What is smishing?
Smishing is a type of cyber attack that uses SMS (Short Message Service) to scam victims and steal their personal, sensitive, or financial information. The term smishing is a combination of SMS and phishing (an online fraud technique where criminals try to trick people into giving up confidential data, like passwords or credit card numbers).
In which countries is it allowed
In several countries, telecommunications regulatory authorities impose limitations or special procedural controls for mass SMS sending to reduce the risk of smishing. These procedures, however, effectively make it impossible to use the "Smishing Functionality" of Cyber Guru Phishing. As of now, Cyber Guru's Smishing is available in Italy, Spain, France, Germany, and the United Kingdom.
How many SMS can be sent?
Within the CGP subscription, a maximum number of SMS can be sent annually, equal to 4 times the total number of CGP users, at no additional cost.
For example, for every 1000 licenses, a maximum of 4000 SMS can be sent per year (which can be directed to all CGP users or just a subset of them).
NOTE: Before proceeding with activation, it's important to review the article dedicated to whitelisting for messages (SMS).
How to activate a smishing campaign
To enable a smishing campaign, follow these steps:
-
Access the "Company Management" section in the system.
-
Go to Setup Phishing and enable the SMS templates.
This way, the system will also include SMS templates in the proposed campaigns.
To ensure users receive the SMS correctly, it's crucial that the "Phone" field is correctly populated with each user's BUSINESS phone number. The number must be entered including the full international prefix, followed by the user's phone number.
For example, for Italy, the number should be entered in the format 0039 followed by the phone number.
WARNING: If performing a mass import, it's important to ensure that the user's phone number in the CSV file is NOT saved in "number" format, but as "text". Otherwise, leading zeros would be removed.
SMS templates are recognizable and can be viewed in the "Training Material Template" section, by selecting the type "SMS Templates Only".
SMS templates behave similarly to email templates, with the ability to test their functionality, modify their content, and customize the associated landing page. This allows for optimizing the user experience and ensuring that messages are consistent with the campaign.
The user will receive the SMS and by clicking the link within the message, they will land on the landing page and the click will be recorded.
"Phone" Field
SMS templates are sent only to users who have a valid phone number associated with their profile.
If a user does not have a phone number (if the "phone" field is empty), SMS templates are not considered during template assignment. In other words, the user will not receive the SMS message, and the campaign will focus on the email channel.
If the "phone" field contains an incorrect or partial number (for example, an incomplete number or in the wrong format), the user will still be associated with the SMS template.
Interaction Recording and Data Visibility
In the case of smishing, the only event that can be recorded within the Cyber Guru platform is the click event.
Data related to smishing campaigns can be regularly viewed within the Phishing section, along with those of traditional phishing campaigns.
However, in the campaign data export, under the "Template Type" entry, templates used for smishing will be identified as SMS instead of Email.