Fishing with a Sandwich?
Smooching a fish?
A great new sushi item?
A new social media platform?
Yeah, I had no idea what this word meant until I told a colleague a story about a weird phone call and text message combination I received last week.
On Monday of last week, I was going about my day when I received a text message
from a phone number that I did not have saved in my contacts. Receiving a text
message like this is becoming less rare since different software manufacturers
started using texts as a multi-factor authentication tool. I also receive text
messages from my doctor, bank, veterinarian, and a host of other entities that
my wife and I use in our everyday life. Since I was right in the middle of an
excellent day-dreaming session (the above image is my workstation view), I
decided to finish my thought before looking at the text. As things usually go,
thirty seconds later, I had forgotten all about the text message and went on to
another item that needed my attention.
Fast forward to the next day; my
phone rings with another number not saved in my contacts. If this had been a few
years ago, I would not have considered answering any call not saved in my phone,
but the times are changing. With so many work associates working from home due
to COVID and using their cell phones for business calls, I have had many mystery
number phone calls turn out to be legitimate. After disguising my voice a
little, in case it was a telemarketer, and answering, "Hello," I was greeted by
a friendly representative saying hello and introducing herself. The young lady
(I guess she was young) told me that she was calling from a software provider
that I use and said that there was an issue with my billing account and that
they had tried to reach me via text yesterday to correct the problem. Being very
polite, I said that I did use the software in question and that I had received the
text message, and I asked if I could be connected to billing to correct my account.
My plan was to verify further that the call was legitimate once I was speaking to
the billing department. She nicely explained that, for my security, I should follow the link
in the text message, which would allow me to sign in to my account and fix the
issue from their website. She thanked me and asked if I had any other questions
and politely said goodbye.
When I opened the text message, there was a
shortened link for me to click, and when I did, it took me to a sign-in page. My
internal "Spidey-Sense" started to tingle when I noticed that the sign-in page
contained no branding for the software company. Indeed, no thieves are that
elaborate to send me a text message and follow it up with a phone call the next
day, or are they? I mean, the young lady spoke with no grammatical mistakes, was
very friendly, and even refused to connect me to billing! To satisfy my paranoid
side, I decided to sign in to the software from my computer using a Google
search result. Once I logged in, checked my billing, and saw no issue, I knew
this was something weird and new.
Welcome to Smishing!
Smishing uses social engineering in conjunction with text messaging to capture
sign-in credentials. While the bad actors also used a phone call, this is still an
example of smishing. These new schemes are highly significant because of the
complexity of the social engineering. According to Norton Internet Security, "Social
engineering is the act of tricking someone into divulging information or taking
action, usually through technology. The idea behind social engineering is to take
advantage of a potential victim's natural tendencies and emotional reactions."* Many
phone numbers, including mine, are available together with our names in many
different places around the internet. Websites such as ZoomInfo, 411.com,
whitepages.com, and the 'dark web' offer our personal and professional information
for a price. My best guess is that the young lady who called me obtained my name
and phone number from one of these types of websites. She then took a chance that I
used the software company she spoke about, and by having my information, being
polite, speaking with proper grammar, and refusing to connect me to a person who
would take my credit card information, she nearly had me fooled. Thank heavens for
that radioactive spider bite, or I would have entered my email address and
password. Even worse, the sign-in form offered single sign-on using Google and
Amazon. If I had used those, they would have had my passwords for those platforms
as well. Imagine my problems if I re-used the same password as my banking account.
While I am sure no one reading this re-uses passwords, this could be an
opportunity for criminals to breach your facility's database. The average
healthcare breach cost the hospital $13,000,000 per organization, plus the added
costs of HIPAA fines.
Keeping your passwords and other personal information safe and protected from
criminals should be a personal priority. Additionally, it is increasingly critical
for those same individuals to heed data protection advice and use sound practices
to keep their professional information safe and secure. Unfortunately, in today's
cybersecurity environment, protecting your personal credentials and information
goes hand-in-hand with protecting your facility.