SMS Phishing Imposter Scams

We’ve recently received reports of the following types of SMS phishing (“smishing”). The first is a gift card scam in which a scammer poses as someone known to the recipient, often an organizational “higher up”. This imposter attempts to trick victims into purchasing gift cards in an expedited manner. Once the cards are purchased, the scammer asks for the redemption codes on the back of the gift cards, while offering assurances of reimbursement. The following is an example of how such an exchange may be initiated:

Image of SMS text message initiating contact

The following email and text messages detail an interaction in which a student initially believes s/he has received a job offer from an NYU faculty member and, while awaiting the clearance of a $2050 check for office supplies, is asked to supply the $2050 up front in installments to expedite the process.


Screenshot of email from student to faculty member inquiring about the legitimacy of the job offer received

Text messages between student and scammer detailing request for additional monetary transfer

Recognizing and Reporting Smishing Attempts 

As with email phishing, smishing scammers attempt to trick recipients into clicking malicious links that either initiate the installation of malware or lead to a credible-looking spoofed website designed to steal sensitive information. Smishing has become a popular scam tactic because the way to check URLs on mobile devices is less apparent, and the use of antivirus software is less prevalent on mobile devices. The KnowBe4 blog post, Here Is What You Can Do To Explore SMS URL Links Before Clicking, provides alternatives for checking these URLs and additional information about smishing.

Common smishing messages are often time-sensitive, such as:

  • Promises of free prizes that sound too good to be true (they are!) 
  • Promises of help with student loans and other debt
  • Communications from financial institutions requiring immediate action 
  • Communications from government agencies, such as the IRS
  • Tech support related scams from known companies (Apple, Microsoft, etc.) 
  • Health notifications, such as COVID notifications
  • Delivery failure notifications from known entities
  • Free software downloads

Reminders: 

  • Don’t click on unexpected links, even if they come from a known number. Remember that phone numbers can be spoofed.
  • When in doubt about the legitimacy of a communication received, either delete it or contact the sender via a trusted means of communication, such as a trusted phone number, to confirm the legitimacy of the message.
  • NYU student on-campus jobs are posted on NYU Handshake, and job offers are made directly from the Handshake platform. 
  • Only download from trusted sources such as Google Play and Apple’s App Store. 
  • Do not reply to unsolicited text messages, because this just confirms that your line is operational. Instead, filter and block callers.
  • To report phishing of any kind, email phishing@nyu.edu or copy and forward the message to 7726 (SPAM), which notifies your phone service provider. You can also report spam using the FTC website.

Additional Resources: