Corporate TIPS: Smishing - A New Cyber Threat in Text Messages
on March 4, 2020
In the world of the internet of things (IoT), consumers have become accustomed to instant gratification and expect instant deliveries, instant response, and instant updates to their daily lives via text message. Amazon®, Target®, FedEx® and UPS® (among others) all provide real-time updates and notifications on the status of orders and deliveries via text message.
Short code messaging, known as SMS code, is the delivery tool used by these companies to distribute text updates. These texts include a short message indicating an update and often prompt users to click a link in the text to see the full details.
Phishing, which has been around for quite some time now but has become very sophisticated, is an email scam and does not use SMS code. Recipients of a phishing email often receive a link to a compromised site, or are otherwise induced to send back personal information such as Social Security numbers, account numbers, and other password information.
Enter smishing: a version of phishing which incorporates SMS text messaging. The same tools that hackers use to spoof or fake an email sender and otherwise make the email seem legitimate are used in text messages to make you think they too are legitimate. Because SMS messages often come from a short sender code (like 474-222), we don’t recognize them or store them in our phones as a contact number. Thus, it is common not to recognize the sender of an SMS message and to inadvertently click on an embedded link. This is why smishing is becoming such a threat in the world of data privacy and cybersecurity.
Here are some tips to consider when receiving SMS messages:
- Do Not Click on Links. Unless you recognize a string of texts from that same number which you previously identified as legitimate (e.g. Amazon sends you daily updates due to your purchase patterns and history), do not click the link in the text. Instead, go to the site separately through its app or a secure browser and check it that way.
- Do Not Send Personal Information or Log In From the Link. Even if you inadvertently click on the link, do not enter information on the page it opens. Such pages are easily impersonated, and by entering login information you may give a hacker complete access to your account.
- Be Wary of Fraud Alerts. These are often the most tempting links to click because you want to see what triggered a fraud notice and address it immediately. However, scammers take advantage of that sense of urgency and use it to steal your information, resulting in an actual fraud issue. Contact your financial institution directly via its secure website or app to check your account. You can call the number on the back of your banking card if you suspect fraud has occurred.
- Do Not Download Apps from a Link. If you are prompted to download an app to access the information provided in the link… STOP. If you want the app, go directly to the app store and search for it there. These downloads can contain malware, which is then on your phone instead of the app you thought you were obtaining.
Cybercriminals never sleep. They are scheming in conference rooms, both virtual and real, all over the world, designing methods and strategies for stealing personal and business information. Keeping your data privacy governance documents and security framework updated and your data secure are ongoing tasks that require continuous proactive efforts. Without strategies in place, however, compromised data systems and the post-breach recovery and remediation efforts require exponentially more time and money. Stay vigilant and engage experts to keep your data secure.
How Brouse Can Help
Brouse McDowell’s Cybersecurity team provides guidance and legal advice for data breaches. We also provide proactive solutions for companies to defend against cyber-attacks and events. We offer legal services related to data privacy and cybersecurity, including pre-breach and cybersecurity planning services, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.