If you’re anything like me, you used delivery more during the pandemic than before. Both getting food brought to my door and meal kit boxes mean people don’t have to mask up and go out to the grocery store. But threat actors know that, too. Recent scams take advantage of people signing up for more services, disguising their data theft as company giveaways or delivery alerts. Phishing and its SMS cousin, smishing, continue to be popular ways of gaining access to digital systems, including business email. See how smishing is changing the game in the world of food and delivery. 

What Is Smishing? 

While phishing attacks try to get you to share passwords or other personal information over email, smishing does the same by text message. For example, an attacker might send a text promising something in exchange for completing a form on a website. If the victim follows through, the attacker can collect information and possibly infect the device.

Watch Out for New and Convincing SMS Scams

Text-based scams are evolving. Where they might once have been marked by poor English or odd formatting, some attackers have learned to disguise themselves. Common text message scam tactics appeal to victims who might be expecting a shipment or may have recently completed a purchase online. The scams might propose a reward for responding or pose as an alert to some serious issue with an online account. Meal kit and grocery scams often fall under these types of attacks.

Attackers know these services are popular. Subscription services of all kinds have seen a steady increase over the last year. Entertainment and food delivery services are particularly popular. As consumer buying habits shifted, so too have takeout food choices. Meal kit subscription services, including both subscription services and grocery store-based meal solutions, saw a steady uptick in demand.

For example, one scam asked cybersecurity consultant Joseph Steinberg to leave a review for a service he didn’t use. This is just one of many variations of the review-for-a-reward smishing scam. Cybersecurity training can help users avoid such scams and protect personal data, too.

How to Stop Smishing for Employers 

Spam filters can catch some of these malicious messages, but not all. In addition to a layered approach to security, organizations should also provide their employees ongoing cybersecurity awareness training. A regular feature of such a program could include simulations that cover scenarios similar to those seen in the wild.

To be effective, cybersecurity training for employees should be engaging and relevant. It’s not a good idea to overwhelm people with every possible attack type and its gory details. However, an ongoing training program can provide useful information on novel and unique attack types. These might be relevant to employees outside of work, too. Employers can also use breach and attack simulations to help users better understand how these campaigns work.

Training like this should cover the topic of risk assessment often. Users should be taught to tell the difference between real and scam messages no matter how convincing or where they’re sent. In the case of smishing, it’s also important for users to know what to expect from the systems they use. 

Security Awareness Training and Beyond

Training users on how their work devices are supposed to function can help them be safer with connected devices at home, too. Internal systems can provide examples of just-in-time communications that provide context to interactions. And, users who know what to expect from oft-used systems may be more likely to spot odd behavior. As an employer, you can explain how the system will contact its users in new user onboarding procedures and welcome emails. If someone gets a delivery alert by text and you’ve already told them you only send alerts by email, they might be less likely to click. That will help regardless of how well-written the attacker’s text is. 

SMS scams are more than a simple annoyance for the average person; they present a very real security risk for company systems, too. Websites used in these scams can contain malware designed to exploit victim machines, which may be accessing them from corporate networks. SMS-based scams and malware campaigns range widely in terms of the intended outcome, but social engineering is always a key component. Relevant and interesting security training can help stop smishing-related dangers from making their way into your important systems.

More from Mobile Security

Juice jacking: Is it a real issue or media hype?

4 min read - You get off a flight and realize your phone is almost out of battery, which will make getting an Uber at your destination a bit challenging. Then you see it — a public charging station at the next gate like a pot of gold at the end of the rainbow. As you run rom-com style to the USB port, you may briefly wonder if it’s actually safe from a cybersecurity perspective to plug in your phone. The answer is technically…

Third-party app stores could be a red flag for iOS security

4 min read - Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…

A view into Web(View) attacks in Android

9 min read - James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today