Question: What is Smishing?
Answer: Smishing is phishing done through text messages, plain and simple. Often, smishing messages are easier to spot than phishing emails because most of us don’t often get texts from unfamiliar phone numbers and receiving links in texts is less common than receiving links in emails. Another reason they are often easy to spot is that smishing messages will often come from a bank or financial institution, but banks will not text you – unless you set up Text Banking, and even then *you* have to initiate the texting conversation with specific commands to receive specific information, and they won’t include any links for you to click on in the texts.
Take a look at this suspicious text a friend of ours just received from Wells Fargo.
Our friend is very security aware and knew immediately that this was a smishing attempt. She laughed at it and went to delete it, but not before we asked her to send it to us so we could show you.
How exactly did she know it was not a real text from Wells Fargo? She admitted she does have an account with them, after all.
Let’s review the facts:
- Her account with Wells Fargo is her mortgage account, not a regular banking account, and in any written communications with her refer to it as her Wells Fargo Mortgage account. In the two years of having a mortgage with Wells Fargo, she had never received a text message from them before. So it was suspicious right off the bat.
- The address from the which the text came did not match the domain in the link in the text. Wells.net vs. wellsfargo-plan.com, neither of which are the correct URL for Wells Fargo (which she is very familiar with, from paying her mortgage online every month through their secure website).
- What is oiqtpk? A professional, legitimate institution would not have such ridiculous, gobbledy-gook as their “from”. (What? Gobbledy-gook is totally a technical term!)
- If her account had actually been suspended, or was on the verge of being suspended, she would have (a) seen notifications in her account when she went to pay her mortgage, (b) and received a warning email about it that would have instructed her to visit the Wells Fargo website, login to her account and look at the reason for suspension. Financial institutions, including banks and places like E-bay and PayPal, won’t ask you to click on links in emails. They will ask you to type in the URL to your browser and login, if there really is a problem.
We want to say “Kudos!” to our friend for exercising such strong security awareness. Keep up the good work!
Latest posts by The Security Awareness Company (see all)
- NCSAM Launch Pad - September 12, 2017
- The Summer of Security - June 13, 2017
- How can YOU Help Build our 2017 & 2018 Development Roadmaps? - June 1, 2017