We wanted to make you aware of recent NEOMED smishing attempts and how you can be vigilant in identifying smishing red flags.
While you are likely aware of traditional email phishing, smishing is a form of cybercrime using social engineering like phishing, but via SMS/text messages (including but not limited to apps such as iMessage, Slack, or WhatsApp.) The name is derived from “SMS phishing” and uses similar techniques to entice individuals into supplying information, clicking on links on their mobile devices, or performing certain actions. Smishing attacks are particularly dangerous because texting and other SMS messaging feel more informal and personal than emails do, so it’s easier to fall into the malicious individual’s trap without feeling suspicious. Additionally, emails include plenty of red flags that might indicate a phishing attempt, including the address of the sender, the formatting of the email, or poor grammar. These red flags don’t necessarily arise in SMS/text messaging formats.
Smishing Red Flags
Most smishing messages contain a sense of urgency, as is common with social engineering. Messages may ask for your “immediate attention” for something (i.e., purchasing and supplying gift card codes), ask you to confirm an order/purchase, or may claim that your bank account/credit card has been suspended unless you act. All these messages will hook you into giving away some sort of personal information, usually financial information. In some cases, simply visiting a link will download viruses/malware onto your phone, which could disclose any information you have stored on it.
Potential Smishing Threats
- Identity theft
- Credit card fraud
- Stolen financial information
- Damage to personal credit
- Unauthorized access to protected NEOMED information could cause a security breach
- University reputation damage
What to do if You Receive a Smishing Message?
- Never click on links in an unsolicited text message
- Never respond to unsolicited text messages
- Don’t act on messages that require you to ‘confirm’ or ‘do’ anything
- If you receive an unusual link from someone you know, check with them to make sure they sent it
- Adding your phone number to the Do Not Call Registry can help reduce some unwanted spam, but not likely protect you from scammers
- Do not display your mobile phone number in public or on the Internet (i.e., LinkedIn, etc.)
- Check with your mobile service provider about options to block future text messages from select senders
- File a complaint with the FTC if you receive messages from an unwanted / unsolicited source
- Don’t reply with ‘Stop’ – the message is not from a mobile premium service. Replying will only confirm your details to scammers and put you on a ‘target list’.
- If you do click on a link by mistake, exit immediately. Do not fill out forms or attempt to contact anyone.
- Consider an antivirus/anti-malware software solution for your smartphone
- If you receive a generic text message from an unknown source that sounds like it’s from a friend – it may not be. This could be an initial ‘hook’.
- Look up the phone number online to see if it is legitimate. It’s best to also look up the bank or institution (if applicable) to verify the number on their site, since a scammer could put up a real-looking website with that number listed.
NEOMED will never ask for your password. All password changes are handled through the NEOMED Self-Service Password Reset portal. If your account has been compromised, NEOMED IT will change your password immediately. If you are not contacted but you know or think you responded to a smishing text, use the NEOMED Self-Service Password Reset portal to change your password and then notify firstname.lastname@example.org.
If you have additional questions or concerns, please reach out to us. We are here to help, and as a reminder, Information Security Awareness training is available to all employees within the NEOMED Success Center.
We appreciate all that you do to keep our University safe and secure.
NEOMED Help Desk