It’s 4 p.m. You’re a few days into a new position and still getting oriented. Suddenly, an urgent text arrives. It’s your CEO, requesting Apple gift cards for a marquee client – an unusual, but seemingly legitimate request.

While many smishing (SMS phishing) attacks aim to steal passwords or credit card details, a new breed of social engineering is evolving. These attacks blend Smishing, Spear Phishing, and Business Email Compromise (BEC), creating what we’ll call Spear Smishing BEC. Their hybrid nature and velocity make them uniquely dangerous.

A New Threat to New Beginnings

LinkedIn posts celebrating new hires often provide cybercriminals with a wealth of information to exploit. Unfortunately, these criminals see such visibility as an opportunity. Smishing attacks – phishing scams conducted via SMS – are increasingly targeting new employees with highly personalized messages that appear to come from their company’s leadership. These scams frequently aim to trick victims into purchasing gift cards under false pretenses. 

The speed and accuracy with which these attacks are launched suggest a concerning level of automation and intelligence – powered by bots.

Scraper Bots: The First Link in the Cybercrime Chain

Scraper bots harvest publicly available information from platforms like LinkedIn. Posts from new hires frequently include:

  • The employee’s name and role;
  • The company’s name and leadership team;
  • A timestamp indicating when the employee started.

Company pages amplify visibility, making it easier for scraper bots to collect and analyze data. Bots map organizational structures by identifying connections, enabling attackers to impersonate executives with convincing precision.

How Bots Supercharge Scams

Bots have fundamentally changed the landscape of social engineering attacks. By accelerating the collection of data and automating the creation of convincing narratives, bots turn otherwise manual scams into high-speed, large-scale operations. Conventional scams that relied on extensive human effort and time are now executed within hours, targeting thousands simultaneously. This efficiency makes them a force multiplier for cybercriminals.

The Role of GenAI Bots in Smishing Campaigns

Generative AI (GenAI) bots craft personalized messages that mimic human tone and context. For example:

Hi [New Hire’s Name], welcome aboard! This is [CEO’s Name]. I need a quick favor for a client situation. Could you pick up $500 in gift cards? I’ll reimburse you immediately.

The tailored content – including names, roles, and timestamps – makes these messages alarmingly effective. Bots can:

  • Generate natural-sounding language
  • Adapt tone to match corporate styles
  • Deliver messages within hours of scraping data
  • Use geo-specific phone numbers for added credibility

Advanced attacks may involve guessing email addresses based on the employee’s scraped full name or prompting the employee to confirm their mobile number, often redirecting the focus back to the ongoing SMS conversation.

Real-World Example: Targeting a New Hire

One of our new hires was recently targeted using this multi-channel approach. It began with a series of text messages from an unknown number, claiming to be our Founder, Sam Crowther. The messages were vague but insistent, asking questions like, “Free at the moment?”

Screenshot: text messages reading “Free at the moment” and “Let me know if youre available”.

Soon after, the new hire received an email from “Official Text” requesting confirmation of their phone number. 

Screenshot: email from “Official Text” asking the new hire to confirm their phone number.

The email lacked professionalism and raised immediate red flags. Despite this, the scammer continued their attempts. Over the next few days, the new hire received several more emails, all allegedly from our Founder, with an increasing sense of urgency, like, “Can I use your help quickly?”

Screenshot: follow-up email, allegedly from our Founder, asking whether the new hire is available.

Although the scam wasn’t convincing, it served as a reminder of how persistent these attackers can be, especially when targeting new employees. By sharing screenshots of these texts and emails, we aim to raise awareness and reinforce the importance of reporting suspicious communications.

The Human Cost of Automated Attacks

New employees are particularly vulnerable: they are excited about joining a new company and may not yet be familiar with internal protocols or the normal communication style of their leadership team. Remote workers, especially those in field roles such as sales, are also attractive targets, since they often rely on both internal messaging tools and conventional SMS/MMS for communication, giving cybercriminals multiple avenues to exploit. Cybercriminals exploit this learning curve, leveraging bots to maximize the speed and scale of their attacks.

Mitigating the Risk: What Companies Can Do

  1. Employee Education: Train employees during onboarding to recognize smishing and phishing attacks. Highlight red flags such as urgent gift card requests or unusual messages from leadership.
  2. Privacy Settings: Encourage employees to adjust social media privacy settings to limit post visibility to trusted connections. If profiles are public, emphasize the importance of not sharing sensitive or personal information on social media platforms.
  3. Internal Communication Protocols: Establish clear guidelines for financial requests, specifying approved communication channels.
  4. Proactive Monitoring: Use advanced tools to detect scraping activity. Anti-scraping measures and bot defenses can limit unauthorized data collection and flag suspicious activity.
  5. Leadership Alignment: Ensure leadership teams understand these scams and follow communication protocols to prevent confusion.
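As an added example of the proactive monitoring in point 4 (illustrative code, not Kasada's product logic), the heuristic below flags clients that fetch many distinct profile pages within a short window, the access pattern a scraper harvesting new-hire posts leaves behind. The log format, paths, IPs and user agents are constructed for the example.

```python
"""Flag clients that enumerate profile pages at scraper-like rates (added
illustration, not Kasada's logic): a scraper harvesting new-hire posts touches
many distinct profile URLs within seconds; a human reader does not."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ip [iso-time] METHOD path proto status "user-agent"
SAMPLE_LOG = """\
203.0.113.7 [2024-11-04T09:00:01] GET /in/alice-newhire HTTP/1.1 200 "python-requests/2.31"
203.0.113.7 [2024-11-04T09:00:02] GET /in/bob-sales HTTP/1.1 200 "python-requests/2.31"
203.0.113.7 [2024-11-04T09:00:02] GET /in/carol-cfo HTTP/1.1 200 "python-requests/2.31"
203.0.113.7 [2024-11-04T09:00:03] GET /in/dan-eng HTTP/1.1 200 "python-requests/2.31"
203.0.113.7 [2024-11-04T09:00:04] GET /in/erin-hr HTTP/1.1 200 "python-requests/2.31"
203.0.113.7 [2024-11-04T09:00:05] GET /in/frank-ceo HTTP/1.1 200 "python-requests/2.31"
198.51.100.20 [2024-11-04T09:00:10] GET /feed HTTP/1.1 200 "Mozilla/5.0"
198.51.100.20 [2024-11-04T09:02:30] GET /in/alice-newhire HTTP/1.1 200 "Mozilla/5.0"
198.51.100.20 [2024-11-04T09:05:45] GET /in/frank-ceo HTTP/1.1 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \[(\S+)\] (\S+) (\S+) HTTP/\S+ (\d+) "([^"]*)"$')

def parse_line(line):
    """Return (ip, timestamp, path, user_agent), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status, ua = m.groups()
    return ip, datetime.fromisoformat(ts), path, ua

def flag_scrapers(log_text, window=timedelta(seconds=60), min_profiles=5):
    """Return {ip: distinct /in/ profiles fetched within one `window`} for clients
    reaching `min_profiles`; a tunable breadth-rate heuristic, not a complete bot defense."""
    events = defaultdict(list)  # ip -> [(timestamp, path), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2].startswith("/in/"):
            events[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct profiles seen from this hit until the window closes.
            distinct = {p for t, p in hits[i:] if t - start <= window}
            if len(distinct) >= min_profiles:
                flagged[ip] = len(distinct)
                break
    return flagged
```

The human visitor in the sample opens two profiles minutes apart and is never flagged, while the scripted client enumerating six profiles in four seconds is.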

The Future of Smishing Defense

Unauthorized scraping not only fuels smishing attacks but also raises intellectual property concerns, particularly with the training of GenAI models. Anti-scraping measures mitigate both risks, helping to reduce a company’s overall vulnerability.

Implementing anti-bot solutions, like Kasada, enables real-time detection and blocking of scraper bots, preventing cybercriminals from collecting the data they need for personalized smishing attacks. By cutting off this critical first step in the attack chain, companies can effectively shrink their social engineering attack surface.

Combining advanced technology with robust employee awareness programs further strengthens organizational defenses. Together, we can make it harder for attackers to succeed – one informed employee at a time.
