What’s the latest cyberthreat? It is one of the most annoying.
If you have read any of my columns over the years, you are by now well versed in socially engineered phishing and ransomware threats coming via email.
Scammers entering your world via phone pretending to be the IRS or Microsoft.
Or, actual hackers looking for open ports or guessing passwords via the internet.
But what about texting?
Yes, cybercriminals are now using texting to phish your information or embed your mobile device with malware or key tracking software.
Do they have a silly name for it? Check. “Smishing” — officially defined as …
- the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.
Why smishing? Text messaging is defined as SMS communication (short message service) so smishing is an attempt at a witty name combining SMS and phishing? Yawn.
Anyway, it’s a thing and it’s not brand-new (by any means); but, as other cyberthreats are increasingly blocked, they are circling back to this attack; it is becoming rampant.
That’s why I am writing about it now, so maybe you check this column and don’t become a victim.
There is a lot going on, both in our state and world.
Legislative Session, the extremely sad passing of NBA great Kobe Bryant, impeachment, China trade deal, Middle East peace plan, Gasparilla, etc.
Plenty of opportunities for smishers to come up with a good text that might just make someone click or “verify” your credit card info.
Please don’t verify anything via email or text (not Social Security number, birthday, nada).
You should verify anything confidential only via phone (with you calling them) or on that entity’s official website.
So, smishers are still in the “Wild West” phase of social engineering, and it appears they are going for quantity, not quality.
For example, here is a smishing attempt I just received. There are many things wrong with it, so let’s take a look, shall we?
- It starts with “Congrats.” Fake contest scams are very tired. Whiff.
- The area code, that’s California. I have no business or personal dealings in Cali this week. Whiff.
- Who is Susan Chrysler? Whiff.
- Mate? Apparently, we have an Australian hacker on the loose. Whiff.
- And that website address? Really mate? Do you think anyone is going to click on a link that starts with G5ecr …? Double whiff.
OK, you get the idea.
Pay very close attention to this review process, as, in time, the text attacks will look more believable and will actually reference something going on in your professional or personal life. The Smishers are in their rookie season still. But they will figure it out. One example of that is the fake shipping next in this How To Geek article.
Check them out, they look close to legit — minus a couple of huge red flags. One is the link, as in the earlier one I received, it is not a legit www.shipping.com–type web address; it reeks of shadiness.
And the “Hello Mate” salutation again? What’s up with that?
The article also shows you how to block these types of threats; if you don’t know, take a look.
I block them one by one when I get them by clicking on the number and the block caller (texter) feature on the iPhone.
In Miami, the University Credit Union references the DOJ advice to “Stop. Look. And Call.” approach to these types of scams. It’s basically a more formalized approach to what I spoke of earlier; it’s important (even if you know all these things already) to share them with your team.
Do your campaign volunteers know about these threats? Summer interns? Assistant? Anyone can bring digital trouble to an organization quickly, no matter where they fall on the org. chart.
Earlier this month, one of my business partners in Tampa — KnowB4 — put out a very helpful list of the most popular smishing scams we are likely to see in Florida and around the nation.
The most devious is the payroll one.
I mean, seriously … contests? The IRS? Google?
These all look as fake as a bootleg copy of Star Wars for sale on the streets of Bangkok.
But the payroll scam might just get a few people clicking. Update your info — or no salary?
Look for more like these in the future, as smishing threats evolve; be safe out there.
Remember, you didn’t win the contest. So, don’t click, mate.
Blake Dowling is CEO of Aegis Business Technologies. He can be reached at email@example.com.