It’s 4 p.m. You’re a few days into a new position and still getting oriented. Suddenly, an urgent text arrives. It’s your CEO, requesting Apple gift cards for a marquee client – an unusual, but seemingly legitimate request.
While many smishing (SMS phishing) attacks aim to steal passwords or credit card details, a new breed of social engineering is evolving. These attacks blend Smishing, Spear Phishing, and Business Email Compromise (BEC), creating what we’ll call Spear Smishing BEC. Their hybrid nature and velocity make them uniquely dangerous.
A New Threat to New Beginnings
LinkedIn posts celebrating new hires provide cybercriminals with a wealth of information, and the visibility those posts create is exactly what attackers look for. Smishing attacks – phishing scams conducted via SMS – are increasingly targeting new employees with highly personalized messages that appear to come from their company’s leadership. These scams frequently aim to trick victims into purchasing gift cards under false pretenses.
The speed and accuracy with which these attacks are launched suggest a concerning level of automation and intelligence – powered by bots.
Scraper Bots: The First Link in the Cybercrime Chain
Scraper bots harvest publicly available information from platforms like LinkedIn. Posts from new hires frequently include:
- The employee’s name and role;
- The company’s name and leadership team;
- A timestamp indicating when the employee started.
Company pages amplify visibility, making it easier for scraper bots to collect and analyze data. Bots map organizational structures by identifying connections, enabling attackers to impersonate executives with convincing precision.
How Bots Supercharge Scams
Bots have fundamentally changed the landscape of social engineering attacks. By accelerating the collection of data and automating the creation of convincing narratives, bots turn otherwise manual scams into high-speed, large-scale operations. Conventional scams that relied on extensive human effort and time are now executed within hours, targeting thousands simultaneously. This efficiency makes them a force multiplier for cybercriminals.
The Role of GenAI Bots in Smishing Campaigns
Generative AI (GenAI) bots craft personalized messages that mimic human tone and context. For example:
Hi [New Hire’s Name], welcome aboard! This is [CEO’s Name]. I need a quick favor for a client situation. Could you pick up $500 in gift cards? I’ll reimburse you immediately.
The tailored content – including names, roles, and timestamps – makes these messages alarmingly effective. Bots can:
- Generate natural-sounding language
- Adapt tone to match corporate styles
- Deliver messages within hours of scraping data
- Use geo-specific phone numbers for added credibility
Advanced attacks may involve guessing email addresses based on the employee’s scraped full name or prompting the employee to confirm their mobile number, often redirecting the focus back to the ongoing SMS conversation.
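The features listed above (a welcome hook, an executive’s name, urgency, a gift-card ask, a request to confirm a phone number) are also what a defender can score for. The following is an added example, not code from Kasada or from the original post: a small rule-based triage function that scores an inbound text or email and checks whether a message naming an executive actually arrived from one of that executive’s known channels. The executive directory, phone numbers and email addresses in it are constructed placeholders; the sample messages are built from the templates quoted in this post.

```python
"""Red-flag scoring for inbound messages that claim to come from leadership.
Added example; directory entries and sender identifiers are constructed."""
import re
from dataclasses import dataclass, field

# Constructed directory: the sender identities (phone numbers / e-mail addresses)
# a named executive actually uses. A message naming that executive but arriving
# from any other sender fails the "approved channel" check.
APPROVED_CHANNELS = {
    "sam crowther": {"+15550100", "sam@example.com"},   # placeholder identifiers
}

# (flag, pattern, weight): lexical red flags taken from the onboarding checklist.
RULES = [
    ("gift_card_request",    r"\bgift\s*cards?\b", 3),
    ("confirm_phone_number", r"\b(confirm|send|share)\b.{0,20}\b(phone|mobile|cell)\b", 3),
    ("availability_probe",   r"\b(free at the moment|are you (free|available)|use your help)\b", 2),
    ("urgency",              r"\b(urgent|asap|quick(ly)?|right now|immediately)\b", 1),
    ("money_or_favor",       r"\b(favou?r|reimburse|wire|payment)\b", 1),
    ("welcome_hook",         r"\b(welcome aboard|welcome to the team)\b", 1),
]
COMPILED = [(name, re.compile(pat, re.I), weight) for name, pat, weight in RULES]


@dataclass
class Verdict:
    score: int = 0
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold chosen so that a single strong indicator is enough to hold
        # the message for review; tune against your own traffic.
        return self.score >= 3


def claimed_executive(text: str):
    """Return the directory name the message claims to come from, if any."""
    for name in APPROVED_CHANNELS:
        if re.search(r"\b" + re.escape(name) + r"\b", text, re.I):
            return name
    return None


def score_message(sender: str, text: str) -> Verdict:
    """Score one message. `sender` is the raw phone number or e-mail address."""
    v = Verdict()
    for name, pattern, weight in COMPILED:
        if pattern.search(text):
            v.flags.append(name)
            v.score += weight
    exec_name = claimed_executive(text)
    if exec_name and sender not in APPROVED_CHANNELS[exec_name]:
        # The strongest signal: leadership's name on an unapproved channel.
        v.flags.append("executive_name_from_unapproved_sender")
        v.score += 3
    return v


# Constructed samples (sender, text), built from the templates quoted in the post.
SAMPLES = [
    ("+15550999", "Hi Alex, welcome aboard! This is Sam Crowther. I need a quick favor "
                  "for a client situation. Could you pick up $500 in gift cards? "
                  "I'll reimburse you immediately."),
    ("+15550999", "Free at the moment? - Sam Crowther"),
    ("official-text@example.net", "Please confirm your mobile number so we can add "
                                  "you to the executive text group."),
    ("+15550100", "Welcome aboard! Team standup is at 10, see you there. Sam Crowther"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        v = score_message(sender, text)
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10} score={v.score} {v.flags}")
```

The lexical rules alone catch the gift-card template and the phone-number pivot; the channel check is what separates the vague “Free at the moment?” probe from a genuine note sent by the executive from a known number. A real deployment would populate APPROVED_CHANNELS from the HR or identity directory rather than a literal.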
Real-World Example: Targeting a New Hire
One of our new hires was recently targeted using this multi-channel approach. It began with a series of text messages from an unknown number, claiming to be our Founder, Sam Crowther. The messages were vague but insistent, asking questions like, “Free at the moment?”
Soon after, the new hire received an email from “Official Text” requesting confirmation of their phone number.
The email lacked professionalism and raised immediate red flags. Despite this, the scammer continued their attempts. Over the next few days, the new hire received several more emails, all allegedly from our Founder, with an increasing sense of urgency, like, “Can I use your help quickly?”
Although the scam wasn’t convincing, it served as a reminder of how persistent these attackers can be, especially when targeting new employees. By sharing screenshots of these texts and emails, we aim to raise awareness and reinforce the importance of reporting suspicious communications.
The Human Cost of Automated Attacks
New employees are particularly vulnerable: they are excited about joining a new company and may not yet be familiar with its internal protocols or the normal communication style of its leadership team. Remote workers, especially those in field roles such as sales, are particularly desirable targets. They often rely on both internal messaging tools and conventional SMS/MMS for communication, providing cybercriminals with multiple avenues to exploit. Cybercriminals exploit this learning curve, leveraging bots to maximize the speed and scale of their attacks.
Mitigating the Risk: What Companies Can Do
- Employee Education: Train employees during onboarding to recognize smishing and phishing attacks. Highlight red flags such as urgent gift card requests or unusual messages from leadership.
- Privacy Settings: Encourage employees to adjust social media privacy settings to limit post visibility to trusted connections. If profiles are public, emphasize the importance of not sharing sensitive or personal information on social media platforms.
- Internal Communication Protocols: Establish clear guidelines for financial requests, specifying approved communication channels.
- Proactive Monitoring: Use advanced tools to detect scraping activity. Anti-scraping measures and bot defenses can limit unauthorized data collection and flag suspicious activity.
- Leadership Alignment: Ensure leadership teams understand these scams and follow communication protocols to prevent confusion.
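The “Proactive Monitoring” item above is easiest to see in code. What follows is an added example, not Kasada’s product logic or code from the original post: a detector that reads web-server access logs for a site that publishes profile pages, and flags any client that walks more than a set number of distinct profiles inside a sliding time window, or that fetches profiles with a non-browser User-Agent. The log format (combined format with a trailing User-Agent), the /in/<profile> path layout, the client addresses (from the TEST-NET documentation ranges) and the sample log lines are all constructed for the example.

```python
"""Scraper-bot detection over web access logs.
Added example; log format, paths and client addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format with a trailing User-Agent field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
PROFILE_RE = re.compile(r"^/in/([^/?#]+)")   # assumed profile-page path layout
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BROWSER_UA = re.compile(r"Mozilla/")          # crude: real browsers send this prefix


def parse_line(line: str):
    """Return {ip, ts, profile, ua} for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PROFILE_RE.match(m["path"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "profile": p.group(1) if p else None,
        "ua": m["ua"],
    }


def detect_scrapers(lines, window=timedelta(seconds=60), max_profiles=20):
    """Flag clients that view more than `max_profiles` distinct profiles inside any
    `window`, or that fetch profiles with a non-browser User-Agent.
    Returns {ip: [reasons]}; clients that only hit non-profile pages are ignored."""
    events = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["profile"]:
            events[e["ip"]].append(e)

    flagged = defaultdict(list)
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        if any(not BROWSER_UA.search(e["ua"]) for e in evs):
            flagged[ip].append("non_browser_user_agent")
        # Sliding window over time-ordered events, counting distinct profiles in it.
        start, seen = 0, defaultdict(int)
        for e in evs:
            seen[e["profile"]] += 1
            while e["ts"] - evs[start]["ts"] > window:
                old = evs[start]["profile"]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > max_profiles:
                flagged[ip].append(f"{len(seen)}_profiles_in_{int(window.total_seconds())}s")
                break
    return dict(flagged)


def make_sample_log():
    """Constructed sample: one scraper walking profiles at one request per second,
    and one ordinary browser session viewing three profiles and the feed."""
    t0 = datetime(2025, 1, 15, 9, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = []
    for i in range(30):
        lines.append(fmt.format(ip="203.0.113.7", ts=(t0 + timedelta(seconds=i)).strftime(TS_FMT),
                                path=f"/in/new-hire-{i:03d}", ua="python-requests/2.31"))
    for i, path in enumerate(["/in/alice", "/feed", "/in/bob", "/in/carol"]):
        lines.append(fmt.format(ip="198.51.100.20", ts=(t0 + timedelta(seconds=20 * i)).strftime(TS_FMT),
                                path=path, ua="Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"))
    return lines


if __name__ == "__main__":
    for ip, reasons in detect_scrapers(make_sample_log()).items():
        print(ip, reasons)
```

The User-Agent check is deliberately weak (a scraper can set any string), which is why the rate-of-distinct-profiles rule is the one that matters; it is also the rule a bot has to pay for, by slowing down or spreading across many addresses. Production anti-bot systems add client-side and behavioural signals on top of this, but the per-client sliding window is the baseline any team can run over its own logs.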
The Future of Smishing Defense
Unauthorized scraping not only fuels smishing attacks but also raises intellectual property concerns, particularly with the training of GenAI models. Anti-scraping measures mitigate both risks, helping to reduce a company’s overall vulnerability.
Implementing anti-bot solutions, like Kasada, enables real-time detection and blocking of scraper bots, preventing cybercriminals from collecting the data they need for personalized smishing attacks. By cutting off this critical first step in the attack chain, companies can effectively shrink their social engineering attack surface.
Combining advanced technology with robust employee awareness programs further strengthens organizational defenses. Together, we can make it harder for attackers to succeed – one informed employee at a time.