Threat Intelligence: Uptick in Smishing

The United States Federal Communications Commission issued an alert to the increasing onslaught of smishing (SMS phishing) attacks attempting to steal personal data and money. You know it’s bad when flags are being raised at this level.

Why Is Smishing So Effective?

Hackers trick individuals to enter sensitive information by crafting text messages about bank problems, unclaimed bills, package delivery issues, and law enforcement actions.

We’ve observed the most successful campaigns using simple website redirects to impersonate bank and services websites to con individuals into entering credentials and/or MFA codes. In some cases, attackers are also spoofing where the message is coming from, attempting to add legitimacy to the message.

With the credentials, account information, and multifactor codes, threat actors gain access to accounts to make fraudulent purchases, transfer money, steal identify information, or simply sell account access to other criminals.

If you simply click the links contained within the messages, you get added to a list of people who have live numbers and follow these links. That allows hackers to further target you. Dangers are elevated when individuals supply threat actors with any additional data, including credentials or MFA codes.

The FCC recommends taking the following measures to defend against these kinds of attacks:

• Do not respond to texts from unknown numbers or any others that appear suspicious.
• Never share sensitive personal or financial information by text.
• Lookout for misspellings or texts that originate from an email address.
• Think twice before clicking any links in a text message.
• If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren't hacked.
• If a business sends you a text you weren't expecting, look up their number online and call them back.
• Remember that government agencies almost never initiate contact by phone or text.
• Report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726 (or "SPAM").
• File a complaint with the FCC.

We continue to monitor the situation with additional novel techniques.

Communication to clients:

The FCC released an alert about the increase in malicious smishing (SMS phishing) attacks and subsequent fraud reported.

Hackers attempt to trick users into opening links in text messages. Then they try to get users to enter sensitive information such as credentials or MFA codes into web pages designed for phishing.

Hackers use the credentials and other information submitted to them to steal account access, personal information, and money from the victims. Threat actors also sell access to these compromised accounts to other adversaries.

Individuals who simply visit the malicious links in the text messages will be targeted in subsequent attempts and those who enter information can find their accounts compromised and money stolen.

The FCC recommends taking the following measures to defend against these kinds of attacks:

• Do not respond to texts from unknown numbers or any others that appear suspicious.
• Never share sensitive personal or financial information by text.
• Lookout for misspellings or texts that originate from an email address.
• Think twice before clicking any links in a text message.
• If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren't hacked.
• If a business sends you a text you weren't expecting, look up their number online and call them back.
• Remember that government agencies almost never initiate contact by phone or text.
• Report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726 (or "SPAM").
• File a complaint with the FCC.

For more information about IT and cybersecurity services for small and medium businesses or to schedule a free initial consultation with no obligation for your business, contact ORAM Corporate Advisors now at (617) 933-5060.