What Exactly is Smishing?

---

Fishing with a Sandwich?
Smooching a fish?
A great new sushi item?
A new social media platform?

Yeah, I had no idea what this word meant until I told a colleague a story about a weird phone call, text message combination I received last week.

On Monday of last week, I was going about my day when I received a text message from a phone number that I did not have saved in my contacts. Receiving a text message like this is becoming less rare since different software manufacturers started using texts as a multi-factor authentication tool. I also receive text messages from my doctor, bank, veterinarian, and a host of other entities that my wife and I use in our everyday life. Being I was right in the middle of an excellent day-dreaming session (the above image is my workstation view), I decided to finish my thought before looking at the text. As things usually go, thirty seconds later, I had forgotten all about the text message and went on to another item that needed my attention.

Fast forward to the next day; my phone rings with another number not saved in my contacts. If this had been a few years ago, I would not have considered answering any call not saved in my phone, but the times are changing. With so many work associates working from home due to COVID and using their cell phones for business calls, I have had many mystery number phone calls turn out to be legitimate. After disguising my voice a little, in case it was a telemarketer, and answering, "Hello," I was greeted by a friendly representative saying hello and introducing herself. The young lady (I guess she was young) told me that she was calling from a software provider that I use and said that there was an issue with my billing account and that they had tried to reach me via text yesterday to correct the problem. Being very polite, I used the software in question, and I received the text message I asked if I could be connected to billing to correct my account. My thoughts would be to verify further that this was legitimate when speaking to the billing department. She nicely explained that, for my security, I should follow the link in the text message, which would allow me to sign in to my account and fix the issue from their website. She thanked me and asked if I had any other questions and politely said goodbye.

When I opened the text message, there was a shortened link for me to click, and when I did, it took me to a sign-in page. My internal "Spidey-Sense" started to tingle when I noticed that the sign-in page contained no branding for the software company. Indeed, no thieves are that elaborate to send me a text message and follow it up with a phone call the next day, or are they? I mean, the young lady spoke with no grammatical mistakes, was very friendly, and even refused to connect me to billing! To satisfy my paranoid side, I decided to sign in to the software from my computer using a Googled search result. Once I logged in and checked my billing and saw no issue, I knew this was something weird had new.

Welcome to Smishing!

Smishing uses social engineering in conjunction with text messaging to capture sign-in credentials. While the bad-actors also used a phone call, this is an example of smishing. These new schemes are highly significant because of the complexity of the social engineering. According to Norton Internet Security, "Social engineering is the act of tricking someone into divulging information or taking action, usually through technology. The idea behind social engineering is to take advantage of a potential victim's natural tendencies and emotional reactions."* Many, including mine, phone numbers are available with our names in many different places around the internet. Websites such as ZoomInfo, 411.com, whitepages.com, and the 'dark web' offer our personal and professional information for a price. My best guess is that the young lady who called me received my name and phone number from one of these website types. She then took a chance that I used the software company she spoke about, and by having my information, being polite, speaking with proper grammar, and would not connect me to a person to take my credit card information, she had me fooled. Thank heavens for that radioactive spider bite, or I would have entered my email address and password. Even worse, the sign-n form offered single sign-on using Google and Amazon. If I had used those, they would have had my passwords for those software platforms. Imagine my problems if I re-used the same password as my banking account.

While I am sure no one reading this re-uses passwords, this could be an opportunity for criminals to breach your facility's database. The average healthcare breach cost the hospital $13,000,000 per organization, plus the added costs of HIPAA fines.

Keeping your passwords, other personal information safe and protected from criminals should be a personal priority. Additionally, it is increasingly critical for the same individuals to heed data protection advice and use sound practices to keep your professional information safe and secure.

Unfortunately, today's cybersecurity environment protecting your personal credentials and information goes hand-in-hand with protecting your facility.

---

• * "What Is Smishing?". Us.Norton.Com, 2020, https://us.norton.com/internetsecurity-emerging-threats-what-is-smishing.html. Accessed 24 Sept 2020.

---