
Behind the Hack: How “Smishing” hooked a major SaaS company

February 17, 2023

In the fall of 2022, the customer-support SaaS company Zendesk suffered a data breach after attackers tricked some employees into handing over their work account names and passwords. The attackers sent their requests for credentials by text message, and some recipients believed the requests were legitimate and complied. This gave the attackers direct access to “unstructured data from a logging platform from September 25, 2022 to October 26, 2022,” according to an email from Zendesk.  
This is an example of smishing: phishing conducted over SMS text messages. It is one branch of the broader phishing threat that follows your employees in and out of the office. 
 

Phishing on the Rise

According to the FBI, there are more victims of phishing than any other type of cybercrime, and a recent study found that phishing attacks increased by 61 percent between May 2021 and April 2022. The reliance on phishing is a conspicuous reminder that social engineering remains the tactic of choice for many cybercriminals. It’s no surprise that human behavior is involved in 82 percent of breaches – as the 2022 Verizon Data Breach Investigations Report explains: “Whether it is the Use of stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a very large role in incidents and breaches alike.” 
 
The evidence that human error contributes to the majority of successful cyberattacks is overwhelming, and it points to a serious lack of cybersecurity awareness at many companies. There is also a clear response to this problem: cybersecurity awareness training (CSAT), which educates employees about tactics like phishing, the attack vectors that matter most, and the actions they can take to recognize an attack in progress and keep the company safe.  
 

Fight Phish with Cybersecurity Awareness Training

Any effective CSAT program has to focus on tactics like phishing, which keep evolving to exploit new technologies and vulnerabilities. This is why NINJIO episodes often return to phishing, including our recent release: “It’s Not Just About the Money”. This episode covers vishing, in which cybercriminals call victims or leave voice messages to convince them to hand over sensitive data (such as credit card numbers and bank account information) or to download malware. A successful vishing call can give the attacker direct access to the victim’s accounts, or lead the victim to install malware such as SMS Spy, which lets the attacker read incoming messages, including the one-time passcodes sent by banks and employers.  
 
Although multi-factor authentication (MFA) is a powerful control, employee error can give attackers a way around it. When Uber was breached in September 2022, the attackers used a technique called authentication fatigue (also known as MFA fatigue or push bombing): after obtaining a contractor’s login credentials on the dark web, they flooded the contractor with MFA login requests until one was finally approved. Refusing to approve a login request you did not initiate, especially when a relentless series of them arrives, is cybersecurity 101 for a trained employee. The contractor should have contacted Uber’s security team as soon as the fraudulent requests started pouring in. Establishing clear lines of communication for incident reporting, and encouraging employees to use them, is a central element of cybersecurity.  
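Employee reporting is the first line of defense against push fatigue, but the security team should not have to wait for a report: the pattern described above (a burst of rejected or timed-out MFA pushes for one account, followed by an approval) is visible in the identity provider’s authentication logs. The script below is an added example, not code from the original article or from NINJIO; it runs over a few constructed log lines in a made-up format (real Okta, Duo or Azure AD logs carry the same fields under different names) and flags both the early warning (a burst of rejections) and the confirmed compromise pattern (an approval after that burst). The window and threshold values are assumptions to tune against your own baseline.

```python
"""Detect MFA push-fatigue ("authentication fatigue") patterns in auth logs.

Added example; not part of the original article or any vendor product.
The log format and sample lines below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). One push event per line:
#   <ISO timestamp> user=<name> push_result=<approved|denied|timeout> src=<ip>
SAMPLE_LOG = """\
2023-01-10T22:01:05Z user=contractor01 push_result=denied src=203.0.113.7
2023-01-10T22:01:40Z user=contractor01 push_result=denied src=203.0.113.7
2023-01-10T22:02:12Z user=contractor01 push_result=timeout src=203.0.113.7
2023-01-10T22:03:01Z user=contractor01 push_result=denied src=203.0.113.7
2023-01-10T22:03:55Z user=contractor01 push_result=denied src=203.0.113.7
2023-01-10T22:05:30Z user=contractor01 push_result=approved src=203.0.113.7
2023-01-10T22:06:10Z user=alice push_result=approved src=198.51.100.2
2023-01-10T23:10:00Z user=bob push_result=denied src=198.51.100.9
2023-01-10T23:40:00Z user=bob push_result=approved src=198.51.100.9
"""

REJECTED = ("denied", "timeout")  # results that mean the user did not approve


@dataclass
class PushEvent:
    ts: datetime
    user: str
    result: str
    src: str


def parse_log(text: str) -> list:
    """Parse the constructed 'key=value' log format into PushEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(PushEvent(ts, fields["user"], fields["push_result"], fields["src"]))
    return sorted(events, key=lambda e: e.ts)


def _by_user(events):
    grouped = defaultdict(list)
    for e in events:
        grouped[e.user].append(e)
    return grouped


def find_rejection_bursts(events, window=timedelta(minutes=10), min_rejections=3):
    """Early warning: users who rejected/ignored >= min_rejections pushes inside
    one sliding window. This fires before any approval, i.e. while the user
    should be calling the security team. Returns {user: max_rejections_in_window}.
    """
    bursts = {}
    for user, evs in _by_user(events).items():
        rejected = [e.ts for e in evs if e.result in REJECTED]
        for i, end in enumerate(rejected):
            count = sum(1 for t in rejected[: i + 1] if end - t <= window)
            if count >= min_rejections:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


def find_push_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Confirmed pattern: an approval preceded by >= min_rejections rejected or
    timed-out pushes within `window`. Returns a list of
    (user, rejections_before_approval, approval_ts, src) tuples.
    """
    alerts = []
    for user, evs in _by_user(events).items():
        for i, e in enumerate(evs):
            if e.result != "approved":
                continue
            prior = [p for p in evs[:i] if e.ts - p.ts <= window and p.result in REJECTED]
            if len(prior) >= min_rejections:
                alerts.append((user, len(prior), e.ts, e.src))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rejection bursts:", find_rejection_bursts(evs))
    for user, n, ts, src in find_push_fatigue(evs):
        print(f"ALERT push-fatigue: {user} approved at {ts} after {n} rejections from {src}")
```

In the sample data only contractor01 trips both checks; bob’s single denial half an hour before an approval is ordinary user behavior and is ignored. In production, the approval alert should also check whether the source IP or device of the approving session matches the user’s normal profile, since a fatigue attack is typically driven from an attacker-controlled address.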
 

Phishing Takes Many Forms

The Uber hack involved multiple forms of phishing, from the original theft of the credentials and their sale on the dark web to the authentication-fatigue scam. NINJIO episodes cover a wide range of phishing attacks, including: 
 

    Smishing, in which attackers try to fool people through text messages (SMS).  
    Catphishing, in which cybercriminals manipulate victims using fake identities and ask for money or personal information.  
    Spear phishing, in which the attacker targets a specific person and impersonates a trusted contact to convince that victim to share sensitive information.  
    QR code phishing, in which a hacker replaces legitimate QR codes in restaurants, stores, and other public places with malicious codes that send victims to fraudulent websites or trigger malware downloads.  

 
Phishing will remain one of the most pressing cyberthreats companies face, and resistance to it depends heavily on an educated workforce. Employees have to be able to spot red flags such as a sense of urgency from the person contacting them, login requests they did not initiate, and unusual demands for sensitive information in emails, phone calls, and text messages. Cybersecurity awareness will matter all the more as digital communication and collaboration tools spread: a PwC report found that 38 percent of executives anticipate more serious attacks via the cloud in 2023.  
 
The same report recommends that companies “train employees on proper access and incident response roles” and “support security awareness training throughout the organization.” NINJIO’s CSAT platform is designed to provide employees with the most up-to-date information on cyberthreats like phishing, as well as personalized instruction based on their individual strengths, weaknesses, and unique behavioral tendencies. Company leaders can’t afford to sit still and hope they won’t be targeted by a phishing attack. They need to be proactive about keeping the organization safe, and this starts with building an educated workforce.  

We Can Help

Ready to reduce your organization’s human risk?