Cloud communications company Twilio released a statement outlining an attack against their employees via SMS phishing, where the attackers pretended to be Twilio’s IT department. The attackers asked employees to click on a link via a text message, warning them that their password had expired. Employees believed they were resetting their password when they followed the link, but it allowed the threat actor to steal passwords instead. The attacker then used the stolen credentials to access a small amount of customer data. The compromised accounts have been suspended and customers have been notified.
Analyst Notes
Proper security training is paramount to teach employees how to spot targeted phishing attempts. IT and security departments within organizations should outline to employees how legitimate communications will be conducted. Most organizations will not use text messages for communication. If a text is received that is believed to be fraudulent, it is always a best practice to follow up via email or phone call with the intended party to verify.
https://www.bleepingcomputer.com/news/security/twilio-discloses-data-breach-after-sms-phishing-attack-on-employees/
