With smarter firewalls and spam filters, much of the malicious traffic targeting your email can be identified and removed from users’ inboxes. (Note: your email is probably not scot-free of phishing scams. You still need to be diligent about identifying scams and skeptical about giving out personal or valuable information through email.)

Because traditional phishing scams are having a harder time reaching users, criminals are resorting to phishing people on their smart phones.

Coined ‘Smishing’—SMS phishing—these attacks reach users much more easily and are hard to avoid.

While the practice of smishing has been around for a couple of years, these scams are coming back with a vengeance. Text messages with links to mystery shopping invitations are just one of the many ways scammers exploit people on their phones, in this case getting them to send emails directly to the scammers. Oftentimes, victims are roped into shopping fraud, identity theft or bank account takeovers. Smishing has even been used to pressure employees into divulging sensitive, personal or confidential corporate information to criminals.

Many cybersecurity experts agree that smart phones are one of the most successful ways criminals can penetrate your network or reach your sensitive information. Whether by manipulating or convincing users through texting or by using smart phones as vectors to spread a virus, smart phones are currently one of the most attractive targets for criminals.

Why is smishing becoming popular?

Smishing is attractive to many budding scammers because it is so low cost. All someone needs to successfully steal your bank account or personal information is a VoIP (Voice over IP) server, a burner cell phone and a method to spoof their phone number in order to send a targeted text message (there are actually a variety of inexpensive apps that easily spoof a phone number).

And phones are everywhere! There are more than 6 billion smart phones worldwide, making the pool of targets relatively large, with the potential for big returns on a small investment.

Where have we commonly seen smishing?

Since more folks are banking through smart phones, a large portion of smishing attacks have been targeting financial institutions. Many users don’t think twice when reacting to a text from their bank. Attackers use legitimate-sounding wording, incorporate branding and spoof phone numbers that your bank may use, all to deceive you into clicking on their text.

For example, here is a smishing text from a national bank:

[Image: example of smishing]

This SMS message informed recipients of a problem with their bank account, prompting them to call the number. When users called the number, they were prompted for personal information, and many of them handed over credit card information, addresses, Social Security numbers and other valuable information—which criminals either sell on the Dark Web or use to exploit victims’ personal bank accounts.

While many of these smishing attacks seem random, they are in fact very targeted. Cybercrime research has revealed that most smishing attacks are geo-targeted by area code in an effort to appear credible to victims.

Where are these attacks coming from?

Just like other cybercrime, smishing attacks have been traced to sources all over the world. Earlier this year, a large smishing attack was identified coming from the Czech Republic; it persuaded users to provide private banking and credit card details or infected a phone after a user clicked on a link. But these attacks can come from virtually anywhere, including our own backyard.

What can you do so that you’re ready for a smishing scam?

Think before you tap—I know it’s tempting to tap first and react later, but you have to control the urge. If you don’t recognize or aren’t expecting a text, don’t automatically click on a texted link. Because more and more texts are being used for identity theft and bank account takeovers, be cautious about simply clicking links from your phone.

Verify information before divulging it—while technology seemingly should make life easier, sometimes it pays to step back and double-check information, especially when it comes to possibly divulging sensitive information. If you receive an unexpected text from your bank, contact your local branch or the published number online to verify that they are actually contacting you with a legitimate request. It never hurts to be more careful!

Stay in the know—keep up on the latest red flags with cybersecurity and phishing. Make sure your IT Support provides you with training and resources for your team to avoid being scammed (or simply follow our page).

Make sure you are protecting your personal information—stay on top of ensuring your and your family’s personal data is secure. The most common places for data breaches are the workplace and businesses that you frequently visit (including your doctor’s office!). Make sure that your work’s IT Support team is going out of its way to protect your information and that the businesses you do business with are complying with security standards.
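
For an IT support team that receives reported texts, the "verify before divulging" check can be automated: compare every callback number and link in a message against the contact details the bank actually publishes. The Python below is an added example, not part of the original article; the bank name, domain, phone numbers and keyword list are constructed assumptions.

```python
import re

# Constructed sample data: contact details a bank publishes on its own website.
PUBLISHED_NUMBERS = {"8005550100"}
PUBLISHED_DOMAINS = {"examplebank.com"}
# Assumed keyword list for "problem with your account" style pressure wording.
URGENCY = re.compile(r"\b(suspended|locked|verify|urgent|immediately|problem with your)\b", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})")
URL = re.compile(r"https?://([^/\s]+)", re.I)

def digits(number):
    """Normalize a US phone number to its last 10 digits."""
    return re.sub(r"\D", "", number)[-10:]

def triage_sms(sender, recipient, body):
    """Return the reasons a text should be verified with the bank before acting."""
    reasons = []
    for m in PHONE.finditer(body):
        number = "".join(m.groups())
        if number not in PUBLISHED_NUMBERS:
            reasons.append(f"callback number {number} is not a published bank number")
    for host in URL.findall(body):
        # Drop any user@ prefix and :port so only the real host is compared.
        host = host.lower().rsplit("@", 1)[-1].split(":")[0]
        if not any(host == d or host.endswith("." + d) for d in PUBLISHED_DOMAINS):
            reasons.append(f"link host {host} is not a published bank domain")
    if URGENCY.search(body):
        reasons.append("urgent account-problem wording")
    s, r = digits(sender), digits(recipient)
    # Geo-targeting by area code: an unknown sender made to look local.
    if s not in PUBLISHED_NUMBERS and s[:3] == r[:3]:
        reasons.append("unknown sender shares the recipient's area code")
    return reasons

# Constructed sample message modeled on the bank text described above.
SAMPLE = ("ExampleBank Alert: there is a problem with your account. "
          "Call (317) 555-0142 immediately.")

if __name__ == "__main__":
    for reason in triage_sms("+1 317 555 0199", "+1 317 555 0123", SAMPLE):
        print("-", reason)
```

An empty result does not prove a text is legitimate, since sender numbers can be spoofed; it only means none of these particular red flags fired.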

If you have any questions or concerns about your security online, feel free to give us a call!