
The same devices that your employees use to access sensitive business systems are being increasingly subjected to SMS scams that cybercriminals use to spread malware, overcome network authentication measures, and manipulate employees with social engineering tactics.
According to our research, a full 85% of employees use a personal device for work-related activities—and nearly all of them have received at least one suspicious SMS message on their personal device in the last three months. The SMS threat has become so pervasive in recent months that it’s been the subject of warnings from both the FCC and IRS while also being central to several recent high-profile security breaches.
In this report, we’ll explore the results of Capterra’s 2022 SMS Scams Survey*, explain how SMS schemes threaten the security of your business, and offer some tips on how to avoid them.
/ What is SMS?
Short message service (SMS) technology, also known as text messaging, was developed in the mid-80s and the first message was sent in 1992. The technology was never intended to be used as a secure communication channel—much like email which has also been an endless source of security woes.
When you send an SMS message, it jumps from one cellular tower to another and is likely stored on the networks of multiple service providers. And while an SMS message might be encrypted during some of its transmission, it likely isn’t for all of it. This (along with numerous other factors) makes SMS a poor choice for use in any authentication or security measures.
Employees are being flooded with SMS scams—that means your business is too
A full 92% of employees have received at least one suspicious SMS message on their personal device in the last three months, and 74% have received at least one in the last 30 days. More specifically, our research finds that the average employee has received eight suspicious SMS messages in the last three months, and 13% have received more than 15.
These fraudulent messages commonly lead to bogus login pages that collect network credentials and other sensitive information. Additionally, malware strains, such as Medusa and FluBot, have been developed specifically to propagate via SMS and infect personal devices.
Once identified, most employees say they delete (58%) and block (54%) suspicious SMS messages, but less than a quarter actually report them (23%).
The most common type of fraudulent SMS message is banking/financial (58%) followed by bogus package delivery alerts (49%), merchant scams (41%), and bill payment requests (27%).
While not among the most common fraudulent messages, impersonation scams came in at 13%, a significant number that should startle all businesses, as we’ll explain next.
New-hire scams are on the rise—and a majority of them involve SMS messaging
Employment scams are a growing problem for U.S. businesses:
Fake-applicant scams involve a job seeker using false information during the application process to hide their true identity, typically to gain access to network credentials or steal sensitive company data.
HR impersonation scams, conversely, use a company's branding to target job hunters with a fraudulent job listing in an attempt to steal an applicant’s personal information.
Another rising threat is the new-hire phishing scam in which a fraudster harvests employment information from sources such as LinkedIn or a company’s directory. The scammer identifies newly-hired associates and targets them with customized messages posing as a new colleague or superior, a type of social engineering that can lead to everything from business email compromise to corporate espionage.
New-hire phishing messages are commonly sent using social media, email, and of particular relevance to this report, SMS. A full half (50%) of the HR professionals we surveyed** report that an employee at their company has encountered a new-hire phishing scam—75% of those incidents involved contact via SMS messaging.
Two in five businesses use SMS messaging for two-factor authentication (this is a bad thing)
For years, security experts have pleaded with businesses and consumers to adopt two-factor authentication as the single most effective way to fight an onslaught of account takeovers and phishing attacks that enable countless online attacks—and it finally appears to have worked.
According to Capterra research***, business use of two-factor authentication (2FA) has grown from 64% in 2019 to 92% in 2022, an encouraging trend that suggests businesses are taking authentication much more seriously in the wake of increasingly severe cybersecurity threats, such as ransomware and a rise in remote work.
Unfortunately, our recent SMS Scams Survey finds that 42% of businesses are using SMS messaging as part of those 2FA protocols. This is a problem because SMS is a generally insecure process and vulnerable to exploitation in many ways.
SMS scams are pretext for attacks on businesses
The recent phishing campaign known as oktapus compromised thousands of credentials at dozens of major companies including Twilio and Doordash[1]. The scheme used SMS phishing to trick employees into entering their network credentials on a bogus login page. The attacker used those credentials to generate one-time authorization codes that were texted to the same employees. The employees then entered the 2FA codes into the same bogus login page, providing them to the attacker and thus completely undermining the companies’ 2FA security protocols.
Another emerging SMS authentication weakness is known as MFA fatigue. In this scenario, threat actors use stolen credentials to continually request second-factor authentication codes until the victim has finally had enough with the continual text messages and allows access. One reason this works is because at many companies, one person may be in charge of an account and be responsible for allowing access to numerous employees.
One more reason you should avoid using phone numbers for two-factor authentication is SIM swapping, whereby a criminal takes over a phone number by swapping a victim’s phone number to a new device and intercepts their messages.
So not only is SMS being used to directly manipulate new employees with social engineering tactics, it’s also being used to subvert 2FA security methods meant to protect your company’s network.
Don’t let SMS lead to SMH after a security incident
SMS is a useful and casual communication channel, but for all of the reasons covered in this report, businesses must view SMS as a security threat and take action to prevent its use in authentication and phishing schemes.
Stop using SMS as an authentication factor. Instead consider using more secure options such as authentication apps (e.g., Duo, Google Authenticator), biometric authentication, or physical authentication keys (e.g., Yubikey). To learn more about authentication software, read our buyers guide.
Do not publish staff pages on your company’s website, and refrain from announcing new hires in newsletters or other public forums when possible.
Explain the risks of new-hire phishing scams to new hires, and clearly define which communication platforms will be used for contact during onboarding.
Develop security policies that direct employees to verify suspicious requests using a secondary mode of communication (e.g., verify a suspicious text message request from a colleague by emailing them to confirm that the request is legitimate).
Include SMS threats in security awareness training, and encourage employees to report suspicious text messages by forwarding them to 7726 (i.e., “SPAM”).
To learn more about improving security at your company, read our recent reports: