
The United States Federal Communications Commission issued an alert about the increasing onslaught of smishing (SMS phishing) attacks attempting to steal personal data and money. You know it’s bad when flags are being raised at this level.

Why Is Smishing So Effective?

Hackers trick individuals into entering sensitive information by crafting text messages about bank problems, unclaimed bills, package delivery issues, and law enforcement actions.

We’ve observed the most successful campaigns using simple website redirects to impersonate bank and service websites to con individuals into entering credentials and/or MFA codes. In some cases, attackers are also spoofing where the message is coming from, attempting to add legitimacy to the message.

With the credentials, account information, and multifactor codes, threat actors gain access to accounts to make fraudulent purchases, transfer money, steal identity information, or simply sell account access to other criminals.

If you simply click the links contained within the messages, you get added to a list of people who have live numbers and follow these links. That allows hackers to further target you. Dangers are elevated when individuals supply threat actors with any additional data, including credentials or MFA codes.

The FCC recommends taking the following measures to defend against these kinds of attacks:

  • Do not respond to texts from unknown numbers or any others that appear suspicious.
  • Never share sensitive personal or financial information by text.
  • Look out for misspellings or texts that originate from an email address.
  • Think twice before clicking any links in a text message.
  • If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren’t hacked.
  • If a business sends you a text you weren’t expecting, look up their number online and call them back.
  • Remember that government agencies almost never initiate contact by phone or text.
  • Report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726 (or “SPAM”).
  • File a complaint with the FCC.

We continue to monitor the situation with additional novel techniques.

Content provided by Bruce McCully