the staff of the Ridgewood blog
Ridgewood NJ, SMiShing is a social engineering tactic used to send spam or malicious text messages that deceive victims into believing the message came from a trusted person or organization and convince them to perform an action, such as revealing account credentials, downloading malware, or sending money. SMiShing messages may come from random phone numbers or email addresses and often use a sense of urgency to convince the target to take the desired action quickly. In addition, robotexts, which are automated text messages sent to mobile devices, are increasingly taking the spotlight as the federal government and telecom companies try to crack down on this activity.
State-issued and/or personal mobile devices are used to make phone calls, check email, and perform other tasks. The NJCCIC received reports of threat actors sending spam text messages from free email addresses (such as Hotmail and Gmail) to NJ state employees’ mobile devices. The messages originate from different email addresses and may use a different display name each time.
For example, threat actors sent a spam text message such as “Can i Call you ?” from a Hotmail account to initiate a response. In another example, a spam text message was also sent from a Hotmail account and contained a link. Beyond being an annoyance, these messages can be used to steal money and other sensitive information, such as personally identifiable information (PII) or user credentials, or to deliver malware.
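The red flags described above (a text arriving from a free webmail address via an email-to-SMS gateway, an embedded link, urgency language) can be checked mechanically. The following Python is an added example, not code from the NJCCIC or the blog; the message records, phone numbers and addresses are constructed, and the two-indicator threshold is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass

# Indicators drawn from the advisory: texts arriving from free webmail
# addresses (email-to-SMS gateway), embedded links, and urgency language.
FREE_WEBMAIL_DOMAINS = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}
URGENCY_WORDS = {"urgent", "immediately", "now", "suspended", "verify", "expire"}
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:com|net|org|info|xyz)\b", re.I)
EMAIL_RE = re.compile(r"^[\w.+-]+@([\w-]+(?:\.[\w-]+)+)$")

@dataclass
class SmsEvent:
    sender: str        # phone number, or the email address used by a gateway
    display_name: str  # name shown on the handset; varies per message in the campaign
    body: str

def smishing_indicators(evt: SmsEvent) -> list:
    """Return the list of red flags present in one text message."""
    reasons = []
    m = EMAIL_RE.match(evt.sender.strip())
    if m:
        reasons.append("sent from an email address (email-to-SMS gateway)")
        if m.group(1).lower() in FREE_WEBMAIL_DOMAINS:
            reasons.append("free webmail sender domain")
    if URL_RE.search(evt.body):
        reasons.append("contains a link")
    words = set(re.findall(r"[a-z]+", evt.body.lower()))
    if words & URGENCY_WORDS:
        reasons.append("urgency language")
    return reasons

def should_flag(evt: SmsEvent) -> bool:
    """Assumed threshold: two or more independent indicators means probable SMiShing."""
    return len(smishing_indicators(evt)) >= 2

def recommended_action(evt: SmsEvent) -> str:
    """Guidance from the advisory: never reply (a reply confirms the number is live);
    forward the message to 7726 (SPAM) so the carrier can act on it."""
    if should_flag(evt):
        return "do not reply; forward to 7726 and delete"
    return "no action"

# Constructed sample traffic (not real campaign data).
SAMPLES = [
    SmsEvent("jdoe1984@hotmail.com", "Mike", "Can i Call you ?"),
    SmsEvent("acct-svc22@gmail.com", "Bank Alerts",
             "Your account is suspended, verify now: http://login.example/verify"),
    SmsEvent("+12015550100", "Clinic", "Reminder: appointment tomorrow at 10am"),
    SmsEvent("alerts@mybank.example", "MyBank", "Your statement is ready"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.sender, should_flag(s), smishing_indicators(s))
```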
The New Jersey Cybersecurity and Communications Integration Cell recommends users maintain awareness of current tactics used by threat actors in social engineering campaigns and understand the common red flags that accompany these threats.
Security awareness training: Participate in training to help better understand cyber threats and provide a strong line of defense.
Do not respond: Many legitimate robotexts include an option to text STOP or UNSUBSCRIBE to inform the company of your request to be removed from their distribution list. However, do not reply STOP or UNSUBSCRIBE and do not reply to unknown phone numbers or email addresses, as this will confirm to the threat actors that your phone number is valid and active and could potentially be used in subsequent campaigns or leaked to other threat actors.
Exercise caution with communications: Be wary of text messages using unnatural or ungrammatical language. Offers that seem too good to be true usually are. Also, refrain from divulging sensitive information without verifying the requestor via a separate means of communication before taking any action.
Block messages: Messages may be marked as spam, blocked and/or deleted, but threat actors can still use a different email address. Users are advised to contact their mobile cellular carrier to block text messages from email addresses, where available.
Navigate directly to websites: Navigate directly to authentic or official websites by typing the legitimate URL into the browser instead of clicking on links in messages from unverified sources, and refrain from entering login credentials on websites visited via links delivered in messages.
Use secure websites: When sharing personal or financial information, ensure you are using verified, secure, and encrypted websites.
Keep devices up to date: Stay informed about publicly-disclosed vulnerabilities and update devices—including firmware—to the latest version to ensure they are patched against known vulnerabilities that could be exploited by threat actors to gain unauthorized access to your device and/or data. If a device is unable to receive updates from the vendor, consider not purchasing or discontinuing use of the device.
Report incidents: Reporting is a good first step. Report spam text messages and robotexts to your mobile carrier by forwarding them to a specific number. To do this, copy the original message and text it to 7726 (which spells out SPAM). This works for AT&T, Verizon Wireless, T-Mobile, and Sprint, all of which will use the information to attempt to block future spam text messages. Report malicious cyber activity to the NJCCIC via the Cyber Incident Report form, the FCC, and the FTC.