In collaboration with the Office of Private Sector (OPS), the FBI San Francisco Field Office has recently issued a report highlighting a surge in “smishing” attempts. Smishing (or SMS text phishing) is a fraudulent practice where text messages trick individuals into divulging sensitive information. This can range from personal and financial information to company-specific data and employee credentials.
These threat actors often pose as fellow employees or company leaders to persuade recipients to share sensitive data. This information can then be used for various criminal activities, including financial gain, further breaches at a company, or even targeting other employees.
Two notable instances reported in 2022 involve threat actors impersonating the CEOs of U.S. companies. Employees received text messages asking them to click on or forward links or even purchase gift cards from a local store. Additionally, multiple companies have reported smishing campaigns directing employees to enter their credentials into a phishing website.
One particularly concerning development is the emergence of “phishing kits” sold online, enabling people to launch phishing attacks quickly. In fact, one such kit was found to have the potential to harvest up to 1500 credentials per day.
We need to be vigilant and aware of these threats. Here are some indicators of potential smishing attempts:
- Text messages or phone calls from unknown numbers claiming to be a coworker.
- Requests to purchase gift cards or similar tasks with no prior conversation between employee and individual claiming to be a coworker.
- Unknown phone numbers provide URLs via text and ask the receiver to click on or forward them to additional individuals.
- Phone calls from unknown numbers claiming to be someone from the company and attempts to solicit additional identifying information about the University.
To protect ourselves and our K-State community, we must:
- Be suspicious of unsolicited phone calls, texts, and emails from unknown individuals claiming to be part of the organization.
- Verify the person’s identity through official company channels before engaging with them.
- Avoid clicking or sharing anything in an unsolicited email or text message.
- Be cautious about sharing personal or University information over the phone without verifying the caller’s identity.
- Limit the amount of personal information shared on social networking sites.
If you receive a suspicious text message or phone call, note the phone number and who the person is claiming to be, and report this information to abuse@ksu.edu.
Thank you for your attention to this matter. Together, we can keep our K-State community safe from these threats.
