The Federal Trade Commission (FTC) recently released data on the five most common SMiShing scams that cost consumers over $330,000,000. These five SMiShing scams have at least two things in common: The scams impersonate well-known businesses; They create a sense of urgency.
Phony bank fraud prevention alerts
You may get a text message similar to the one Kelli Hinton received from a scammer posing as a bank fraud investigator:
“Freemsg: Chase, Did you attempt wire transfer amount of $7500. Reply Y if recognized, Or NO to stop fraud.”
The bad actor followed up with a vishing phone call and ended up clearing two of her bank accounts of $15,000.
Bogus “gifts”
There is no such thing as a free lunch, and fake gift/reward smishing scams prove that adage to be true. There is always a catch to receive your gift or reward, usually it is a request to enter your payment information to cover a small shipping charge. According to the Better Business Bureau, these texts may read something like, “Your bill is paid for June. Thanks, here’s a little gift for you,” followed by an unfamiliar link to click.
Fake package delivery problems
Are you expecting a delivery to your business or home? You may receive a text message from a bad actor posing as the U.S. Postal Service, FedEx, or UPS. The message will usually say that there is an issue with the delivery and that immediate action is necessary. That is what happened to Teresa Owen. She was expecting a shipment of medical equipment and received a delivery update text message from the U.S. Postal Service (USPS). The link in the message took her to a USPS website that looked legitimate, the correct looking logo, post office information and tracking number. To avoid a delivery problem, she was told to pay 30 cents in postage. Teresa promptly entered her debit card number. Fortunately, Owen’s bank alerted her in time, and she did not lose any cash.
Phony job offers
If you post your resumes to any employment website, do not be surprised if you receive a phony text message claiming to offer employment. The big tip-off that it is not legitimate is the offer to send you a check with instructions to send some of the money to a different address for materials, training, or something similar.
Amazon security alerts
You may receive a text message from Amazon alerting you to a suspicious transaction or to verify the purchase of a big-ticket item. The message may include a link or phone number to call.
Why Scammers are SMiShing
Why are scammers using this attack vector? There are a few reasons. Bad actors realize that people just cannot seem to resist the ‘ding’ of an incoming text. In fact, more than half of all consumers text daily, making texting more common than voice or email communication. In addition, the appeal and nature of text communication is speed. So, scammers are counting on their targets replying quickly, without thinking about what the message is saying.
Educate. Test. Protect.
Would your employees be able to recognize the five most common SMiShing scams? With many accessing corporate information and accounts from their personal phones, if they fall victim to SMiShing on their personal phone, the attacker could get access to corporate information. The risks are simply too high to ignore, and the solution is attainable. Effective employee education and testing is the key to identifying risk and assessing vulnerabilities within your organization’s human network.
Our Managed SMiShing Service measures and tracks how your employees respond to text-based phishing attacks. Our engagements focus on simulation of social engineering attacks and determine the potential for corporate assets being breached and compromised. With this service you can increase your reporting metrics by testing corporate managed SMS-capable devices with data driven targeting and training. Please contact us today to schedule a consultation.