A recent FBI report describes smishing attempts, which send text messages purporting to be from employees or company leadership to induce individuals to reveal personal information. Actors conducting this scheme typically try to elicit financial information, personally identifiable information (PII), credentials, or details about a company and/or its employees. The criminal threat actors in these instances are attempting to solicit and/or steal various types of information which could be used for financial gain, further intrusion at a company, additional targeting of employees, or other criminal acts.
There has been an uptick in reporting of these schemes, and there have been recent similar smishing attempts,[1] including at least one instance in which an individual marketed a ‘phishing kit’ enabling the purchaser to harvest credentials. The following updates and provides examples building on the TLP-AMBER FBI LIR "Trend in Cyber Criminals Using Vishing Campaigns for Financial Gain" dated 10 December 2020, which describes techniques used in vishing campaigns and possible mitigation efforts.
- In mid-2022, a US company reported multiple employees received SMS text messages from someone purporting to be the company CEO. Some of the text messages requested employees click on links or forward the links to the CEO.
- In mid-2022, a second US company reported U.S. based employees were receiving text messages purporting to be the company’s CEO. The text messages appeared to greet the specific employees and indicate the messages were from the CEO who was in a conference and could not talk on the phone. When one employee responded asking how they could help, the unknown sender said they had a task for the employee and asked the employee to confirm if they could get gift cards from a nearby store.
- From mid to late 2022, multiple other U.S. companies reported smishing campaigns directing employees to enter credentials into a phishing website.
- One victim company reported a vendor found an alleged threat actor posting stolen credentials online and advertising a ‘phishing kit’ for sale which purportedly could harvest up to 1500 credentials per day.
Indicators: An indicator alone does not accurately determine fraudulent activity; private sector partners should evaluate the totality of the suspicious behavior and other relevant circumstances before notifying security/law enforcement personnel. The following suspicious activities/indicators are not limited to any particular individual, group, or business, and should be observed in context rather than individually:
- Text messages or phone calls from unknown numbers claiming to be a coworker or executive within the company.
- Requests to purchase gift cards or similar tasks with no prior conversation between employee and individual claiming to be executive or coworker.
- Unknown phone numbers providing URLs via text and asking the receiver to click on them or forward them to additional individuals.
- Phone calls from unknown numbers claiming to be someone from the company and attempts to solicit additional identifying information about the employee or company.
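As an added example (not part of the FBI LIR or of Red Sky Alliance's material), the following Python script applies the indicator list above the way the LIR recommends: in combination, not individually. It scores each inbound SMS for an unknown sender plus content indicators (executive impersonation, gift card tasks, URLs, forward requests, "in a conference, can't talk", credential or PII requests) and only flags a message when several line up; a single indicator, or a hit from a number that is in the company directory, is routed to human review instead. The phone numbers, the KNOWN_NUMBERS directory and the sample messages are constructed for illustration (the messages are modeled on the cases described above), and the regexes are illustrative starting points, not a vetted ruleset.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: numbers the organization actually uses (e.g. an export of the
# corporate phone directory or MDM inventory). Not real numbers.
KNOWN_NUMBERS = {"+15551230100", "+15551230101"}

# Content indicators drawn from the LIR's indicator list. Illustrative regexes only;
# tune them against your own reported-message mailbox before relying on them.
INDICATOR_PATTERNS = {
    "claims_executive": re.compile(r"\b(ceo|cfo|coo|cio|president|executive|your manager|your boss)\b", re.I),
    "gift_card_task": re.compile(r"\bgift\s*cards?\b|\be-?gift\b", re.I),
    "url_present": re.compile(r"\b(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|org|io|co|ly|me)/\S*", re.I),
    "forward_request": re.compile(r"\bforward\b|\bsend (this|it) to\b", re.I),
    "cannot_talk": re.compile(r"\b(in a (meeting|conference)|can'?t talk|cannot talk|busy on a call)\b", re.I),
    "credential_request": re.compile(r"\b(password|login|log in|credentials|verify your account|sign in)\b", re.I),
    "info_request": re.compile(r"\b(employee id|ssn|social security|date of birth|bank|routing)\b", re.I),
}


@dataclass
class Triage:
    verdict: str                                   # "flag", "review" or "ok"
    indicators: list = field(default_factory=list)  # names of the indicators that fired


def triage_sms(sender: str, text: str) -> Triage:
    """Score one inbound SMS against the indicators in combination.

    flag   -> unknown sender AND two or more content indicators
    review -> unknown sender with exactly one content indicator, or a known
              (directory) sender with two or more, which may mean a spoofed
              caller ID or a compromised phone and still deserves a look
    ok     -> anything else
    """
    hits = [name for name, pat in INDICATOR_PATTERNS.items() if pat.search(text)]
    unknown = sender not in KNOWN_NUMBERS
    content_hits = len(hits)
    if unknown:
        hits.insert(0, "unknown_sender")
    if unknown and content_hits >= 2:
        verdict = "flag"
    elif (unknown and content_hits == 1) or (not unknown and content_hits >= 2):
        verdict = "review"
    else:
        verdict = "ok"
    return Triage(verdict, hits)


def triage_batch(messages):
    """Triage a list of (sender, text) pairs; returns (sender, verdict, indicators) tuples."""
    return [(s, t.verdict, t.indicators) for s, t in ((s, triage_sms(s, m)) for s, m in messages)]


# Constructed sample messages, modeled on the cases in the LIR. Not real traffic.
SAMPLE_MESSAGES = [
    ("+15559876543", "Hi Dana, this is Mark, CEO. I'm in a conference and can't talk. "
                     "Can you get gift cards from the store nearby? Will explain later."),
    ("+15559876544", "Please review the updated policy at http://example.com/login and forward it to your team."),
    ("+15551230100", "Reminder: team lunch is at noon in the break room."),
    ("+15558675309", "Your package is delayed, see www.example.net/track for details."),
    ("+15551230101", "Hey it's your CEO, send me your password so I can verify your account before the call."),
]

if __name__ == "__main__":
    for sender, verdict, indicators in triage_batch(SAMPLE_MESSAGES):
        print(f"{sender}: {verdict:6s} {', '.join(indicators)}")
```

The point of the two-tier verdict is the LIR's own caveat: one indicator (a URL from an unknown number, say, a shipping notice) is not fraud by itself, so it goes to review rather than straight to the security team, while the CEO-gift-card pattern from a number outside the directory lines up three indicators and is flagged. A hit on a directory number is never silently dismissed, because a known number is only as trustworthy as caller ID spoofing and device compromise allow.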
Potential Mitigation Strategies: Private sector partners should regularly conduct security awareness training for all employees on subjects including vishing, smishing, and phishing schemes, social engineering, and other solicitation techniques. Employees should be suspicious of unsolicited phone calls, text messages, and email messages from unknown individuals claiming to be part of the organization.
- When you receive a suspected smishing message, try to verify the identity of the person through official company channels prior to engaging with the sender.
- Don’t click or share anything in an unsolicited email or text message.
- Be cautious about sharing any information about yourself, the company, or coworkers in a phone call when you cannot verify the identity of the caller.
- If you receive a suspicious text message or phone call, take note of the phone number and who the person is purporting to be and report this information to your company’s security team.
- Limit the amount of personal information you share on social networking sites. Only post information you are comfortable with anyone seeing.
Private sector partners should report any smishing, phishing, or vishing attempts, with or without financial or data loss. If you believe your organization to be a victim of a fraud or scam, please contact your local FBI field office and report details regarding this incident to the Internet Crime Complaint Center at https://www.ic3.gov.
The FBI’s Office of Private Sector disseminated this LIR; please direct any requests and questions to your FBI Private Sector Coordinator at your local FBI Field Office: https://www.fbi.gov/contact-us/field-offices
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] SMS text phishing (smishing) is the criminal use of text messages to convince a victim to provide personal or financial information, click on or forward a URL leading to a site designed to steal personal, financial, or credential information, or download a malicious file.