Chances are, you have been receiving an onslaught of calls from automated voices saying they can lower your credit card interest rates or that you have randomly won a cruise. Apparently, the ‘do not call’ lists aren’t working very well anymore. Over the last couple of weeks, I have been receiving text messages similar to the following:
“_____ just recommended you check out your photos on Ever. Link expires tomorrow:”
“Do you want a check for $1545 every week? Call this number now.”
For both messages, a link or phone number appeared in a separate text message. As an employee of a cybersecurity company, I was very suspicious, as the threat of being hacked is becoming more probable each and every day. Upon further research, I found that phishing has found some new bait: smishing, which is short for SMS (short message service) phishing.
Smishing
Smishing can be delivered in one of two ways. First, smishing occurs when hackers use deceptive text messages to lure consumers into providing their personal or financial information. The hackers send smishing messages that often impersonate a government agency, bank, or other company to lend legitimacy to their claims. It can happen as in the image below:
“Jack” received a text message that appeared to be from his local bank. As you can see, the message stated that his ATM card had been suspended and instructed him to call the number provided. When he called the number, Jack received a recording that asked him to enter his debit card number along with his PIN. Jack immediately hung up.
This type of smishing has been around for quite a while. However, the bait is taking on a new form as of late.
Smishing can also arrive when a user is tricked into downloading a Trojan horse, virus, or other malware onto his or her cellular phone or other mobile device. This type of smishing ploy occurs when a user receives a text message such as “We’re confirming that you’ve signed up for our services. You will be charged $2/day unless you cancel your order.” Following the message, a link will appear to route the user to the main phishing page. Fearful of incurring these charges on their cell phone bill, users will visit the Web site in the message. Once the user arrives at the URL, they are prompted to download a program that is actually malware, turning the device into a zombie that the hackers can control. These hackers will use the device to launch a denial of service attack, install keylogging malware, steal personal information, or perform other malicious activities.
David Rayhawk, senior researcher at McAfee Avert Labs, believes cell phones and mobile devices are going to be one of the biggest threats in the future of cybersecurity.
“Most large enterprises have thousands of employees, using a variety of devices to access their networks,” Rayhawk wrote in his blog. “Despite their best efforts to issue safety guidelines, IT security staff cannot control human behavior, especially in light of the fact that mobile users have not yet learned to treat their phones with the same level of concern that they apply to their laptops. Mobile devices present a serious challenge to data security, with the potential to infect both carrier and enterprise networks.”
How to Avoid Smishing Scams
Don’t fall victim to smishing scams. Remember the following when receiving text messages from unknown numbers:
- Government agencies, banks, and other legitimate companies will never ask for your personal or financial information such as usernames, passwords, PINs, or credit/debit card numbers via text message.
- Don’t be rushed – Smishing scams attempt to create a false sense of urgency by implying that an immediate response is required.
- Be wary of any links sent from unknown numbers. As we’ve said before, these links may lead to malware being downloaded onto your phone and could infect your company’s network if you are connected.
- Don’t call a phone number listed in an unsolicited text message. Instead, look up the customer service number of the company that is supposedly trying to contact you.
- Use the same safety and security practices on your mobile devices as you do with your computer. Be cautious of text messages from unknown numbers and keep your security software and applications up-to-date.
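As an added example (not part of the original post), the checklist above turned into a small triage script: it scores a text message on the indicators the post describes (urgency, a link or call-back number from an unknown sender, a request for credentials or card data, a money lure) and runs over constructed messages modelled on the ones quoted above. The regexes, weights and threshold are my assumptions, and "known sender" is deliberately weak evidence: a credential request still scores as suspicious even from a recognised number.

```python
import re
from typing import List, Tuple

# Indicators drawn from the post. Patterns and weights are assumptions
# for illustration, not a vetted classifier.
URGENCY = re.compile(
    r"\b(expires? (today|tomorrow)|now|immediately|suspended|will be charged)\b", re.I)
LINK = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
PHONE = re.compile(
    r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")
CREDENTIAL = re.compile(
    r"\b(pin|password|username|debit card|credit card|card number|account number)\b", re.I)
MONEY = re.compile(r"\$\d")

THRESHOLD = 3  # assumed cut-off for "suspicious"


def score_sms(text: str, sender_known: bool) -> Tuple[int, List[str]]:
    """Return (score, reasons); higher score means more smishing indicators."""
    score, reasons = 0, []
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency")
    if CREDENTIAL.search(text):
        score += 2  # legitimate banks never ask for this by text
        reasons.append("asks for credentials/card data")
    if MONEY.search(text):
        score += 1
        reasons.append("money lure or fee threat")
    if (LINK.search(text) or PHONE.search(text)) and not sender_known:
        score += 2
        reasons.append("link or call-back number from unknown sender")
    return score, reasons


def is_suspicious(text: str, sender_known: bool) -> bool:
    return score_sms(text, sender_known)[0] >= THRESHOLD


# Constructed samples modelled on the post's messages (fictional numbers/URLs).
SAMPLES = {
    "photos": "Jane just recommended you check out your photos on Ever. "
              "Link expires tomorrow: http://example.invalid/photos",
    "check": "Do you want a check for $1545 every week? Call this number now. 555-010-1234",
    "bank": "Your ATM card has been suspended. Call 555-010-9876 immediately "
            "and enter your debit card number and PIN.",
    "fee": "We're confirming that you've signed up for our services. You will be "
           "charged $2/day unless you cancel: www.example.invalid/cancel",
    "friend": "Running late, home now. Dinner at 7?",
    "table": "Your table for 2 is ready.",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        known = name == "friend"
        print(name, score_sms(msg, known), "SUSPICIOUS" if is_suspicious(msg, known) else "ok")
```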