
FTC Warns: SMS Phishing Scam Impersonates State Agencies

Millions of Smartphone Users Nationwide Are Targets

The Federal Trade Commission has issued a warning about a new smishing scheme targeting millions of smartphones nationwide that impersonates state workforce agencies in an attempt to obtain personal data.


The FTC says fraudsters are impersonating employment and labor agencies to dupe users into clicking malicious links presented as forms for refiling or verifying unemployment benefits. Security experts say the campaign is the latest example of how phishing is moving to SMS, which can potentially affect corporate networks as more workers use smartphones.

"These scam phishing texts are aimed at stealing personal information, unemployment benefits or both," warns Seena Gressin, an attorney at the FTC.

Gressin says malicious links in the text messages send targeted victims to impersonations of state agencies, where the fraudsters attempt to harvest personal information for identity theft.

"Know that state agencies do not send text messages asking for personal information," Gressin says. "If you get an unsolicited text or email message … don't reply or click any link."

Erich Kron, former security manager for the U.S. Army’s 2nd Regional Cyber Center, says these SMS attacks will persist in the months ahead, impeding enterprise security efforts. As a result, organizations must continue training employees on social engineering tactics and create mechanisms for users to promptly report phishing messages, he adds.

Kayne McGladrey, an advisory board member for the Technology Alliance Group NW, warns that these scams can be effective when highly targeted. He says the schemes work when they support larger campaigns that are already underway before any SMS outreach.

Phishing Attacks Soaring

The FTC's warning comes as phishing attacks continue to be a top vector for cybercriminals targeting remote workers. Enterprise end users who rely on BYOD devices and fall victim to smishing attacks can open the door to intrusions that can potentially cripple corporate networks.

The security firm Egress says that, based on a poll of IT leaders, 73% of organizations fell victim to successful phishing attacks in the last year.

Phishing/smishing and other social engineering tactics were the top digital threat by victim count in 2020, according to the FBI’s Internet Crime Complaint Center. Of the various internet crimes tracked by the FBI, phishing placed higher than extortion, credit card fraud and other schemes.

Phishing Indicators

In guidance issued in 2020, the Cybersecurity and Infrastructure Security Agency offered security tips about smishing/phishing. CISA stressed that the integration of email, voice, text messages and web browser functionality in socially engineered attacks increases the likelihood that users will fall victim.

The agency outlined common indicators of smishing/phishing attempts, which include a suspicious sender, generic greetings and suspicious links that may be used as a malware delivery mechanism.

The Federal Communications Commission has also warned that smishing campaigns can be highly effective because of a different level of perceived trust over mobile devices. The agency advises smartphone users to:

  • Never click links, reply to text messages or call back when receiving messages from unrecognized numbers;
  • Do not respond to suspicious inquiries shared via text, even if the message requests that users "text STOP" to end communication;
  • Validate suspicious texts purportedly from companies or government agencies by searching official websites and communicating separately.

About the Author

Dan Gunderman


Former News Desk Staff Writer

As staff writer on the news desk at Information Security Media Group, Gunderman covered governmental/geopolitical cybersecurity updates from across the globe. Previously, he was the editor of Cyber Security Hub, or CSHub.com, covering enterprise security news and strategy for CISOs, CIOs and top decision-makers. He also formerly was a reporter for the New York Daily News, where he covered breaking news, politics, technology and more. Gunderman has also written and edited for such news publications as NorthJersey.com, Patch.com and CheatSheet.com.



