- Government entities like the IRS or HUD never use SMS text messages for communications. All official and legitimate communications always come through the United States Postal Service.
- Any SMS text message that asks you to reply to a form or asks for sensitive information is probably fake. Why would a trusted person or company ask you for your full name, address, or any other personally identifiable information, in bulk, through a text message? This is the setup for a scam.
- If the responses to your skepticism are met with any hostility, it is probably SMiShing. Commonly, threat actors will reply with “Why don’t you trust me?” or “Your friends have had success with me, why would you pass this up?” Real companies and friends do not follow this patterned behavior.
- Real businesses that use SMS text messaging for actual business typically ask for replies in simple terms. Like, reply “Y” to confirm your doctor’s appointment or “STOP” to terminate the text messages. SMiShing typically will use longer replies to conduct the attack, but be mindful – an attack may use the word “STOP” in the first message just to validate that someone is actually on the other side of the phone and willing to answer.
- If the SMS message has links that you do not recognize or solicits the installation of new applications, do not click on the link; especially on Android mobile devices. This is a way to potentially install malware or exploit a vulnerability and compromise the device.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.