TechGuard Blog

Keep Employees Safe from SMiShing Attacks

 
Dear Jon, Capitol One needs you to verify your PIN number immediately to confirm you are the proper account holder. Some accounts have been breached. We urgently ask you to protect yourself by confirming information here...
 
If an employee received a message like this about the company credit card, are you confident that they would react in a secure and appropriate manner? Or would they be scared by the message and quickly follow the directions given?
 
What are "SMiShing" attacks?
 
 
As the example above illustrates, SMiShing attacks are Short Message Service (SMS) messages, also known as text messages, that appear to come from reputable companies. They persuade or "phish" the recipient into revealing account numbers, passwords or private information. The attacker can craft a variety of messages to persuade the recipient to take actions such as calling a given phone number, visiting a malicious link or providing private information.
 
Not only are these attackers gaining access to private information, but some of the attacks provide an instant payoff. Watch for premium SMS messages, which can charge you extra once the messaging application has been granted permission. Each time you receive a premium SMS message, an extra fee is added to your cell phone bill, and the money goes directly to the scammer. However, premium SMS fees also have legitimate uses, such as voting or charities. You may have heard of the reality TV show Big Brother, which charges a premium fee for each vote. Knowing the signs to watch for is critical to keep your employees from being a perfect target for this type of attack.
 
You may be wondering what some of these messages look like. There are different styles and methods to watch for.
 
Examples of "SMiShing" Attacks
 
IRS Notice: Your tax return is overdue! Click here to enter your information to prevent being prosecuted.
 
Your have just won a $100 Walmart gift card! Click here to claim your gift.
 
The Apple ID associated with this number is due to be terminated. To prevent this please confirm your details at ____.
 
You get the picture. It is not hard to see the pattern develop. One common method used over and over again is creating a sense of urgency. It works because urgency is one of the most powerful forces of the human brain. It accelerates a person's decision-making process. 
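
The pattern described above can be turned into a simple triage script for texts that employees report. This is an added example, not part of the original post; the keyword lists, function names and threshold are assumptions chosen to match the sample messages in this article.

```python
import re

# Signals the article names: urgency, requests for private information,
# a call to action (link or "confirm ... here"), and a prize or threat lure.
# The keyword lists are assumptions for this example, not a vetted ruleset.
SIGNALS = {
    "urgency": re.compile(r"\b(immediately|urgent(ly)?|overdue|right away|act now)\b", re.I),
    "asks_for_secrets": re.compile(
        r"\b(PIN|passwords?|account numbers?|(your|confirm\w*) (details|information))\b", re.I),
    "call_to_action": re.compile(
        r"https?://|\bclick here\b|\b(confirm\w*|verify|enter)\b[^.!?]*\b(here|at)\b", re.I),
    "lure_or_threat": re.compile(r"\b(won|gift card|prize|prosecuted|breached|terminated)\b", re.I),
}

def triage(message):
    """Return (score, names of the signals that fired) for one text message."""
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(message))
    return len(hits), hits

def verdict(message, threshold=2):
    """Map the score to an action: report, verify out of band, or no signal."""
    score, _ = triage(message)
    if score >= threshold:
        return "report"
    return "verify" if score == 1 else "no-signal"

# The first four are the sample messages quoted in this article; the last two
# are constructed benign texts showing what the rules do not flag as reportable.
SAMPLES = [
    "Dear Jon, Capitol One needs you to verify your PIN number immediately to "
    "confirm you are the proper account holder. Some accounts have been breached. "
    "We urgently ask you to protect yourself by confirming information here...",
    "IRS Notice: Your tax return is overdue! Click here to enter your information "
    "to prevent being prosecuted.",
    "Your have just won a $100 Walmart gift card! Click here to claim your gift.",
    "The Apple ID associated with this number is due to be terminated. "
    "To prevent this please confirm your details at ____.",
    "Hi Jon, lunch at noon tomorrow? The meeting room is booked.",
    "Reminder: your library book is overdue.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        score, hits = triage(text)
        print(f"{verdict(text):9} {score} {hits} :: {text[:50]}")
```

A single signal, such as "overdue" on its own, maps to "verify" rather than "report", which mirrors the advice to confirm a message with the legitimate source before acting on it.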
 
8 Ways to Avoid Becoming a Victim
 
  1. Add your number to the Do Not Call/Do Not Solicit Registry.
  2. Turn on Premium SMS Message blocking. Check out your cell phone carrier's website or call the customer service number for assistance.
  3. Know that most banks, utility companies and courts of law do not text critical information.
  4. Do not ignore cell phone updates. These security patch updates are important.
  5. Ask your provider to remove charges from your statement if you think you were a victim.
  6. Verify that text messages and phone numbers come from the legitimate source rather than trusting the sender and clicking on their links.
  7. If you suspect that you or your employee received a fraudulent message, report it to the Federal Trade Commission and file a complaint.
  8. Trust your gut instinct. If something sounds urgent or seems odd, take some time to investigate before you take action and put yourself at risk.

Attackers prey on basic human instinct. Today's attacks are carried out in a savvy manner. Scam artists attack through many channels, including texts, phone calls, emails, malicious websites and in person. Unfortunately, many well-meaning people are caught off guard and do not recognize the attack.