Welcome to the Oregon FBI’s Tech Tuesday segment. Today: Building a digital defense against SMiShing.
It sounds like it may be a fun game when, in reality, it is anything but fun. It is downright dangerous to your device.
The word “smishing” comes from combining SMS with phishing. SMS is “short message service” – a common form of texting. Phishing with a “ph” is a technique by which scammers fish for victims… setting lures for unsuspecting people to click on.
In this case, SMiShing involves bad actors sending messages to your device that look legit – perhaps from your bank, credit card company, or your favorite retailer.
In one version of this scam you click on that link, and you’re sent to a spoofed website that might look nearly identical to the real thing. You are asked to enter sensitive information like passwords and credit card numbers.
In another version of this scam, the SMiSher just needs you to click the link, and instead of winning that great lottery prize he offered, you get a full download of malware.
A final version of the scam is even easier to spot. The bad actor messages you with some urgent need. Maybe he tells you that your bank account is locked. He stresses you out, and, without giving you time to think, pressures you into texting back your bank account or PIN number so he can fix it. Well, he’ll fix it all right… right down to a zero balance.
Here’s how to protect yourself:
- Be wary of any message that asks for personal information.
- Know that reputable companies generally don’t contact you to ask for your username or password.
- Don’t click on anything in an unsolicited message. When in doubt, look up the company’s phone number or web address yourself and ask about the inquiry. Do not use any links or phone numbers provided in the suspicious text.
- Set up multi-factor authentication on any account that allows it.
- Be careful with what information you share online or on social media. When you post about your pet’s name, schools you attended, family members, and your birthday, you can give a scammer all the information he needs to guess your password or answer your security questions.
If you are the victim of an online fraud, you should report the incident to the FBI’s Internet Crime Complaint Center at www.ic3.gov or call your FBI local office.