Smishing
For someone who considers himself a modestly eloquent wordsmith, I learned a new word recently: Smishing.
I am sure most of you are familiar with the term phishing, which refers to fraudulent emails or messages, often masquerading as being from a reputable source, with the sole purpose of obtaining personal or financial information.
Smishing, on the other hand, is phishing done specifically through an unsolicited SMS (text) message.
Why am I educating you on something that sounds like it came right out of a Dr. Seuss book?
Recently one of my clients received a message from what seemed like the United States Postal Service, but was in fact a smishing expedition. See the image above. Come to think of it, I've received a few of those types of texts recently as well.
With all of us receiving lots of brown paper packages tied up in string during this Christmas season, this could be an easy thing to fall for. But lucky for us, we're smarter than those Smishers out there.
What to look out for?
In looking at the example above, here are a few clues that things might be awry:
The phone number the text was received from does not look like a standard United States phone number.
The text asks the recipient to reply and follow a link. It's a little fishy (smishy?) anytime you're asked to click or follow a link.
The link seems legit at first glance but contains a few extra letters near the end that should raise the hair on the back of your neck.
If you go to the USPS website, you'll find that they describe these types of smishing scams and how they differ from the normal practices of the USPS.
These things work for a reason
This particular client explained that they have received these types of messages multiple times before, and the first time this happened, it was legitimately from the USPS. In that first case, the text message stated that the package was undeliverable for x reason and was being held at a facility where the person would need to come by and pick it up.
In the smishing example shown above, the package was similarly said to be undeliverable and they asked for an updated address. Tricky tricky.
In other phishing/smishing instances, the sender often uses the actual logo of the company being impersonated and includes accurate information or tries to cite a legitimate reason for contacting you. For example, back at the beginning of the year, there was a phishing scam that seemed to be from the U.S. Social Security Administration, which used a real-world recent change in Social Security statements to target people.
How do we know what's true anymore?
I agree that it can be a scary world out there.
Recently a family member bought what seemed to be used-like-new Apple AirPods which came in the normal Apple box with a cord and the extra earbuds, and were identical to Apple AirPods down to the fine print saying 'Made by Apple' with the correct logo and everything.
These 'AirPods' were in fact fake, discovered by an Apple store employee who looked up the serial number when the AirPods were acting glitchy. Just like phishing/smishing scams, the perpetrators are smart and play on our familiarity with logos, real-life scenarios, and good timing (like USPS scams around Christmas).
So what can we do?
The best advice I can give you is constant vigilance! That was a little Harry Potter reference for ya. But truly, awareness is the best practice: always pause and think before clicking any link or sharing any personal information.
If you do need to share personal or financial information with a company/website, make sure it's the real deal. Ideally you would be using a password manager that would only offer up the login credentials if it's the right website. Furthermore, I always advise using multi-factor authentication whenever possible.
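For the curious, here is the "is this the right website?" check behind both the extra-letters link clue and the password manager advice, written out in Python. This is an added example, not code from USPS or from any password manager; the function names, the sample text message and the `.example` links are made up for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "usps.com"  # the domain the real Postal Service site uses

def host_of(url):
    """Return the lower-cased host a link really goes to, or None if unparseable."""
    try:
        host = urlsplit(url).hostname  # drops any "user@" prefix and ":port"
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def is_official(url, official=OFFICIAL_DOMAIN):
    """True only for https links whose host is the official domain or a subdomain of it."""
    host = host_of(url)
    if host is None or not url.lower().startswith("https://"):
        return False
    # "usps.com-parcelhelp.example" merely STARTS with usps.com; only the END counts.
    return host == official or host.endswith("." + official)

def suspicious_links(message, official=OFFICIAL_DOMAIN):
    """Pull every http(s) link out of a text message and return those that fail the check."""
    found = re.findall(r"https?://[^\s<>\"']+", message, flags=re.I)
    links = [u.rstrip(".,;!?)") for u in found]  # trim sentence punctuation
    return [u for u in links if not is_official(u, official)]

# Constructed sample text, modelled on the "undeliverable package" message described above.
SAMPLE = ("USPS: your package is undeliverable. Update your address at "
          "https://usps.com-parcelhelp.example/track and reply Y.")

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE):
        print("Do not tap:", link, "-> really goes to", host_of(link))
```

The takeaway: what matters is how the site name ends, right before the first single slash, not whether "usps.com" appears somewhere in the link.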
Not that this USPS text is the best-disguised smishing scam we've ever seen, but it is a timely and relatable one. So there you have it, a little PSA to remind us all to be vigilant during this busy holiday season.