Twilio, a San Francisco-based digital communications company, has confirmed that hackers tricked members of its staff into sharing their login credentials. The attackers sent SMS messages to employees saying a change had been made to their work schedules and asking them to reset their passwords. The official-looking text messages included references to “Twilio,” “SSO (single sign-on),” and Okta, the name of Twilio’s user authentication service. The link included in the SMS messages mimicked a Twilio sign-on page where attackers collected the information input by employees.
While the Twilio customer support team has reached out to impacted organizations, Fortalice is advising our clients to reach out directly to the company to verify if your organization’s information has been compromised.
In the days following the disclosure by Twilio, Cloudflare revealed the content delivery network company had been targeted in a similar manner. In Cloudfare’s case, however, the company’s use of hardware-based multi-factor authentication (MFA) keys prevented attackers from accessing its internal network.
The Twilio and Cloudfare incidents are examples of smishing attacks, which are social engineering attacks performed via SMS or text messages. The text messages will contain links to webpages, email addresses, phone numbers, or other links designed to lure potential victims into clicking on the link. The Twilio breach included SMS messages with employee scheduling information to increase the likelihood the employee would click the link.
The strategies below, provided by the Cybersecurity and Infrastructure Security Agency (CISA), outline strategies to protect yourself and your organization from smishing attacks:
We value you as customers, and we understand incidents like these can be very unsettling. We are here to help. Fortalice is committed to providing you with the tools and confidence to fortify your interests, protect your organization, and maintain a strategic advantage over adversaries. If you have any questions or assistance in implementing necessary threat mitigation steps for your organization, please do not hesitate to reach out to us.
Fortalice Solutions is proud to announce it has signed on as Champion for Cybersecurity Awareness Month 2022. At Fortalice Solutions, we believe preparation is the best strategy to protect organizations from cyber threats and crime. We transform a reactive security model into a proactive, results-based model of protection. Fortalice Solutions, led by the first woman to serve as White House Chief Information Officer, Theresa Payton, is comprised of passionate practitioners who provide organizations with clarity of priority, approach, and security design.