Twilio smished – SMS is the new Achilles heel

Twilio was recently compromised after a few employees handed over their credentials to an attacker.

Unsuspecting employees were targeted by a Smishing attack in which they received a text message on their phone stating that their passwords had expired and they needed to re-authenticate. A helpful link was provided that took employees to a spoofed page where they entered their credentials.

I would say smishing is the rising star for criminals. Although texting may cost more than sending an email, the benefits for a criminal are:

1. No pesky email gateway or other perimeter control to stop delivery

2. No endpoint protection or EDR that will alert the phone user

3. More difficult to verify the source and link of an SMS

4. Many phones are personal devices, so no IT visibility and always accessible, even on vacation

5. People are more likely to multitask while on the phone (doing the dishes, eating lunch, waiting for their Uber, etc.) and therefore not fully concentrating on the task at hand.

All of this collectively means there is a greater likelihood of success.

What can we do about it? A few things come to mind.

Do not use SMS to communicate with employees. Use an internal company channel. Let your staff know that you will never text them links to change passwords or for anything else.

Provide a method for people to report suspicious text messages. If one employee is targeted, chances are others will be too. By reporting, security teams can notify staff, block the reported sites, and monitor for connections to them. (As a note, in the UK you can report smishing to the NCSC by texting 7726.)
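A small triage helper for the report, block and monitor loop described above, written here as an added example and not taken from the original post: it turns forwarded smishing texts into a hostname blocklist and sweeps proxy log lines for staff who followed the link. The domains, usernames and the three-column log format are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: text messages that employees forwarded to the security team.
REPORTED_TEXTS = [
    "Your password expires today. Re-authenticate at https://corp-sso-reset.example/login?u=42",
    "IT: verify your account now http://Reset-Portal.example:8080/verify",
]

# Constructed sample: egress proxy log lines as "<time> <user> <destination host>".
PROXY_LOG = """\
2022-08-05T10:01:12Z alice corp-sso-reset.example
2022-08-05T10:01:15Z alice cdn.vendor-ok.example
2022-08-05T10:03:40Z bob login.corp-sso-reset.example
2022-08-05T10:04:02Z carol reset-portal.example
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def blocklist_from_reports(texts):
    """Extract every URL from the reported texts and return the set of hostnames to block."""
    hosts = set()
    for text in texts:
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname  # lowercased; port, path and query stripped
            if host:
                hosts.add(host)
    return hosts


def host_is_blocked(host, blocklist):
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower()
    return any(host == b or host.endswith("." + b) for b in blocklist)


def find_exposed_users(log_text, blocklist):
    """Return (time, user, host) for each log line whose destination is on the blocklist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the sweep
        when, user, host = parts
        if host_is_blocked(host, blocklist):
            hits.append((when, user, host))
    return hits


if __name__ == "__main__":
    for hit in find_exposed_users(PROXY_LOG, blocklist_from_reports(REPORTED_TEXTS)):
        print("possible credential exposure:", *hit)
```

Each hit is a user whose credentials should be treated as exposed (reset and session review), which is the follow-up the reporting channel exists to trigger.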

Finally, organizations should ensure that all employees receive relevant and timely security awareness and training so that they can identify and report any suspected smishing attacks. Or better yet, simply refuse to communicate outside of company channels.

And let’s not even get into SMS two-step authentication. 😀

*** This is a syndicated blog from the Security Bloggers Network of Javad Malik written by j4vv4d. Read the original post at:
