What in the world is smishing?

Beware of manipulative text messages

By Mark Hoffmann, KENOSHA.COM

A leader in the IT industry for nearly three decades, Hoffmann has helped small and large businesses take advantage of technology to better serve their customers and employees. Hoffmann is owner of CMIT Solutions of SE Wisconsin.

Cybersecurity experts are raising alarms about “smishing,” a unique form of phishing that attempts to deliver malicious links or infected applications to cell phones via text or SMS messages.

The challenge with these types of cyberattacks is that a text or SMS message cannot be authenticated beyond the phone number it’s sent from. Hackers have started using new tools that allow them to send legitimate-looking SMS messages from spoofed or stolen telephone numbers.

A recent text-based scheme targeting Android devices purports to be from a delivery company like UPS or FedEx. When unsuspecting users click the supposed package tracking link included in the message, it installs a malicious app that can steal banking credentials and other personal information.

Adding to the challenge is the fact that text messages aren’t nearly as easy to track and prevent as, say, malicious emails. URL (Uniform Resource Locator) links sent via text or SMS message are more difficult to inspect for security issues without completely loading the web page the link points to.

Often, these links are shortened to an innocent-looking address that makes it difficult to tell where the link will take you. As an example, the link https://rb.gy/gf7ni7 will actually take you to my company website, https://cmitsolutions.com/se-wisconsin/.

But hackers can easily use these shortened addresses or change a character to point somewhere illicit. In addition, one of my favorite ways to check for bad links in browsers … mobile users can’t hover over a message-based web link to see where it actually points, which means smishing attempts delivered via text or SMS message require extra attention.
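For readers who filter or review inbound messages, the two tricks described above (shortened links and single-character changes) can be flagged without loading the page. The sketch below is an added example, not code from the author or from CISA; the shortener and trusted-domain lists and the fed3x.com host are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed lists for illustration; maintain your own in practice.
SHORTENERS = {"rb.gy", "bit.ly", "tinyurl.com", "t.co"}
TRUSTED = ("ups.com", "fedex.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in SHORTENERS:
        return "shortener"  # destination is hidden until the redirect is resolved
    for good in TRUSTED:
        # Exact match or a true subdomain; "fedex.com.evil.example" does not qualify.
        if host == good or host.endswith("." + good):
            return "trusted"
    for good in TRUSTED:
        if edit_distance(host, good) == 1:  # one changed, added or dropped character
            return "lookalike:" + good
    return "unknown"


def triage_sms(text: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every link found in an SMS body."""
    results = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")  # drop sentence punctuation glued to the link
        results.append((url, classify_host(urlsplit(url).hostname or "")))
    return results


# Constructed sample message, not a real capture.
SAMPLE = "FedEx: delivery failed, reschedule at http://fed3x.com/track?id=1 or https://rb.gy/gf7ni7."
```

Very short brand names such as ups.com sit one edit away from unrelated legitimate domains, so treat a "lookalike" verdict as a prompt for review rather than proof.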

Cybersecurity experts at CMIT Solutions echo the following recommendations from the federal Cybersecurity and Infrastructure Security Agency (CISA) to combat smishing schemes:

Only download applications from official stores, such as the Android Play Store or Apple App Store

Take this security check a step further by scanning the name and description of any app before downloading it — look for misspellings, grammatical mistakes and other telltale signs of any problems. Also, read app reviews carefully to see if they seem like real people wrote them. If you see multiple five-star reviews composed with misspellings, poor grammar and improper syntax — or worse, no reviews at all — use caution.

Beware of unsolicited texts that use high-pressure tactics

These can include urgent prompts like “Don’t let your account lapse!” or “Are your funds safe?” along with more benign push notifications like the previously mentioned package tracking link. Legitimate websites will typically also message you inside their website. When in doubt, visit a company’s website by typing in its URL address and then check your messages and notifications there.

Be even warier of text messages that ask you to enter information

It should go without saying that any request for financial information, login credentials, or private details should be ignored and deleted. Don’t be tempted by “something for nothing” messages or other too-good-to-be-true offers.

Think you’ve accidentally clicked a malicious link?

Quit all applications immediately and power your device off. If your phone seems to be working fine when you restart it, log out of any accounts that were open when you clicked the malicious link, and DO NOT log back in on your mobile device. Instead, log in to the account on a desktop or laptop computer to review recent activity and look for any suspicious behavior.

Consult with a trusted IT provider to discuss cybersecurity and security awareness training for mobile devices

Small and mid-sized businesses can consult with a local IT solution provider like CMIT Solutions in SE WI. Most professional IT solution providers can offer comprehensive managed IT services that automatically deploy security patches and software updates for mobile and desktop machines, maintaining a constant watch on day-to-day operations and Internet traffic. These kinds of solutions help keep devices running and employees working while strengthening cybersecurity protection for all types of apps and devices.

Smishing adds to the list of countless other cybersecurity threats like phishing and spear phishing. These threats can create serious problems for business owners and employees concerned about the integrity of their systems and critical data. At CMIT Solutions of SE WI, we go the extra mile to keep your laptops, mobile devices, and desktop computers safe from scammers, spammers and digital criminals of all types.

If you want to prevent smishing and other IT issues, contact CMIT Solutions today. We keep track of digital threats and proactively protect your business, your employees, your data and your devices.