
Don't Click That Link: Smishing

This morning our marketing specialist woke up to a concerning text. USPS needed him to update his address because his package arrived at a warehouse and could not be delivered due to an incomplete address. He only had 12 hours to click on the link in the text to fix it. 

Or did he? Spoiler: he had not ordered anything. 

Texts of this nature are known as “smishing”, a portmanteau of "SMS" and "phishing." It refers to a type of cyberattack or scam that involves sending text messages (SMS) to individuals with the intent to deceive and manipulate them into taking certain actions, such as clicking on malicious links, providing personal information, or downloading harmful software onto their mobile devices. Similar to phishing attacks, they use a sense of urgency and high stakes (say, packages not getting delivered in time for the holidays). 

Using the message above, we will look at some of the characteristics typical of a smishing attack:

  • Illegitimate, but familiar sender: Smishing messages often appear as if they come from legitimate sources or organizations, such as banks, government agencies, or well-known companies. The messages may claim there is an urgent issue that requires the recipient's attention, like a problem with their bank account, a package delivery, or a security alert. Check the from line. In the example above, you’ll see that the message is from a crazy email address! 🚩🚩🚩
  • Urgency and Fear Tactics: Scammers use fear or a sense of urgency to prompt immediate action. They may warn of dire consequences, such as account closure or legal action, if the recipient doesn't comply. In this case, the threat is losing a package. The best response is to check on any expected packages through the sites you ordered from or with the carrier directly.
  • Request for Personal Information: Smishing messages often request sensitive information, such as Social Security numbers, credit card details, passwords, or personal identification information. The goal is to steal this information for fraudulent purposes.
  • Malicious Links or Downloads: Smishing messages may include links that, when clicked, lead to phishing websites that mimic legitimate sites to trick victims into entering their credentials or downloading malware onto their devices. DON’T CLICK THE LINK. If you are concerned, open a browser and go to the site in question directly.
  • Phone Number Spoofing: Attackers might use techniques to make it appear as if the message is coming from a trusted source, even if it's not. This can make it harder for recipients to identify the scam. Consider having a code word with your closest friends and family to ensure authenticity. Or, ignore the text/hang up the call and redial the number you know to be correct and check in.
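
For teams that triage texts reported by staff, several of the red flags above can be checked mechanically. The following Python is an added example, not part of the original article; the sample messages, sender values, keyword lists and the brand-to-domain table are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: illustrative table of brand -> domains the brand legitimately uses.
OFFICIAL_DOMAINS = {"usps": {"usps.com"}}
# Assumption: small keyword lists drawn from the red flags in the list above.
URGENCY = re.compile(r"\b(within \d+ hours?|immediately|urgent|final notice)\b", re.I)
PERSONAL = re.compile(r"\b(social security|credit card|password|pin)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)

def registrable(host):
    """Crude last-two-labels domain; real tooling should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def red_flags(sender, body):
    """Return the red flags a reported text trips, in checklist order."""
    flags = []
    if "@" in sender:  # a "text" that arrives from an email address
        flags.append("sender_is_email_address")
    if URGENCY.search(body):
        flags.append("urgency")
    if PERSONAL.search(body):
        flags.append("requests_personal_info")
    # A brand is named in the text, but the link points somewhere else.
    brands = [b for b in OFFICIAL_DOMAINS if re.search(rf"\b{b}\b", body, re.I)]
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        for brand in brands:
            if registrable(host) not in OFFICIAL_DOMAINS[brand]:
                flags.append(f"link_domain_mismatch:{brand}")
    return flags

# Constructed samples modelled on the story above (not real messages).
SMISH = ("alerts.9f3k@mail.example",
         "USPS: Your package arrived at the warehouse but could not be delivered "
         "due to an incomplete address. Update it within 12 hours: "
         "https://usps.example-tracking.invalid/fix")
BENIGN = ("+15555550100",
          "USPS: your package is out for delivery. Track it at https://tools.usps.com/")

if __name__ == "__main__":
    for sender, body in (SMISH, BENIGN):
        print(sender, red_flags(sender, body))
```

An empty result does not mean a message is safe: a text from a spoofed phone number with no link trips none of these checks, which is why verifying through a known-good channel still matters.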

With the holidays approaching, you are likely to see an increase in smishing and phishing activity. To protect yourself from smishing attacks, be cautious when receiving unsolicited text messages, especially if they request personal information, contain suspicious links, or create a sense of urgency. Verify the sender's identity by contacting them through official channels (e.g., calling your bank's official customer service number) rather than using the contact information provided in the suspicious text. Additionally, consider using security software on your mobile device, set up multifactor authentication with an authenticator app, and report suspicious activity to help detect and prevent smishing attempts.