SMS Text Phishing Continues

Scams

March 28, 2024

Threat actors continue to use SMS text messages in phishing campaigns to steal users’ personal data, account information, and funds. SMS-based phishing (SMiShing) may be more effective than email phishing as these messages are viewed on a mobile device, making it more difficult for users to identify potentially malicious communications. This threat is compounded by businesses and organizations’ legitimate use of text messages for notification and outreach purposes. Users may also be fatigued by the number of text messages they receive and act on a message by clicking a link or responding impulsively. SMiShing messages typically claim to come from a well-known business or organization – such as Amazon, FedEx, UPS, Netflix, or the IRS – and request that the recipient click on a link, often to access a promotion, obtain information about a package delivery, or address a problem with their account. Links may be included within these messages that, if clicked, lead to fraudulent websites that capture user credentials, steal funds, or deliver malware (image 1). These messages may also request sensitive information from the user that could facilitate identity theft or account compromise.

There has been a recent increase in other SMiShing campaigns in which a user receives a text message from an unrecognized number containing verbiage similar to “Hey! How have you been?” The threat actors behind these campaigns seek to garner a response from the recipient. Responding may lead to a conversation in which the user is lured into a scam, such as a gift card scam (image 2), or the threat actor may simply be attempting to confirm that the phone number is active. Attempts to garner a response from the user are also used in bank impersonation campaigns, which pressure the user to reply in order to stop supposed fraudulent activity on their account, without requesting information or prompting them to click on a link (image 3).

The NJCCIC advises users to avoid responding to unsolicited text messages or contacting the sender’s phone number or any unverified phone numbers mentioned in these messages. Also, refrain from clicking on links or providing sensitive information in response to such messages. Instead, we recommend manually typing the official URL into your browser to navigate directly to online accounts. SMiShing attempts can be reported to your mobile carrier, the FTC, and the NJCCIC, or forwarded to 7726 (SPAM).