By Rose Ryan

With the pervasiveness of smishing that targets consumers’ personal devices, more organizations have made the leap to consider imposing smishing simulations on their employees’ mobile devices out of fear of a corporate breach, and for compliance reasons. Yet this tactic is fraught with risk itself, and can open an organization to legal liability and regulatory fines – not to mention what damage it can do to employee morale.

The Perils of BYOD and Hidden Costs

Smishing is the practice of sending a phishing message via SMS text to recipients’ mobile phones, typically containing a link to credential harvesting sites. An example is shown in Figure 1. Vendors offering SMS simulators require the customer to bear the burden of the inherent liability in this practice, though it tends to be hidden deep in the terms and conditions of existing contracts. Regulated industries may have a second corporate phone and number to issue to users but, with the ubiquity of BYOD (bring your own device), that is a niche experience.

Figure 1: Smishing message

With no standard reporting system for text messages, BYOD employees may report fraudulent messages to the FCC or other policing bodies. This puts text-sending service providers at a disadvantage as they will regularly be required to remove offending phone numbers and accounts. As a result, the overhead associated with managing such a program is very high and those costs are normally passed to the customer.

Regulatory Considerations – It’s Not as Easy as Your Vendor Wants You to Think

The FCC has determined sending texts is the equivalent of “making a call” and thus subject to fines and penalties under the Telephone Consumer Protection Act (TCPA) in the United States.[1] Employees not trained to escalate internally may report to the authorities, requiring the organization to explain the purpose of their texting exercise.

Consider the risk of sending an SMS to the wrong phone number. Organizations will often retire a phone number in their system, but that same phone number may be picked up by a different person at another company or by a private citizen. It’s unlike an email domain where someone may have left the organization, or the email was entered incorrectly – the address remains safely associated with the correct domain. Phone numbers are more complex to manage.[2]

The Liability is All Yours

Customers assume the liability if a vendor’s SMS is inadvertently sent to the wrong number. Phone numbers are easily mistyped, and a single digit can mean that a non-employee gets what appears to be a smishing attack. This is especially risky in European countries where the recipient actually pays to receive an SMS. Covering that liability is a cumbersome process. With a majority of vendors using a downstream service for handling SMS delivery, customers are exposed to regulatory challenges such as GDPR compliance.

The GDPR, enacted in May 2018,[3] applies to any organization that does business with the European Union or uses EU citizens’ personal data, wherever that organization is based. So even if your organization isn’t headquartered in the EU, you are subject to its requirements if you may be smishing an employee in that region, or if you inadvertently smish a non-employee.

The UK has supporting regulations that work in conjunction with the GDPR. They are the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act.[4] The UK’s Data Protection Act regulates how businesses can store and use consumers’ personal information. Under this act, personal info must be used “fairly, lawfully and transparently.” Businesses can only use data when relevant and appropriate – and cannot store the data longer than necessary. Similar to GDPR principles, customers have the right to know how their data is being used, or have data updated or erased. Organizations must have a plan in place to fulfill all of these requirements and potential requests while also being aware of text message caps and ceilings under this act.

Smishing Simulators – Is There a Better Way?

Before you undertake a smishing simulation program, you should assess whether you have a “legitimate business interest”[5] for processing employees’ personal information (i.e., their phone numbers). The GDPR and the Data Protection Act in the UK require that organizations provide a legitimate interest before processing employee information. Questions to consider are:

  • Is there an alternative to this activity that can achieve the same goal?
  • What is the business benefit to the organization, and is it legitimate and necessary?
  • Is the business interest appropriately balanced with the individual privacy rights?

Is Harassing Your Employees Part of the Plan?

Another consideration is how implementing a smishing simulator will affect your employees’ morale. The smishing activity must be confined to working hours, which can cause scheduling problems for worldwide companies operating across different time zones. When an employee sits at their desktop or laptop, they have an implicit understanding that they are in their corporate domain; therefore, a phishing simulation is commonplace and accepted. However, receiving a smish from an organization on a personal device is a far more intrusive experience, akin to sending someone to an employee’s home. This can easily alienate employees, especially if they receive a smish off the clock or during their vacation time, and avoiding that is a real challenge for organizations to schedule and manage. There is also the consideration that the IT Help Desk will be overloaded with incoming calls and emails when suspicious SMS messages go out.

There Is a Better Way

Organizations considering smishing simulator vendors must tread carefully, review all terms and conditions, and determine whether the risk outweighs the reward.

Cofense takes our customers’ security, as well as any potential exposure to legal and regulatory liability, very seriously. We enable our customers to develop employee resilience to all potential threats in a positive way that engenders employee trust and confidence. To that end, we’ve updated our LMS platform. The Cofense smishing simulator is now available. The interactive smishing simulator includes education and reporting via the platform.

Empower your users with immediate feedback and education options to boost resilience to smishing. If you’re an existing PhishMe customer with your own LMS, contact our Technical Operations Center to deploy immediately. Cofense LMS customers will see the smishing simulator in their next release. Learn more about Cofense LMS here.

[1] https://www.pe.com/2019/02/15/why-sending-text-messages-to-customers-employees-can-lead-to-stiff-legal-penalties/
[2] https://help.klaviyo.com/hc/en-us/articles/360035055312-About-US-SMS-Compliance-Laws
[3] https://gdpr-info.eu/
[4] https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/
[5] https://www.itgovernance.eu/blog/en/the-gdpr-legitimate-interest-what-is-it-and-when-does-it-apply#:~:text=What%20is%20a%20legitimate%20interest,the%20data%20subject%20would%20expect.&text=The%20data%20subject%20should%20reasonably,be%20used%20in%20that%20way.