There’s Something “Phishy” about Certain Text Messages

For the sake of your clients, I hope you, and every other person who works at your firm, know full well what phishing attacks are and at least the basics of how these email attacks can be thwarted. If not, it’s way past time for everyone to come up to speed, and I strongly encourage you to do so posthaste! Here’s why. Phishing attacks also occur in the text messaging space. This type of scam is called smishing. Think SMS phishing. Just as with email, cyber criminals are applying social engineering tactics to text messaging and it’s a serious threat.

Smishing is particularly problematic because people are more inclined to trust a text message than an email and are less aware of the security risks surrounding text messages. Basically, what happens is cyber criminals obtain phone numbers that have been exposed as a result of a data breach, or they use web crawlers to gather numbers from social media sites, or they may even just use a random number generator. Then they start sending out text messages trying to trick recipients into clicking on a link or calling a number all done in the furtherance of identity theft, to capture login credentials, or to have the recipient unwittingly download a malicious app. Making matters worse, the number the text message appears to originate from can be a spoofed phone number, meaning it appears to be coming from a reputable source when it actually isn’t.

Here are a few tips that can help prevent you and everyone else at your firm from falling prey to a smishing attack.

1) Remember smart phones are computers. They need to be protected with a security app just like all your other computers. If you don’t already have a security app running on your smart phone, get one now.

2) Don’t trust text messages that attempt to get you to reveal sensitive information, especially if the text contains a portion of your credit card or bank account number. This kind of information can be obtained as a result of data breaches and is sometimes used to try to convince recipients that the text is legitimate when it actually isn’t.

3) Always log in to any online accounts through your phone’s browser or through a company’s mobile app that has been previously installed. Never click on an unexpected link in a text to start the login process.

4) If the text appears to be coming from a reputable company, but still seems suspicious, call the company’s customer service number after looking it up on the official company website. If they confirm that it’s not from them, just delete the text.

5) Treat text messages with the same level of suspicion that should be in play with email, particularly ones that try to play with your emotions. In other words, stop and think before you click on any links or provide any information. If you let your emotions get the best of you, you risk enabling the download of a malicious app or you’ve just turned over sensitive information to someone who definitely doesn’t have your best interests at heart.

6)Don’t reply to suspicious texts even if the text itself says “text stop” to stop receiving messages. If nothing else, replies confirm that the phone number is an active number and more smishing attempts will surely follow.

7) Always be on the lookout for similar tactics in platforms like What’s App, Facebook Messenger Instagram, and the like.

8) And finally, use a VPN. VPNs can help spoof your actual location which may make it easier to spot a few text scams that rely on their appearing to be from a local number. In addition, by encrypting your data stream, even if your phone is, or eventually becomes, infected with a malicious app, the scammer may be unable to obtain anything of value because the data is encrypted.