Text Message Scams (Smishing)
As digital communication has evolved, so has the sophistication of hackers and scammers. In addition to phony phone calls and email phishing scams, text scams (smishing) has become a rapidly growing concern with the proliferation of smartphones and the emergence of text messages as a part of everyday communication.
SMS phishing (smishing) is the fraudulent solicitation of your personal information through the use of phone number/text messaging service. Although far less common than other kinds of digital dupes, smishing can be effective due to the personal nature of our text message inbox. After all, texts are typically reserved for close friends, family, and businesses who we have consented to connect with.
Targeted SMS Attacks/CEO Fraud (aka Spear Smishing)
Spear phishing is a targeted attack on a specific person or group of people within an organization typically done through email. Spear Smishing is the same type of attack but performed using cellphone SMS/Texting. In these cases, a perpetrator (who is typically disguised as a trusted individual or company principal) deceives a target into performing a task (such as wire transferring funds or purchasing gift cards for a customer), releasing sensitive data (such as log ins, account numbers, credentials, etc), or clicking on a dangerous link.
There are a handful of ways to spot a scam text message and this rings particularly true with Spear Smishing:
- The text message may come from an unknown or out of area phone number but contains a signature line or identifier in the message claiming to be someone else (see below).
- The message is conveyed as urgent or critical with a time constraint indicated.
- The message is asks that a specific action be taken.
- The person who sent the message claims to be unavailable or will be busy for a protracted time in the near term.
- The message is sent at a strange time.
- The request is not customary or falls out of line for internal financial controls.
While this may seem easy to avoid, these scammers use social engineering tactics to evade the better judgement of the recipient.
- Leverages the fear of seniority and urgency.
- Uses authoritative language and tone (“Please pay immediately”, “I need you to do this”, “I am not happy this was missed”, etc.).
- Plays on target’s trust (“I am counting on you”, “this is very important”, etc.).
- May contain organizational details that impart creditability like: referencing participation in a recent conference, references to other people in the department, commentary on recent expansion or new locations, etc.
Email Spear Phishing, CEO Fraud, and Spear Smishing attackers will have often gathered significant information on the target organization that can be easily accessible from social media sites such as LinkedIn, Facebook, Twitter, or Instagram and can include information such as a target’s friends, department co-workers, leadership names and titles, current event participation or accolades, public speaking engagements, etc.
Most Targeted SMS Attacks (but not all) will utilize LinkedIn as its main view into an organization. They will target new-hires or people with new roles within a department who may not yet be fully aware of corporate policy, or well-versed in an organization’s data security guidelines. These newer members may be more likely to respond to a request from someone claiming to be the CFO or CEO without first viewing the communication with an appropriate level of skepticism.
As with any Smishing attack, a user:
- Should NOT respond to the number sending the text message.
- Should NOT click on any links in the message.
- Should block the number of the scam text from their phone.
- Should delete the message to avoid errantly responding in the future.
- Should notify their employer of the attack attempt.
By replying to the message, the target of the attack confirms that this is a valid number, that the user knows the relationship to the purported executive, and can help scammers further develop the organization profile for future targeting of others within the company.
Nearly all information needed to organize and execute a targeted SMS attack is easily available by accessing a corporate website, LinkedIn, and social media sites. Cyber-criminals can quickly assemble a company profile in a very short period of time, which is why the actions of someone being targeted and broader awareness of this type of attack is so critical.