The FBI has issued a warning to iPhone and Android users: beware of smishing.
Smishing attacks are fraudulent text messages sent via a phone's SMS — short message service — which are meant to trick recipients into revealing personal information, like their passwords.
The term smishing is a combination of SMS and phishing, the latter of which describes deceptive or manipulative schemes intended to get people to give up sensitive information, often through email scams.
A phishing email might appear to be from a company like Amazon — using the company's logo and even containing some links back to the website — but may be sent from someone looking to steal their login information or credit card number. Typically, a link will be included in the email that allows scammers to collect information from the recipient or access their machines.
Similar scams are happening over text messaging.
According to Bleeping Computer, an information security and technology news site, cybercriminals have registered more than 10,000 domains to push the text scams.
If someone receives a suspicious text, they should delete it immediately and never click on any links included in the messages, according to cybersecurity experts.
One widespread smishing campaign has been plaguing New York residents. In that scheme, scammers have been sending texts claiming to be from the city of New York informing residents that they have unpaid parking tickets. The texts include a link to a Google form made to look like the city of New York's Department of Finance Parking and Camera Violations log-in portal.
If a recipient fills out the form, they're then prompted to fill out a page with their personal information, including their full name, birthdate, zip code, email, and personal phone number. All of that information can then be used by malicious actors to try to gain access to people's emails, bank accounts, or other sensitive accounts by using password reset and account recovery tools built into nearly all secure websites.
A report from cybersecurity firm Palo Alto Networks' Unit 42, its research division, found that numerous malicious domains tied to the scam were used by Chinese cybercriminal groups.
The Federal Trade Commission has issued guidance concerning the scams, noting that legitimate U.S. toll services and delivery companies would never redirect to foreign domains.
The agency also warned that falling for the scams not only puts people's finances at risk, but also makes them targets for potential identity theft.
The FBI has advised that anyone who receives a suspicious text should file a complaint with its Internet Crime Complaint Center — commonly known as the IC3 — and provide details about the phone number and the nature of the text.
Targets of the scams should also visit the legitimate toll service's website or contact their customer service representatives directly to check on any outstanding payments. In other words, don't click the link in the text — go to their website on your browser or call them directly.
Victims of these scams should act immediately to secure their accounts and dispute any unauthorized transactions using their information.
