The next time you receive an unsolicited text message, pause before opening it. Smishing combines short message service (“SMS”) and phishing and is performed via text or social media messaging. Depending on the cybercriminal’s focus and expertise, a smishing attack can trick an individual into entering their login credentials to a fake website, installing an app laden with malware, or simply responding to a text and providing their username and password. Notwithstanding the financial losses, a smishing attack can expose an individual’s personally identifiable information, resulting in the stress and inconvenience of identity theft.
How big of a problem is smishing?
According to Proofpoint, an enterprise security company, the volume of smishing attacks is growing at an alarming rate.
Voya’s S.A.F.E. guarantee
The ABA Retirement Funds Program (“Program”) is committed to safeguarding your participants’ financial accounts and personal information from the risk of fraud, cyber threats, and unauthorized activity. Through the Program, your participants have access to Voya Financial’s (the Program’s recordkeeper) S.A.F.E.® (Secure Accounts for Everyone) Guarantee. If any assets are taken from your participants’ retirement plan account due to unauthorized activity and through no fault of their own, Voya Financial (“Voya”) will restore the value of their account.
Protect yourself and your employees
As employees switch between personal and business devices, smishing is particularly beneficial for cybercriminals as it can unlock personal and business-related data. Anyone who uses a smartphone or exchanges messages via social media must be aware of the threat and take steps to protect themselves. Here are steps you and your employees can take:
Resist the temptation to act.
Smishing attacks urge individuals to act quickly before they can scrutinize the message and question its legitimacy. Before opening a text and interacting with it, you should pause and give yourself time to think. You should be especially wary of texts that mention security, limited offers, or legal issues, as they are often used to trigger action.
Businesses will not use texting to exchange sensitive data.
While texting is a routine activity, for security and compliance reasons, financial institutions do not use it to gather sensitive data. If in doubt, you should delete the message and contact your financial institution. If the message is legitimate and urgent, most institutions will follow up via other communication channels.
Do not store sensitive data on your device.
While many smartphones remain in an individual’s possession, such proximity provides a false sense of security. Sophisticated cybercriminals can use smishing to access the data stored on any device. You should exercise caution when storing personal data on your phone. For example, you should not store complete passwords, bank account numbers, social security numbers, or any other sensitive data you wouldn’t want anyone to access.
The magnitude of the losses associated with a smishing attack depends on the attacker’s skills and ability to use the data they steal. While you may struggle to delete a text message without opening it, that is often the safest way to act.
Share these tips with your employees to help them learn how to protect their accounts and identity.