Cybercriminal “smishing” takes aim at Asante
Why is one of our executives texting you?
Well, he’s not, but a flurry of text “smishes” claiming to be from ATRMC CEO Win Howard showed up on some employee phones last month. Asante’s security team predicts this flurry of smishes will become a storm as time goes by, so be prepared. Here we go again.
The term “smish” is a blend of the words phish and SMS (a type of text message). As with a phish, the smish attacker usually poses as the institution being targeted, or as a trustworthy entity or person, and asks you to:
- Respond to the text message, thereby revealing confidential or sensitive information.
- Click on a link (to a malicious website).
- Open an attachment (infected with malware).
The only difference between a smish and a phish is that a smish arrives on your phone as a text message.
Cybercriminals must have seen recent statistics from research and consulting firm Gartner that indicate 98% of text messages are read and 45% of them are responded to, while only 6% of emails garner a response. These same criminals also learned it is easier to find a person’s phone number than a valid email address.
According to security firm Proofpoint, smishing messages increased by 328% in a single quarter in 2020, and continue to grow in volume across the globe. Smish messages have even outstripped robocalls as a phone-related scam tool.
This growth is hard to stop, since cybercriminals are difficult to apprehend. “Burner phones” (cheap prepaid phones) or email-to-text services are two of many means of hiding their identity to avoid being caught. Also, smartphone users have a false confidence in text message safety, even though smartphone security features cannot directly protect against smishing. And since smartphones are on the go with people all day, texts may be read or responded to in a moment of distraction or hurry.
As more people use their personal smartphones for work, smishing has become a business threat as well as a personal one. For example, by responding to smish texts that supposedly come from Win Howard, an employee provides the attacker with a valid contact number for future follow-up texts, including those with malicious links and attachments, or those requesting information about Asante.
If you believe you have fallen victim to a smish, take these actions:
- Report Asante content-related SMS phishing attempts to the ITS Service Desk.
- Change all passwords and account PINs where possible.
- Monitor finances, credit and various online accounts for strange login locations and other activities.
Attackers can use a wide variety of identities and premises to keep these SMS attacks fresh. Stay alert!
How to protect yourself
- Do not respond. Even prompts to unsubscribe can be a trick to identify active phone numbers.
- Slow down. Urgent account updates and limited time offers are signs of possible smishing.
- Validate the legitimacy of the text by examining it as you would a phish email (source address, content clues, message tone) or contacting the alleged sender by phone.
- Avoid clicking any links or opening any attachments in a text message.
- Check the phone number. Odd-looking phone numbers, such as four-digit ones, can be evidence of email-to-text services.
- Apply messaging filters for unknown senders on your phone to avoid future smishes.
- Download an anti-malware app to protect against malicious apps, as well as SMS phishing links themselves. Keep your phone updated to the latest version and security settings.