SMiShing Is the New Phishing!

BEWARE of SMiShing!

Fraudsters are moving beyond your email and into your text messages! This new form of phishing aka “SMiShing” named after “Short Message Service”, is a new tactic scammers are using to obtain your personal information that could enable them access to your bank account or other online profiles. With smishing, malware such as keystroke logging can be installed on your smartphone or tablet just as it can be in phishing. With people increasingly using their mobile devices for work related duties, malware on your compromised mobile device can be used to gain access to passwords and corporate data as well as to plant malware on company servers.

 

One particular smishing scam Netblaze is currently seeing involves someone contacting you via text or by phone claiming to be from AT&T.  The following scenario may (or may not!) have happened to an offspring of one of Netblaze’s founders recently.  It may also have resulted in a Netblaze founder spending the good part of a precious Saturday on the phone with AT&T in an attempt to reverse the fraudster’s inflicted damage.

Smishing example:  Someone texts or calls you allegedly from AT&T and tells you something is wrong with your account and your urgent response is necessary to resolve it.  Whether they claim the problem is an unauthorized user that has gained access to your info and is purchasing new iPhones under your account or maybe someone has gained access to your phone number and is using it from another device and is racking up charges, the smishing scam artist is preying on your sense of panic. In order for them to assist you, they request that you first verify a code that will be texted to your mobile phone.

DO NOT GIVE THE FRAUDSTERS THIS TEXT CODE! 

If you have already fallen victim to this scam, call AT&T fraud services immediately for assistance and prepare to have the better part of your day pilfered from you.

No surprise here but these scammers do not actually work for AT&T.  They have accessed AT&T’s website and submitted a request to “reset your password” for your mobile phone number.  When a “reset your password” request is made, AT&T first sends you a text with an access pin as a security feature to verify that you are in fact this mobile phone number account holder.  Once the fraudsters receive this text code/access pin from you, they are able to reset your password and gain access to your myAT&T account where they can make changes, plant malware on your smartphone, order equipment, and obtain personal information.

Here are a few tips to help you avoid smishing attacks:

  • Avoid clicking links within texts and never install apps directly from a link in a text.
  • Do not reply to text messages from unfamiliar phone numbers and be especially cautious of texts coming from 5000 or any other number that is not a mobile number.  A 5000 number usually indicates that the text was sent from an email account rather than another mobile number.
  • If you receive a message appearing to be from your bank or another entity, do not respond to the text. Call them directly with a phone number that you have on file; not a phone number given to you in the text.
  • If a text is telling you to act quickly, stop and ponder this before taking action!  This is a common tactic that criminals use to persuade you to release the information they are seeking.
  • Never share your mobile phone number online or with social media accounts.
  • Warn your kids and caution your parents.  Said Netblaze founder in above example regrets not taking this action sooner.
  • Forward smishing messages to 7726 (SPAM). This helps mobile providers identify and block them.

Smishing scams have been around for over a decade but they are now becoming more prevalent due to heightened awareness of email phishing and companies like Google and Yahoo better detecting fake accounts and shutting them down. Also beware that smishing is not only popping up with your texts, but also on your messaging apps as well.