Smishing

What is it?

Smishing is becoming a common form of social engineering seen at the University. Smishing texts will typically contain a statement that something is going to happen to your account if you don't act now, which usually involves clicking on a link to a page where you are requested to provide your username and password and sometimes more. Smishing is using text messaging or social skills (social networking) to trick you into providing personal/financial information, most commonly passwords and credit card numbers, to gain access to your accounts and steal more data or money. By using fraudulent websites and false texts, perpetrators attempt to steal as much information as you are willing to give them. Attackers will try to fool you into clicking on a malicious link. Be very suspicious of any text message that has bad spelling or grammar, has a sense of urgency, or requests personal information.  Smishing texts are a weapon to harm your system, your organization, and steal personal information to harm you.  Protect yourself by learning to to recognize a smishing texts.  

If you think you have received an text that you think is a “smish”, the tips below can keep you from taking the bait and getting hooked.  

Receiving the Text Message

• Know the online companies you deal with. When a suspicious text arrives on your mobile device - THINK: it could be fraud, it's definitely spam, and it's not for you. Use the options to mark as Smishing, Phishing or Spam.
• Never respond to the text message or click any links, as it might direct you to a fraudulent website. For example, if you receive a suspicious text claiming to be from your bank, call your bank directly for clarification. Never click the link to that website in a text because it may look exactly like the real website but it could be fake.  Go to your bank's website directly using your browser.   
• Learn to identify suspicious texts. Hackers will duplicate the image of a real company; they can copy the names of a company or an actual employee name; they include sites that are visually similar to a real business, and they promote gifts or the loss of an existing account. 
  • The text message is poorly written.  Look for grammatical mistakes not just spelling errors. 
  • Smishing texts come in many forms, but the one thing they all have in common is that they contain a payload. Suspicious links and attachments are a clear indication of a phishing message. If the destination address doesn't match the context it is suspicious link.
    • Unfortunately, many legitamate and scam emails hide their destination address in a button, so it's not obvious wher the link goe to.  Do not click buttons. On a computer, you can hover your mouse over the link without clicking and the destination address will appear in a small bar along the bottom of the browser window, usually in the bottom left side. On a mobile device, hold down on the link and a pop-up will appear containing the link without launching the link.  Just don't tap it.
  • The message creates a sense of urgency. Act now or something will happen.  Hackers prey on human nature to respond.  Reread the message and don't panic. Call your boss or coworkers to validate urgency. 

Reviewing the Text Message

• Understand how the companies you deal with want to interact with you.  
• Practice safe browsing.  
• Be sure to thoroughly read emails that say they are from companies you know.  
• Hover over email addresses and the links with your mouse cursor and verify them.  
• Never enter your personal or credit information into a form in an email.  
• Most "phishing" emails are not personalized.  

Basic Recommendations

• If it seems too good to be true, it probably is;
• Hover your cursor over links in messages to find where the link is actually going; Do not click the link
• Look for misspellings and poor grammar, which can be good signs a message is a fraud;
• And, never respond to an email requesting sensitive personal information (birthday, Social Security Number, username/password, etc.).

Preventing

• Enhance the Security of Your Computer - Use and maintain your email protection software for spam blocking, fraud blocking, and anti-virus.
• Enter Your Sensitive Data in Secure Websites Only (HTTPS:)
• Periodically Check Your Accounts- Read your bank statements - every one, every month to ensure your charges and debits are correct. Stay vigilant and report any suspicious activity immediately.
• Have the Slightest Doubt, Do Not Risk It
• Get informed and stay informed about the evolution of current Malware - Here are some links that can help you learn what is out there:
  • Microsoft - Malware Protection Center
  • Symantec - Security Response Center
• Purchase Identity Insurance - just like having home insurance, you can purchase identity insurance
• Additional Information:
  • Get familiar with GMAIL security tips
  • More essential tips to help you beat phishing scams

What if you responded?

If you entered your WSU account or personal information as the result of a smishing text, take action quickly.

• Work Message event:
  • Change your password immediately! 
  • Take additional training to get better educated on how to spot a smishing text.
• Personal Message event:
  • If you entered credit card or bank account numbers, contact your financial institution. Change your passwords
  • If you think you may be the victim of identity theft, contact your local police.