By now most of you are familiar with the term “phishing,” an activity in which an adversary attempts to fraudulently acquire sensitive information through an exchange of emails. This is usually attempted by sending mass emails crafted to appear to come from a trustworthy person or organization. The ultimate goal is to extract information from the email recipient to commit identity theft, or to deliver an attachment or link containing malware or ransomware for malicious purposes.
“Spear phishing” took the phishing email threat to a new level. Instead of sending thousands of emails at random, spear phishing targets select groups of people or a single individual. The fraudulent emails often appear to originate from organizations or individuals that are familiar to the recipient. Spear phishing emails often contain personal data such as a person's name, phone number, address or work-related information in order to give an air of authenticity to the spear phishing email.
A new scam known as “smishing” is similar in many ways to phishing and spear phishing, but instead of sending deceptive emails, “smishers” use text messaging to trick recipients into responding with personally identifiable information (PII). Even more insidious, smishers attempt to download spyware to eavesdrop on conversations or install malware for nefarious purposes on mobile devices.
Although smishing has existed since 2008, smishers like using this scam because it does not have the notoriety of phishing and because many mobile phone owners use texting as one of their primary means of personal communication.
It is estimated that two-thirds of all adults with a mobile phone use text messaging and more than 90 percent of text messages are opened within 15 minutes of receipt. The ability to message instantly, combined with the significant amount of PII potentially available, provides cyber criminals with a strong incentive to target mobile phone users. Mobile phones store vast amounts of sensitive information including account and financial information, passwords, access to a variety of social media applications, and contact lists.
Examples of smishing attempts include texts:
- With a sense of urgency asking for you to confirm account information;
- From the IRS or other government agency asking you to click on a link to avoid penalties or prosecution;
- Of a personal nature from an individual posing as a friend or wanting to become your friend; and
- Congratulating you on winning a prize or other offer.
Protect yourself by applying the security protocols used against phishing and spear phishing to texting, including:
- Use caution when receiving unusual, unexpected, or unfamiliar text messages.
- Do not open unfamiliar links or respond to text messages asking for personal information.
- Be especially wary of a text message asking you to urgently respond.
- If the text looks suspicious, delete the text or contact the agency, online vendor, or organization to confirm the legitimacy of the text.
- Do not post your cellphone number on social media sites or in other public forums.
Applying common sense and simple security protocols will help prevent identity theft and malicious attacks on your mobile phone.
More privacy tips can be found on the Department of the Navy Chief Information Officer website privacy page at http://www.doncio.navy.mil/TagResults.aspx?ID=36.