SSST #38 – Not all Cyber Attacks are Received on Your Computer!

Smish.

Smishing.

Smished.

I find it to be an annoying word in and of itself. However, today, we must talk about it.

Smishing is a technique in which hackers use a compelling text message to trick their victims into taking an unwanted action.

Hackers know people are more inclined to view and answer text messages quickly than their emails. When someone's guard is down, a hacker can quickly convince them to take action without thinking.
 
The word smishing is a combination of Short Message Service (SMS) and phishing. Both techniques are designed to send convincing messages to make you take an unwanted action: smishing via text message and phishing via email.
 
It’s easy for a hacker to look like someone else in a smishing attack. That’s because most SMS messages are not authenticated and can be sent by anyone without validation of the sender.
 
Not all smishing is delivered via a text message. With the variety of messaging apps on your phone (such as Facebook Messenger), hackers have many choices for delivering their compelling tricks.
 
Don’t reply to an unsolicited message since that will confirm your actual number, leaving you a target for additional attacks.
 
If you get an unsolicited message, your first reaction should always be to stop and think if it’s legit. Never give away PINs, passwords, or other sensitive information in response to a text or message on any app.
 
Smishing can be sent to anyone with a valid phone number. It’s important to remember that your location doesn’t matter: you can be a target of smishing whether you’re at work or at home.
 
A smishing attack might ask you to call back a phone number or provide a PIN or password to “confirm” your information. The best action is no action. Always verify the message’s authenticity directly with the service or person by calling the company using a number you have used before or emailing a contact you found on their website.
 
Certain smishing attacks focus on tricking you into giving up your multi-factor code. Again, the best action is no action, and consider changing your password if you believe it has been compromised.
 
If you aren’t sure if a text you have received is a smishing attack, don’t hesitate to ask for help. You might not be the only one being targeted, and you can help prevent your peers from becoming victims.
 
Don’t Click Links
First, if there’s a link in the message, don’t click it. If you’re concerned about the authenticity of a message, directly contact the service or person trying to interact with you.
 
Don’t Respond
When it comes to receiving a smish, the best action is no action. Responding to a smishing attack lets the hacker confirm you are engaged and gives them more opportunities to target you further.
 
Take a Moment
An unsolicited text message is going to look and feel urgent. Hackers want you to act before you think, which is why many smishing attacks are successful.

Smishing attacks rely on someone to engage with them to be effective. Help others in your organization learn how to spot and stop smishing at work and home.
