Our SMS Phishing Assessment helps you determine the effectiveness and efficiency of your human control and technology used to manage SMS phishing attacks.
SMS Phishing Assessment
Defending Against SMS Phishing
Phishing attacks have increased in both sophistication and frequency over the past several years. They are commonly included in dedicated attacks, and are regular components of serious attacks such as ransomware and advanced persistent threats.
Phishing attacks come in many forms, including email, social media, phone calls, text messages, and even physical mail. Users often feel SMS messages are more personal, and can be more likely to trust their contents. SMS phishing uses social engineering techniques to trick targets into providing sensitive information or performing an action, such as clicking on a malicious link, often disguised as a shortened URL. SMS phishing attacks commonly focus on login credentials by prompting the user to log on to an online account and provide their login credentials or account verification details. While the attacks use your phone as the vehicle of the attack, they still target the user, and can potentially lead to compromise of any information to which that user has direct access, or more after subsequent compromises.
Your security program is not complete unless it includes active components specifically designed to combat SMS phishing attacks. This includes user training to ensure they understand how such attacks work, as well as technology controls designed to help reduce the chances these attacks even reach the end users.
Our SMS phishing assessments help provide full-coverage security for clients. Offered by themselves or in concert with complementary services, they help you understand how well you are enabling your employees to support the most secure operations they can. Not only does a social engineering assessment include an engagement-specific report, but our security professionals also update the Darwin Attack® portal with key findings. This means you don’t need to wait for the report to start remediation. You can start fixes immediately, making the best use of the information in our collaboration portal.
Our SMS phishing assessment solutions
Evolve Security’s SMS phishing assessments include a variety of approaches designed to test your staff readiness as well as supporting technical controls. This includes a process similar to most security assessment services:
- Define the scope: Scoping the test to ensure we have well-defined testing goals and rules of engagement. Agree on the targeted staff, departments or other organizational groupings. Agree on specific goal systems, applications, and information. Define approved testing window. Define escalation process and rules if test is clearly identified by your organization.
- Complete reconnaissance: Research the public face of your organization (including social media) to determine potentially interesting details and targets, including targeted systems or applications, as well as both general and specific users. Identify staff with influence, special projects, and organizational jargon.
- Assessment: Send phishing messages with appropriate support, which may include phone follow-up. Measure test results, including replies or “click-throughs”, as well as reported fails. Repeat attempts and expand test per rules of engagement. Include results of initial testing in follow-up emails to maximize test efficiency and effectiveness.
- Report: Prepare full report on the engagement process and all results.
An effective SMS phishing assessment can include waves of messages, targeting both new and repeat employees, using information learned from earlier waves to improve targeting and context. We target a wide variety of information to improve the chances of success. Part of an SMS phishing assessment challenges your implemented technology: do you have an effective mobile device management solution in place, how well are users blocking malicious links or attachments, and is URL filtering in place? Some results are immediately obvious, but it can be difficult to appreciate the impact of negative results targeting your employees. As a result, Evolve Security is committed to ensuring that the results and impacts are as clear and concise as possible through a social engineering briefing that discusses the results with your appropriate staff. This is not a one-way briefing, but a conversation about the results to ensure we both understand the impact.
Modernize your SMS phishing approach
Many penetration test companies do not offer full social engineering assessment services. Penetration test vendors are more focused on the automated technical testing. Those who do perform social engineering often rely on tools and limit the customized portions of the testing, making such tests more “cookie cutter.”
Evolve Security is dedicated to making our SMS phishing engagements focused on your specific concerns and your staff and environment. Our social engineering assessments are highly customized to you, and focus on the specific users, systems, and applications important to your business operations. The goal of our SMS phishing testing is to enable you to improve your operational security, improving your control over your operations, and thus increasing both security and reliability.
During SMS phishing engagements, our security professionals enter findings, such as identified issues and potentially exploitable findings (like passwords or other sensitive details), directly into our Darwin Attack® portal. We update the portal on a near-real-time basis, not at the end of the test. Providing you access to the same portal used by our testers and security professionals helps maximize the efficiency and effectiveness of your entire testing, remediation, and management process. You get to begin remediation, including testing and internal communications, earlier, speeding up your remediation process.
Our SMS phishing assessments continue to evolve
Like all components of social engineering, an SMS phishing assessment tends to be a highly customized offering, highly dependent on the specific organization. Tools and automation play a significant part in testing, and Evolve Security constantly updates its tool sets to help ensure that we are using the best tools available for the given engagement. Our team of security professionals constantly monitors developments in social engineering and email phishing standards, and updates processes and standards as appropriate. We also hold regular project review sessions and update our internal standards to help ensure we are assessing to at least standards of good business practice, based on the practices of current clients. Every engagement includes review of our own benchmarks to help ensure that we are assessing to the most appropriate set of controls.