There's a new warning from the FCC. It's worth paying attention to because it's not normal for the FCC to put out these types of bulletins, so it's pretty important. Let's get into it right now.
The FCC just released an alert about the SMS phishing attempts that you probably get on your phone, known as smishing. It works like phishing. Phishing is when you get an email that a scammer or a cybercriminal is trying to get you to click on or act on. In this case, the lure is a text message. I have to imagine that if you have a phone, you've gotten these text messages before. These text messages can come from another phone number, or they can come from an email address. But there are a couple of things you can do to start protecting yourself. This blog has some tips on what you should do if you get one of these texts, because your carrier or provider, like AT&T, Verizon, or T-Mobile, has systems in place where you can report these things.
Number one, smishing is effective because hackers trick individuals into entering sensitive information by crafting text messages about bank problems you might have, unclaimed bills, package delivery issues, and maybe law enforcement actions to scare you. The whole purpose of these texts, and of phishing messages too, is to elicit a response from you and provoke some emotion: get you scared, get you worried, and create enough alarm that you're going to respond.
So, the most successful campaigns are now using what are called website redirects, and that's just a fancy technical term for fake websites that look legitimate. This was discussed on the Security Squawk podcast. The podcast is posted on YouTube and all the major channels, so if you want to check it out, it's Security Squawk. In our podcast this week, we talked about the different tactics these guys are using to not only steal your password with these fake websites, but also get the multifactor or 2FA code that's sent to your phone. They have ways of getting that from you too.
These cybercriminals are good at crafting these websites to look legitimate and to act legitimate. It makes you think, "Oh, well, I just put my username and password in. I got a two-factor code," when really there's just a lot of automation behind what these cybercriminals are doing. They're also able to do things very quickly: they plug your real username and password into your bank's website, which makes the bank send you that two-factor code, and then you enter the code on the fake website and they have it. Then they log into your real bank account using the two-factor code you just gave them, because you usually have somewhere around five minutes to use that code before it potentially expires. So, really important stuff to remember there.
With credentials, account information, usernames, passwords, multifactor codes, these cyber criminals can gain access to your accounts. They can make fraudulent purchases, transfer money, steal your identity information, or simply sell access to your account to other cyber criminals on the dark web. That's all the different criminal activity we see behind these types of things. So, when you get these text messages and you're like, "Why did I just get this?" Well, that's why you just got it. They're trying to do something to steal or rip you off.
The other important thing to know about these text messages is that simply clicking on them could be enough to cause trouble for you. You don't have to fill out any information, and you don't have to give them an email address or a password. You just need to click on the link they send you, because the click lets them detect that they have a valid number and that they are able to reach you, and that usually triggers a couple of things. It usually leads to these cybercriminals sending you more messages more frequently, because they know they have a real person and they want to try to exploit you. They also turn around and sell this to other cybercriminals on the dark web who want valid phone numbers. The text message could just be a test to see whether yours is a legit, valid phone number. If it is, they build a big database, and then they sell these numbers in bulk to other scammers and other cybercriminals.
This is what the FCC recommends, and each point that was in their bulletin will be described below. Also, you can check this out for yourself, but this is what cyber experts recommend that you do to not fall victim to these scams. Number one, do not respond to texts from unknown numbers or any others that appear suspicious. If you don't know who it is, don't trust it, don't reply to it. Never share sensitive personal or financial information by text.
Unfortunately, cyber experts often see cases where people think they're conversing with somebody they trust or know. This typically happens when these cybercriminals take over an account that belongs to your friend, somebody in your family, or somebody you do business with a lot, and they start using it to send these links and perpetrate these scams. Make sure you're looking for misspellings or texts that originate from an email address. Texts can come from actual phone numbers, or they can come from email addresses. The ones from email addresses can be a little hard to block, but here's how you can also fix that.
Think twice about clicking on any links in a text message. If you really don't know who it was from, you think it's odd that they sent it to you, or you're not sure what it was about, it's probably better just to delete the text than to do anything else. As well, if a friend sends you a text with a link, or it seems suspicious or like something they wouldn't normally do, call them. Make sure they weren't hacked, because you could be letting them know that somebody has taken over their account when they don't know it yet.
If a business sends you a text you weren't expecting, like, "Hey, call back this number," be careful. These are typical of Microsoft scams and phone carrier scams like AT&T. It'll say, "Hey, this is Amazon," or "This is AT&T trying to reach you about a failed payment" or an "overdue bill, and call this number." What you want to do is go to Google or go to that company's website and get the number from there. Don't call the number from the text message.
Remember, government agencies almost never initiate contact by phone or text. It's usually a letter in snail mail, especially if it's coming from the Department of Justice or the FBI. They're not going to call you and tell you that you're going to be arrested in an hour if you don't reply. That doesn't happen, so be suspicious of those types of text messages.
Another thing you can do is forward the text message to a number that your phone carrier has. Simply forwarding the unwanted text to 7726 or SPAM will report it, and the carrier can do things on its end, on its network, to block those text messages. It can also investigate where the texts are coming from, to maybe shut down a large operation that's sending these things. So, sharing this information with your carrier is critically important to curbing this and putting an end to it.
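The warning signs above (an email-address or unknown sender, a link, a callback number, the familiar lure themes) can be turned into a simple triage check, for example for a help desk sorting reported texts. This is an added example, not from the FCC bulletin or the original post; the keyword lists, function names and sample messages are constructed assumptions.

```python
import re

# Lure themes named in the article; the keyword lists are illustrative assumptions.
LURES = {
    "bank": ("bank", "account locked"),
    "bill": ("unclaimed bill", "overdue", "failed payment"),
    "delivery": ("package", "delivery"),
    "law_enforcement": ("arrest", "warrant", "fbi", "department of justice"),
}
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)  # simplified link match
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)

def red_flags(sender, body, known_senders=frozenset()):
    """Return the warning signs from the checklist that one text trips."""
    text, flags = body.lower(), []
    if EMAIL_RE.match(sender.strip()):
        flags.append("sender_is_email_address")
    elif sender not in known_senders:
        flags.append("unknown_sender")
    if URL_RE.search(body):
        flags.append("contains_link")
    if PHONE_RE.search(body) and re.search(r"\bcall\b", text):
        flags.append("callback_number_in_text")
    flags += ["lure:" + t for t, words in LURES.items() if any(w in text for w in words)]
    return flags

def triage(sender, body, known_senders=frozenset()):
    """Map the flags to the action the article recommends."""
    flags = red_flags(sender, body, known_senders)
    untrusted = flags and flags[0] in ("sender_is_email_address", "unknown_sender")
    actionable = "contains_link" in flags or "callback_number_in_text" in flags
    if untrusted and actionable:
        return "forward_to_7726_and_delete", flags
    if actionable or any(f.startswith("lure:") for f in flags):
        return "verify_via_known_channel", flags  # call the friend / official number
    return ("be_cautious" if flags else "no_flags"), flags

# Constructed sample messages (fictional 555-01xx numbers, example.* domains).
KNOWN = frozenset({"+15550100177"})
SAMPLES = [
    ("billing-alerts@example.net", "AT&T: failed payment. Call 555-010-0199 now."),
    ("+15550100123", "Your package could not be delivered: http://example.com/track"),
    ("+15550100177", "Is this you in this video? www.example.org/v"),
    ("+15550100177", "Running late, see you at 6"),
]
if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(triage(sender, body, KNOWN), "<-", sender)
```

A link from a known contact still returns `verify_via_known_channel`, matching the advice to call a friend whose account may have been taken over.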
If it's bad or you have been scammed, file a complaint with the FCC. Make sure they know that this crime using a telecommunications device has occurred, which in the United States is a felony. Whether you're in this country or not, sending that text message to somebody in the United States is technically a felony. So, you want to make sure that you report it to the authorities so that they can conduct an investigation. It could be your tip that leads them to bring down the criminal scamming, smishing, and phishing cartels that are out there today.
Here at Xact IT Solutions, we continue to monitor this situation. It's ever evolving. If you ever need help with any of this, please contact us or drop a comment somewhere and we'd be happy to provide you some direction with this or help you out if you need it. But remember, smishing is a huge problem. The FCC doesn't put this stuff out lightly. When they do put things out like this, it's because they're detecting this type of activity and they're seeing a lot of crime around it. It's the same thing with the FBI. They do the same thing when they see and they're investigating a lot of crimes that involve these types of things. That's usually when they put out these bulletins. They don't just put them out as a feel-good measure.