Fishing with a Sandwich?
Smooching a fish?
new sushi item?
A new social media platform?
Yeah, I had no idea what this word meant until I told a colleague a story about a weird phone call and text message combination I received last week.
On Monday of last week, I was going about my day when I received a text message from a phone number that I did not have saved in my contacts. Receiving a text message like this is becoming less rare since different software manufacturers started using texts as a multi-factor authentication tool. I also receive text messages from my doctor, bank, veterinarian, and a host of other entities that my wife and I use in our everyday life. Since I was right in the middle of an excellent day-dreaming session (the above image is my workstation view), I decided to finish my thought before looking at the text. As things usually go, thirty seconds later, I had forgotten all about the text message and went on to another item that needed my attention.
Fast forward to the next day; my phone rings with another number not saved in my contacts. If this had been a few years ago, I would not have considered answering any call not saved in my phone, but the times are changing. With so many work associates working from home due to COVID and using their cell phones for business calls, I have had many mystery number phone calls turn out to be legitimate. After disguising my voice a little, in case it was a telemarketer, and answering, "Hello," I was greeted by a friendly representative saying hello and introducing herself. The young lady (I guess she was young) told me that she was calling from a software provider that I use and said that there was an issue with my billing account and that they had tried to reach me via text yesterday to correct the problem. Being very polite, since I did use the software in question and had received the text message, I asked if I could be connected to billing to correct my account. My thought was to verify further that this was legitimate when speaking to the billing department. She nicely explained that, for my security, I should follow the link in the text message, which would allow me to sign in to my account and fix the issue from their website. She thanked me, asked if I had any other questions, and politely said goodbye.
When I opened the text message, there was a shortened link for me to click, and when I did, it took me to a sign-in page. My internal "Spidey-Sense" started to tingle when I noticed that the sign-in page contained no branding for the software company. Surely no thieves are that elaborate, sending me a text message and following it up with a phone call the next day, or are they? I mean, the young lady spoke with no grammatical mistakes, was very friendly, and even refused to connect me to billing! To satisfy my paranoid side, I decided to sign in to the software from my computer using a Googled search result. Once I logged in, checked my billing, and saw no issue, I knew this was something weird and new.
Welcome to Smishing!
Smishing uses social engineering in conjunction with text messaging to capture sign-in credentials. While the bad actors also used a phone call, this is an example of smishing. These new schemes are highly significant because of the complexity of the social engineering. According to Norton Internet Security, "Social engineering is the act of tricking someone into divulging information or taking action, through technology. The idea behind social engineering is to take advantage of a potential victim's natural tendencies and emotional reactions."* Many phone numbers, including mine, are available with our names in many different places around the internet. Websites such as ZoomInfo, 411.com, whitepages.com, and the 'dark web' offer our personal and professional information for a price. My best guess is that the young lady who called me received my name and phone number from one of these website types. She then took a chance that I used the software company she spoke about, and by having my information, being polite, speaking with proper grammar, and not connecting me to a person to take my credit card information, she had me fooled. Thank heavens for that radioactive spider bite, or I would have entered my email address and password. Even worse, the sign-in form offered single sign-on with Google and Amazon. If I had used those, they would have had my passwords for those software platforms. Imagine my problems if I re-used the same password as my
While I am sure no one reading this re-uses passwords, this could be an opportunity for criminals to breach your facility's database. The average healthcare breach cost the hospital $13,000,000 per organization, plus the added costs of HIPAA fines.
Keeping your passwords and other personal information safe and protected from criminals should be a personal priority. Additionally, it is increasingly critical for the same individuals to heed data protection advice and use sound practices to keep their professional information safe and secure.
Unfortunately, in today's cybersecurity environment, protecting your personal credentials and information goes hand-in-hand with protecting your facility.
- * "What Is Smishing?" us.norton.com, 2020, https://us.norton.com/internetsecurity-emerging-threats-what-is-smishing.html. Accessed 24 Sept 2020.