CISO Update #37
Beware of Smishing

Everyone has heard of “phishing” but what is “smishing” all about? “SMS” phishing attacks, also nicknamed “smishing”, are phishing messages that appear as text messages on your mobile device.  Just like with email phishing attacks, the criminals masquerade as government entities, tech support representatives, financial institutions, or most recently reported: food delivery or meal kit services. 

Meal kit delivery services like Hello Fresh, Blue Apron, and others became increasingly popular during the COVID-19 pandemic. Data released from Nielsen showed meal-kit sales grew nearly 19 percent in 2020 as a result of the pandemic.  As with anything else, scammers are taking advantage of this by spoofing meal kit delivery services and sending phishing emails and SMS based phishing text messages (smishes) to unsuspecting customers. Security experts say smishing is on the rise and one reason for the increase is that people are more likely to trust text messages than phone calls or emails. 

An example of a malicious text message looks like this:

“Your Gousto box is now delivered,” the phishing message read. “Enjoy the reoipej! Rate delivesy and enter wrize diaw at ‘URL’.”

The example above is riddled with typos and contains an urgent call to action, both obvious red flags. The goal is to drive users to a malicious website site and trick them into entering their personal data.

How can you protect yourself?

  1. Many of the same rules to protect yourself from traditional email phishing attacks can be applied to smishing attacks. Review the 4 Don’ts.

  2. Never trust smishing text messages even if they use your name to appear friendly and familiar.

  3. Never respond to suspicious text messages, even if the message says you can "text STOP" to prevent future messages. Any response on your part will confirm for the scammers that the number is in use—and you'll just be inviting more texts.

  4. Pay attention to the number the message comes from. Unknown numbers or 11-digit long numbers starting with a local area code, such as +44, are often associated with scam texts. Large reputable corporations will generally send text messages from short-code numbers.

  5. Install antivirus on your mobile devices for extra protection. Sophos Antivirus offers a free mobile product. Learn more here.

About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit and stay tuned for emails from for the latest from the Cybersafe campaign at FIT. Read past issues here.