Thomas Mierschke, Area Vice President DACH Proofpoint
Hackers are increasingly using a combination of email and text messages to bypass security measures. Smishing—a phishing-like attack carried out via text message—achieves significantly higher success rates than traditional email phishing campaigns. Thomas Mierschke, Area Vice President for Germany, Austria, and Switzerland at Proofpoint, explains the background and outlines effective protection strategies.

Criminals are getting smarter. This includes cybercriminals deliberately combining modern communication channels for their attacks. The development in the phishing sector is particularly noticeable: recently, attackers have increasingly been using this social engineering technique across multiple channels. They particularly favor the combination of email and SMS (so-called smishing).

Cross-Channel Phishing Strategies and Their Backgrounds

Phishing attacks are not a new phenomenon, but the methods used by attackers are becoming increasingly sophisticated. While they used to send malicious attachments or suspicious links directly, today’s perpetrators increasingly rely on sophisticated social engineering tactics in which the malware is only deployed later in the communication. A typical example is the initial contact with a victim via email, followed by an attempt to shift the conversation to a less monitored channel such as SMS. The goal of this approach is to bypass established corporate security mechanisms.

The reasons for this strategy are obvious: Emails in companies are usually monitored by powerful security systems. In contrast, text-based channels such as SMS or messengers and collaboration tools are often inadequately protected. In addition, people respond to SMS messages far more frequently than to emails. Studies show that the click-through rate for SMS is between 8.9 and 14.5 percent, while it is only about 2 percent for emails. This high success rate makes smishing an attractive tool for cybercriminals.

Technical Protection Measures Against Modern Phishing Attacks

From a technical perspective, companies today have numerous solutions at their disposal to protect themselves against such threats. Modern phishing detection systems use multi-layered analysis methods that go far beyond simply scanning attachments and URLs. AI-based technologies in particular play a decisive role: They analyze not only the technical characteristics of a message, but also its semantic content and context. This allows them to detect, for example, when a sender is trying to shift a conversation from the protected email channel to a less secure platform — even if the original message contains no malicious functions.
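As an added illustration (not Proofpoint's or the article's own code), the following simplified heuristic sketches what context-aware detection of a channel-shift lure looks like: it scores a message on whether it asks the recipient to move to SMS or a messenger, or to share a phone number, even when the message carries no URL at all. The patterns, weights, threshold and sample messages are assumptions constructed here.

```python
import re
from dataclasses import dataclass

# Hypothetical heuristic for "channel shift" lures: emails with no link or
# attachment that ask the recipient to continue over SMS/messenger or to hand
# over a phone number. Constructed illustration, not any vendor's detection logic.
CHANNEL_SHIFT = re.compile(
    r"\b(?:text|sms|whatsapp|signal|telegram|call)\b.{0,40}\b(?:me|number|cell|mobile)\b"
    r"|\b(?:your|a)\s+(?:cell|mobile|phone)\s*(?:number|no\.?)\b",
    re.IGNORECASE | re.DOTALL,
)
URGENCY = re.compile(r"\b(?:urgent|asap|right away|immediately|quick(?:ly)?)\b", re.IGNORECASE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Verdict:
    score: int
    reasons: list


def score_message(sender: str, internal_domain: str, body: str) -> Verdict:
    """Score one message; higher means more likely a channel-shift lure."""
    score, reasons = 0, []
    if CHANNEL_SHIFT.search(body):
        score += 3
        reasons.append("asks to move the conversation to SMS/messenger or share a phone number")
    if URGENCY.search(body):
        score += 1
        reasons.append("urgency cue")
    if not sender.lower().endswith("@" + internal_domain.lower()):
        score += 1
        reasons.append("external sender")
    if not URL.search(body):
        # No link is exactly the profile of a lure that defers its payload to the next channel,
        # so a pure URL/attachment scanner would have nothing to flag here.
        reasons.append("no URL present (payload deferred to the next channel)")
    return Verdict(score, reasons)


def is_suspicious(sender: str, internal_domain: str, body: str, threshold: int = 4) -> bool:
    return score_message(sender, internal_domain, body).score >= threshold


# Constructed sample messages (assumed internal domain: corp.example).
SAMPLES = [
    ("ceo.office@freemail.example", "Are you at your desk? Quick favour, text me your cell number asap."),
    ("alice@corp.example", "Minutes from today's meeting: https://intranet.corp.example/minutes"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(is_suspicious(sender, "corp.example", body), score_message(sender, "corp.example", body).reasons)
```

The threshold deliberately requires more than the channel-shift phrase alone, so a colleague's "call me" from an internal address is not flagged.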

Another key element of modern security systems is real-time URL analysis. Since attackers often try to lure victims to fake websites via seemingly harmless links, it is essential to check the reputation and content of such links at the time of the click. Using a combination of reputation databases, machine learning, and behavior-based analyses, many attacks can be prevented in advance.

The Human Factor: Awareness and Training Are Essential

As important as technical protection measures are, they are not enough to sustainably minimize risk. Humans remain the weakest link in the security chain, which is why targeted awareness-raising and training of employees are indispensable. Regular awareness training should sharpen awareness of the dangers of phishing in all its forms. In particular, the ability to recognize subtle warning signals should be promoted. For example, any unexpected request to disclose personal data such as phone numbers or to switch to another communication channel should be critically questioned.

Security managers should also establish clear guidelines for handling sensitive information and digital communication channels. Employees must know that internal and external requests that demand a shift in communication should always be verified — ideally by consulting the IT security team or via a second, independent communication channel. They should also be trained to carefully check details such as sender addresses, writing style, and message context to detect irregularities at an early stage.

Holistic Protection for All Communication Channels

Finally, it is advisable to consistently extend technical protection to all relevant communication channels. While email gateways and firewalls have long been standard in many companies, messaging platforms, collaboration tools, and mobile devices are often neglected. The existing security concepts need to be developed holistically and supplemented, for example, with Mobile Threat Defense solutions, endpoint protection, and the integration of phishing detection in messenger services.

The dynamics of the current threat landscape clearly show how quickly attackers adapt to new circumstances and exploit weaknesses in corporate communications. Especially as hybrid working models and the use of a wide variety of digital channels continue to increase, a proactive, technology-supported approach that also focuses on people is indispensable. Only those who combine technical innovations with continuous training and clear processes can effectively counter the growing cyber risks posed by email and SMS phishing and protect their organization in the long term.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via email: jakob.jung@security-storage-und-channel-germany.de
