“DO WHAT HAS TO BE DONE”
DISTRIBUTION:
This document is authorized for the
widest release without restriction.
Report a crime to U.S. Army
Criminal Investigation Division
Cyber Field Office
27130 Telegraph Road
Quantico, Virginia 22134
CPF 0002-2022-CID361-9H 5 January 2022
Smishing: Short Message Service Phishing
With roughly 290 million smartphone users in the United States,
cybercriminals have a target-rich environment. Anyone with a
smartphone, or possibly still with a landline, has likely received or is
familiar with robocalls and vishing (voice phishing) attacks, which aim to
obtain personal information such as financial or credit card information.
The recommended course of action has been to ignore the call or
hang up, and to register the receiving phone number with the National Do
Not Call Registry through the Federal Trade Commission or block the
robocall or vishing number via the receiving smartphone.
Not a new tactic, but one increasing in popularity among cybercriminals,
is smishing.
Smishing is very similar to phishing via email, except the message is
received on a smartphone as a Short Message Service (SMS)
message, also known as a text. The message may include a link or
request a reply, with the cybercriminal's goal being to compromise the
recipient’s personal or financial accounts or obtain personal information
to commit fraud in the recipient’s name.
The smishing messages and scam topics cybercriminals can come up
with are endless, as are the phone numbers the cybercriminals can use
and send to. Cybercriminals and scammers are relentless, so remain
vigilant and take the necessary steps to avoid becoming a victim.
Common Smishing Attacks
Fraudulent Account Activity or Account Locked – The recipient
receives a message indicating their credit card or financial account
was fraudulently used or is locked. The message includes a link that
may look like the web address of their financial institution but
leads to a mimicked website requesting the recipient’s
personal or financial information.
Prize Winner – Everyone likes to win a prize. Text messages
indicating the recipient has won a prize, even when the recipient has
not signed up for a contest, can be convincing. The cybercriminal’s
text includes a link to a legitimate-looking prize website or asks the
recipient to reply with personal information to collect their prize.
Purchase or Package Delivery Update – A smartphone user,
whether a frequent online shopper or not, receives a text with a
purchase or package delivery update. The message includes a
somewhat suspicious link containing the legitimate name of an
online retailer or shipping company. Clicking on the link downloads
malware to the smartphone, possibly compromising the device, or
leads to a mimicked website requesting specific information from
the message recipient.
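The check below is an added example, not part of the original flyer: it flags links in a text message that contain a known brand name while the hostname is not on a domain that brand actually uses, the pattern described in the account and package delivery entries above. The brand list, domains and sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: brand keyword -> domains the brand really uses (constructed data).
BRANDS = {
    "examplebank": {"examplebank.example"},
    "exampleship": {"exampleship.example"},
}
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def host_of(url):
    """Hostname of a link, whether or not the text included a scheme."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""

def on_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def flag_links(text):
    """Return (link, brand) pairs where the brand name appears in the link
    but the hostname is not on any of that brand's own domains."""
    findings = []
    for token in text.split():
        link = token.strip(".,;:!?()<>\"'")
        host = host_of(link) if "." in link else ""
        if not HOST_RE.fullmatch(host):
            continue  # not a link
        squashed = link.lower().replace("-", "")  # example-bank -> examplebank
        for brand, domains in BRANDS.items():
            if brand in squashed and not any(on_domain(host, d) for d in domains):
                findings.append((link, brand))
    return findings

# Constructed sample messages.
SAMPLES = [
    "ExampleShip: your parcel is held. Confirm at "
    "http://exampleship.example.parcel-update.test/track",
    "Track your order at https://www.exampleship.example/t/123.",
    "Your ExampleBank account is locked: example-bank.secure-login.test/verify",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(flag_links(msg) or "no brand mismatch", "<-", msg)
```
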
IRS Scam Messages – The new year, 2022, has just begun, and from
now until April everyone will be filing their 2021 taxes.
Cybercriminals know this and will send out IRS-themed messages about