Smishing Alert

“Smishing is a form of phishing that uses mobile phones as the attack platform. The criminal executes the attack with an intent to gather personal information, including social insurance and/or credit card numbers. Smishing is implemented through text messages or SMS” (Re: TrendMicro)

Smishing example

What is a Smishing attack?

You receive a text message, or several text messages, telling you to click a link to provide the verification code to complete your login to a personal online account. However, you haven't attempted to login to the named account (examples: DMV, banks, hospital, insurance, Uber, content streaming service, etc.). This strongly indicates that someone—a criminal or criminal enterprise—is trying to login to your account, instead.

How can this happen?

Somehow, your user credentials for the account (username, password) have been compromised due to a data breach of the organization’s network.

What to do?

  1. Unless you have attempted to login to the named account, Do Not Click the Link in a Text Message.
  2. If the unexpected text message involves your financial institution, check your statement for unusual/unexpected activity.
  3. Be prepared to change your password for that account (consider using a good passphrase).
  4. Do NOT use antivirus or security freeware!
    Whatever security/antivirus software you use, pay the subscription fee for the complete toolset and keep it up-to-date.
  5. Keep your device operating system up-to-date.

What about websites that use Multi-Factor, or Two-Factor, Authentication?

Navy Federal Credit Union

NFCU uses Two-Factor Authentication. However, the member must choose whether to have the verification code sent either via Text or Email message, and that message is only sent when the member clicks the Send button.

US NCVA

Our website uses Multi-Factor Authentication. However, the verification code to complete your login can only be sent via email to the email account you specified when you setup your website Profile.

Our website will never send SMS, or text, messages to anyone about anything.

Also, no personally financial information is stored on the database for our website. When you login and click the link to pay your dues online, you are sent to PayPal; whether you have and use a personal PayPal account or pay using your bank or credit card, those data are stored and managed by PayPal using extremely strong encryption and an extremely expensive SSL certificate.