JOINT BASE LANGLEY-EUSTIS, Va. –
The cellphone in your pocket ‘dings’, notifying you of a text message. The message states the U.S. Postal Service is holding a package for you and won’t release it until you’ve confirmed delivery details. The text message also has a shortened URL for you to tap to provide the requested information.
Providing those details is exactly what the sender wants, as their goal is to compromise your personal and/or financial information through a tactic called ‘smishing’.
“Smishing is a form of phishing in which an attacker uses a compelling short message service, commonly known as a text message,” said Christopher Rooks, South Atlantic Region Cyber Security Division chief, “to trick targeted recipients into clicking a link and sending the attacker private information or downloading malicious programs to a smartphone.”
The above example, known as ‘package tracking’, is just one of the common smishing attack types. Another is ‘fraudulent account activity’, which is where a recipient receives an SMS saying their financial account or credit card has been locked due to suspicious activity. To unlock it the recipient only needs to tap the included link, enter their personal access information, and allowing the scammer to gain the information they were fishing for.
“Smishing can be a threat to JBLE personnel security and privacy by tricking individuals to reveal personal, sensitive information,” said Rooks. “The scammer may try to access the victim’s online bank, email or another service that may open doors to various other places.”
According to the U.S. Army Criminal Investigation Division Cyber Field Office, cybercriminals may also attempt to steal personal information with Internal Revenue Service-themed messages about recalculating tax refunds, needing additional details to avoid prosecution, or requesting additional information to avoid the cancellation of the recipient’s social security number.
There are several tips to prevent and mitigate these threats. A few of these include don’t click on links in suspicious texts as they could install malware on your cellphone, don’t assume a text is legitimate just because it comes from the same area code, and don’t reply, even if to text ‘STOP’ to prevent further messages.
With regards to the IRS, according to their website: “Taxpayers need to remember that the IRS will not contact them by text message or social media and ask for personal financial information. The IRS will also not initiate contact by phone or email. If the IRS needs to contact you, it’ll usually first send a letter in the mail through the [USPS].”
According to Rooks, users can forward all questionable texts to 7726 (SPAM), which helps wireless carriers investigate and block senders of smishing messages. For additional resources, check out https://www.cid.army.mil/cyber.html or https://www.osi.af.mil/cyber.