Smishing: “Just when you thought it was safe to get back in the water.”

© James Thew - stock.adobe.com

Cybercriminals are sharks. The irony that I chose a quote from the movie Jaws, during Shark Week, and that lawyers are typically referred to as sharks is not lost on me or others reading this article. By now, the term “phishing” – a form of social engineering or a scam where perpetrators trick individuals into providing information oftentimes in the form of sensitive information and/or payment – should be common vernacular in anyone’s vocabulary. But, what is “smishing”?

Smishing is a form of phishing whereby cyber criminals utilize short message service, or text messages, via mobile phone to elicit information from the individual in order to lure them into divulging sensitive information. In other words, phishing via text messaging instead of via email.

On August 10, 2023, the U.S. Department of Health and Human Services – Office of Information Security (HHS-OIS) and the Health Sector Cybersecurity Coordination Center (HC3) issued Multi-Factor Authentication & Smishing, which highlights key items to consider in relation to security and exploitation. Here are some key take-aways:

1. The difference between authentication (who you are) versus authorization (does the user have permission).
2. Understanding multi-factor authentication (MFA), which by the way many have used for years with their ATM card and PIN number. In essence – a factor that you have and a factor that you know. MFA requires at least two factors of authentication.
3. Although adoption varies, when given an option, consumers enable MFA 61% of the time for healthcare apps and online portals, 60% for online banking, and 70% do not enable MFA when using social media. (emphasis added). The term “catphishing” is often tied to phishing on social media sites.
4. Common types of MFA include: hardware tokens, SMS text-message, software tokens, push notifications, and biometric 2FA. (NOTE: biometrics have their own issues, including the ability of law enforcement to request that phones, tablets or computers be opened on the spot with a biometric factor versus having a password or passcode).
5. “A bad actor can and will look for gaps in authentication processes, such as during and even after hiring, to circumvent identity verification – even utilizing surrogates to help conceal their true identity and nefarious intentions.”
6. Cybercriminal circumvent security controls, including those using biometrics, in various ways. “One such advanced form of a biometric spoofing attack is called a presentation attack. This attack, commonly referred to as spoofs or presentation attacks (Pas), is the process of subverting a biometric system using tools called presentation attack instruments (PAIs).”
7. MFA in cloud computing
   1. Connect MFA with cloud apps and services.
   2. Remote workers require endpoint protection.
   3. With the advent of cloud computing, MFA has become even more necessary.
   4. As companies move their systems to the cloud, they can no longer rely upon a user being physically on the same network as a security factor.
   5. Additional security needs to be put into place to ensure that those accessing the systems are not bad actors.
   6. As users are accessing these systems any time and from any place, MFA can help ensure that they are who they say they are by prompting for additional authentication factors that are more difficult for hackers to imitate or use brute force methods to crack.

MFA and smishing collide in the world of threat actors through the following ways:

• MFA phishing kits pose a significant threat to the HPH sector, because this credential phishing software specifically targets MFA, which is used to protect accounts from unauthorized access.
• According to Proofpoint, there are numerous MFA phishing kits that range from simple open- source kits with human readable code and basic functionality, to sophisticated kits that use built-in modules and numerous layers of obfuscation, which give them the ability to steal MFA tokens, usernames and passwords, as well as credit card and social security numbers.

Dealing with cyber risk management and relatedly cybercriminals is exhausting and can cause compliance fatigue in one’s professional and personal life. There are a variety of aspects to consider. Again, by adhering to the basics like not clicking on suspect links received through text or email, using secure WiFi, and avoiding “juicing” stations (i.e., free charging places that utilize a USB connection at one end) organizations, patients, and consumers alike can significantly decrease the risk of an attack.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.