By: James Hickey, Senior Product Marketing Manager
With the pervasiveness of SMS-based phishing, often referred to as “smishing,” to target consumers’ personal devices, more organizations are considering deploying smishing simulations on employees’ mobile phones. These efforts stem from concerns over potential corporate breaches and compliance requirements. However, this approach is fraught with its own risks and can open organizations to legal liability and regulatory fines – not to mention the damage it can do to employee morale.
The Perils of BYOD and Hidden Costs
Smishing is the practice of sending a phishing message via SMS text to recipients’ mobile phones, typically containing a link to credential harvesting sites. An example is shown in Figure 1. Vendors offering SMS simulators require the customer to bear the burden of the inherent liability in this practice, though it tends to be hidden deep in the terms and conditions of existing contracts. Regulated industries may have a second corporate phone and number to issue to users but, with the ubiquity of BYOD (bring your own device), that is a niche experience.
Figure 1: Smishing message
With many cell phone providers now offering a "Report Junk" feature in their SMS interfaces, or a specific number for users to forward suspected scam messages, reporting fraudulent texts has become very straightforward. As a result, BYOD employees may report fraudulent messages to the FCC or other policing bodies. This puts text-sending service providers at a disadvantage, as they will regularly be required to remove offending phone numbers and accounts. As a result, the overhead associated with managing such a program is very high and those costs are normally passed to the customer.
Regulatory Considerations – It’s Not as Easy as Your Vendor Wants You to Think
The FCC has determined text messaging to be the equivalent of “making a call” and thus subject to fines and penalties under the Telephone Consumer Protection Act (TCPA) in the United States.[1] Employees not trained to escalate internally may report to the authorities, requiring the organization to explain the purpose of their texting exercise. Even if the company owns the device and SIM card, using deceptive SMS content or impersonating someone can fall into a legal gray area.
There’s also the risk of sending an SMS to the wrong phone number. Organizations often retire phone numbers in their system, but that same phone number may be picked up by a different person at another company or by a private citizen. Unlike an email address, which remains tied to a specific domain even if the recipient leaves the organization or it is entered incorrectly, phone numbers are more complex to manage and ensure accuracy.[2]
The Liability is All Yours
Customers assume liability if a vendor’s SMS is inadvertently sent to the wrong number. Phone numbers are easily mistyped, and a single digit can mean that a non-employee gets what appears to be a smishing attack. Covering that liability is a cumbersome process. With a majority of vendors using a downstream service for handling SMS delivery, customers are exposed to regulatory challenges such as EU General Data Protection Regulation (GDPR) compliance.
The GDPR, enacted in May 2018,[3] applies to any country that wants to do business with the European Union or use EU citizens’ personal data. So even if your organization isn’t headquartered in the EU, you are subject to its requirements if you intend to smish an employee in that region, or if you inadvertently smish a non-employee.
The UK has supporting regulations that work in conjunction with the GDPR. They are the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act.[4] The UK’s Data Protection Act regulates how businesses can store and use consumers’ personal information. Under this act, personal info must be used “fairly, lawfully and transparently.” Businesses can only use data when relevant and appropriate – and cannot store the data longer than necessary. Similar to GDPR principles, customers have the right to know how their data is being used or have data updated or erased.
Organizations must have a plan in place to fulfill all of these requirements and potential requests while also being aware of text message caps and ceilings under this act.
Smishing Simulators – Is There a Better Way?
Before you undertake a smishing simulation program, you should assess whether you have a “legitimate business interest”[5] for processing employees’ personal information (i.e., their phone numbers). The GDPR and the Data Protection Act in the UK require that organizations provide a legitimate interest before processing employee information. Questions to consider are:
- Is there an alternative to this activity that can achieve the same goal?
- What is the business benefit to the organization, and is it legitimate and necessary?
- Is the business interest appropriately balanced with the individual’s privacy rights?
Is Harassing Your Employees Part of the Plan?
Another thing to consider is how implementing a smishing simulator will affect your employees’ morale. The smishing activity must be confined to working hours, which can cause scheduling problems for worldwide companies across different time zones. When an employee sits at their desktop or laptop, they have an implicit understanding that they are in their corporate domain. Therefore, phishing simulations are commonplace and accepted. However, receiving a smish from an organization on a personal device is a far more intrusive experience, akin to sending someone to an employee’s home. This can easily alienate employees, especially if they receive a smish off the clock or during their vacation time. This can be a challenge for organizations to schedule and manage. There is also the possibility that the IT Help Desk will be overloaded with incoming calls and emails when sending suspicious SMS.
A Better Way Exists
Organizations considering smishing simulator vendors must tread carefully, review all terms and
conditions, and determine whether the risk outweighs the reward. At Cofense, we take our customers’ security, as well as any potential exposure to legal and regulatory liability, very seriously. We enable our customers to develop employee resilience to all potential threats in a positive way that engenders employee trust and confidence. To achieve this, we’ve made updates to our LMS platform. A smishing simulator as well as a WhatsApp simulator are both now available through PhishMe Security Awareness Training. The interactive simulators include education and reporting via the platform. Empower your users with immediate feedback and education options to boost resilience to smishing. If you’re an existing PhishMe customer with your own LMS, contact our Technical Operations Center to deploy immediately. Cofense LMS customers will see the smishing simulator in their next release.
The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.
ii https://help.klaviyo.com/hc/en-us/articles/360035055312-About-US-SMS-Compliance-Laws
v https://www.itgovernance.eu/blog/en/the-gdpr-legitimate-interest-what-is-it-and-when-does-it-apply