TL;DR Quick Action: When a professional receives a Smish, report it to your cellular carrier by forwarding the message to 7726 (SPAM), then delete the message.
Background and Action
Many individuals have recently received and reported unsolicited messages on their mobile devices asking them to reply or take some other action that seemed suspicious. While these messages might be new to Connor Group, this method of Phishing is not.
“Phishing” (pronounced ‘fishing’) is the malicious act of sending messages, usually emails, while posing as someone else in an attempt to have the recipient perform some action that would compromise themselves or the company.
“Smishing” is a form of phishing performed over mobile messaging. The word combines the acronym ‘SMS’ (SMS, or Short Message Service, is the technical term for texting) with the word ‘phishing’.
Receiving a Smish can generate a few questions:
- How did the malicious actor get my phone number?
- How do they know I work for Connor Group?
- Does receiving a Smish mean I’ve been compromised?
Good news: being the target of a Smish doesn’t necessarily mean you’ve done anything wrong or that your account has been compromised.
Being a consumer of the internet generally means sharing personal information with other companies. In some cases that shared information is exposed by default, and in other cases it is stolen in data breaches from the same companies that asked for your information in the first place. This means a good deal of data about each of us exists on the internet and is available to whoever is willing to search, steal, or pay for it. This has not gone unnoticed by malicious actors, who aggregate this data to create attack profiles. Add in breaches from multiple companies that inadvertently exposed private client information, and over a billion users in 2020 alone had their names, physical addresses, email addresses, and phone numbers exposed (https://blog.ariacybersecurity.com/blog/the-top-10-most-significant-data-breaches-of-2020).
All this means we can count on more attempts to leverage your personal information to persuade you to:
- click a link
- enter account information
- disclose sensitive data over the phone
- text for nefarious purposes.
When you receive a Smish, please treat it the same way you would a suspect email: don’t interact with it. Report the message to your cellular provider by forwarding it to the text address 7726 (the phoneword SPAM), then delete it.