The Ins & Outs of Text Message Phishing

Although phishing threats most commonly occur via email, please be reminded that phishing threats also occur via phone calls, social media updates and text messages. What all phishing threats have in common is that they are social engineering attempts designed to steal information or install malware.  

Text message phishing, also known as “smishing”, often attempts to lure victims with promises of free gifts, deals and debt relief. Scammers may also send messages that purport to come from trusted institutions, such as your bank, a government agency or a charitable organization. Clicking the links supplied in these messages may:

  • direct you to a spoofed website designed to look like the website of a trusted entity in an attempt to steal your credentials or money.
  • install malware on your device, such as ransomware, spyware or cryptocurrency mining code.  

Businesses and other entities commonly use numerical text message shortcodes, which allow you to send a one-word answer in response to a message received. As you may know, these shortcodes can be used to trigger transactions, which will appear on your service provider’s bill. For example, if you text “PREVENT” to shortcode 90999, you will donate $10 to the American Red Cross Disaster Relief Fund. Please be advised that scammers may seek to steal money by posing as legitimate entities seeking donations or purchases via shortcodes. A recommended best practice is to check all shortcodes prior to donating or purchasing using the U.S. Short Code Directory (https://usshortcodedirectory.com/), which is a resource for determining the authenticity of shortcodes. You can search the directory by shortcode or brand.

Please note that sending unsolicited commercial text messages to wireless devices is illegal. A commercial sender must obtain your permission first. Exceptions include:

  • non-commercial text messages, including surveys or fundraising messages
  • text messages from a company with whom you have an established relationship

AT&T, T-Mobile, Sprint and Verizon subscribers can report phishing messages to their service provider by copying the original message and forwarding it, free of charge, to 7726 (SPAM). Unwanted commercial text messages may also be reported to the FTC. Receipt of a threatening text may be reported to the FBI Internet Crime Complaint Center (IC3).

Supplemental Recommendations:

  • Be suspicious of strange-looking numbers that are not cell numbers, such as “5000”, which may be used by email-to-text services. Scammers may use these services when texting in an attempt to mask their identity.
  • Do not visit sites via embedded links in text messages. Instead visit sites by typing a known and trusted URL into your browser’s address bar.
  • Do not click links in unexpected text messages. Clicking malicious links may lead to the installation of malware, such as ransomware or spyware. 
  • When in doubt about the legitimacy of a message, confirm with the sender via a trusted means of communication.
  • Delete messages that ask you to provide or confirm personal information. Legitimate entities do not request information in this manner.
  • Do not reply to smishing messages. Replies confirm that your phone number is active and that you review messages received.
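
The indicators from the recommendations above, expressed as a triage check that a help desk or abuse mailbox could run over reported texts. This is an added example, not part of the original advisory; the keyword patterns, indicator names and sample messages are constructed assumptions, not a vetted rule set.

```python
import re

# Patterns are illustrative assumptions derived from the advice above.
URL = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
LURE = re.compile(r"\bfree\b|\bgifts?\b|\bdeals?\b|\bdebt relief\b", re.I)
PII = re.compile(
    r"\b(?:confirm|verify|provide)\b.{0,60}"
    r"\b(?:account|password|pin|ssn|card number|personal information)\b",
    re.I,
)

def classify_sender(sender: str) -> str:
    """Classify the sender field as a US phone number, a shortcode, or other."""
    digits = re.sub(r"\D", "", sender)
    if len(digits) == 10 or (len(digits) == 11 and digits.startswith("1")):
        return "phone"
    if len(digits) in (5, 6):   # US shortcodes are 5 or 6 digits
        return "shortcode"
    return "other"              # e.g. "5000" or an email-to-text address

def triage(sender: str, body: str) -> list[str]:
    """Return the indicators from the checklist that a reported text matches."""
    findings = []
    kind = classify_sender(sender)
    if kind == "other":
        findings.append("sender-not-a-cell-number")
    elif kind == "shortcode":
        findings.append("verify-shortcode-in-directory")
    if URL.search(body):
        findings.append("embedded-link")
    if LURE.search(body):
        findings.append("lure-wording")
    if PII.search(body):
        findings.append("asks-for-personal-info")
    return findings

# Constructed sample reports (sender, body); none are real messages.
SAMPLES = [
    ("5000", "You won a free gift! Claim at http://prizes.example/claim"),
    ("12345", "Thanks for your donation to the relief fund."),
    ("+1 (555) 010-0199", "Your bank: please confirm your account PIN by reply."),
    ("+1 555 010 0142", "Running late, see you at 6."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(f"{sender!r}: {triage(sender, body) or ['no indicators']}")
```

A match is a reason to verify through a trusted channel, not proof of fraud, and an empty result does not mean a message is safe.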

Resources: