A Curious Case of CEO Smishing
This Smishing incident does raise a red flag – we do need to instruct our users to inform their family members and friends of the risk, since they could also be potential victims of fraud, not just the users themselves anymore…
Story by Roman, Sequentur's CEO
What is Phishing/Smishing?
We all know phishing: a type of social engineering cyber-attack in which a scammer impersonates a trustworthy figure to trick the target into fulfilling the attacker's request.
Some of us have also heard of vishing, another common form of phishing that is done through phone calls instead of written messages.
Smishing (SMS phishing) is an attempt to impersonate legitimate brands or people that you trust, using SMS text messages, WhatsApp, Slack and now Teams.
Instead of asking for money directly, these attacks are often intended to make you click a link. That link might deliver malware, or lead to a fake website used to harvest sensitive data.
We had a run-in last week, where someone was impersonating me (see here) and texted literally all our employees, not only on their unpublished Google Voice numbers, but even their parents and close relatives. It appears that the scammer's mechanism is as follows:
- Harvest LinkedIn profiles for employee names/states
- Match those names with Facebook profiles
- Collect mobile numbers from Facebook
- Run a mass texting campaign and hope someone will respond
Results and Handling
Since our team is extremely well drilled on security awareness/phishing, this smishing example was a low-risk attack, though still a risk.
We did reply to the attacker in a controlled fashion.
We found that this was an attempt to get victims to buy Google gift cards for “me” and send “me” their gift card numbers.
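The pattern described above (an unknown number claiming to be the CEO, a request for gift cards and their codes, pressure to act quickly, sometimes a link) can be turned into a simple triage rule for texts that employees or their relatives forward to the security team. The script below is an added example, not code from this post or from Sequentur; the executive name, the "known" CEO number and the three sample messages are constructed for illustration.

```python
"""
Heuristic triage for suspected executive-impersonation smishing.

Scores an inbound text message on indicators from the incident above:
a sender who claims to be a named executive but texts from a number
that is not the executive's known one, a request for gift cards or
card codes, urgency/secrecy pressure, and an embedded link.
"""
import re
from dataclasses import dataclass, field

# Constructed sample data (hypothetical numbers and names, not real ones).
TRUSTED_EXEC_NUMBERS = {"+15550100001"}   # the CEO's known, verified number
EXEC_NAMES = {"roman"}                    # executive name the scammer impersonates

GIFT_CARD_RE = re.compile(r"\b(gift\s*cards?|itunes|google\s*play|steam\s*card)\b", re.I)
CARD_CODE_RE = re.compile(r"\b(card\s*(numbers?|codes?|pins?)|scratch|redeem)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|asap|right\s*now|immediately|in\s*a\s*meeting|can'?t\s*talk|"
    r"keep\s*(this|it)\s*(quiet|confidential))\b", re.I)
LINK_RE = re.compile(r"\b(https?://|www\.)\S+|\b\S+\.(com|net|org|io|ly|xyz|top)\b", re.I)


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def triage_sms(sender: str, body: str) -> Verdict:
    """Return a score and the indicators that fired for one message."""
    v = Verdict(score=0)
    lowered = body.lower()
    claims_exec = any(
        re.search(rf"\b(it'?s|this\s+is|i'?m)\s+{re.escape(n)}\b", lowered)
        for n in EXEC_NAMES)
    # Claiming to be the CEO is only suspicious from a number we do not know.
    if claims_exec and sender not in TRUSTED_EXEC_NUMBERS:
        v.score += 3
        v.reasons.append("claims to be an executive from an unknown number")
    if GIFT_CARD_RE.search(body):
        v.score += 3
        v.reasons.append("asks for gift cards")
    if CARD_CODE_RE.search(body):
        v.score += 2
        v.reasons.append("asks for card numbers/codes")
    if URGENCY_RE.search(body):
        v.score += 1
        v.reasons.append("urgency or secrecy pressure")
    if LINK_RE.search(body):
        v.score += 2
        v.reasons.append("contains a link")
    return v


def is_suspicious(v: Verdict, threshold: int = 4) -> bool:
    """Anything at or above the threshold goes to a human for out-of-band verification."""
    return v.score >= threshold


# Constructed sample messages modelled on the incident described in the post.
SAMPLES = [
    ("+15550109999",
     "Hi, this is Roman. I'm in a meeting and can't talk. I need you to buy 5 "
     "Google Play gift cards and send me the card numbers ASAP."),
    ("+15550100001",
     "This is Roman, reminder that the all-hands is at 3pm."),
    ("+15550107777",
     "Hello, it's Roman from your daughter's employer. Please call me right now "
     "about an urgent matter: http://link.example/confirm"),
]


def triage_all(samples=SAMPLES):
    """Score every sample; returns a list of (sender, score, suspicious) tuples."""
    return [(s, triage_sms(s, b).score, is_suspicious(triage_sms(s, b))) for s, b in samples]


if __name__ == "__main__":
    for sender, body in SAMPLES:
        v = triage_sms(sender, body)
        print(f"{sender}: score={v.score} suspicious={is_suspicious(v)} reasons={v.reasons}")
```

The scoring deliberately treats "this is Roman" from the CEO's verified number as harmless and the same words from any other number as a strong signal, which is the same idea as the Signal-only policy described later: identity is tied to a channel you can verify, not to a name typed into a text. Scores are a triage aid only; the control that actually stops the fraud is calling the executive back on a known number before buying anything.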
More on this type of attack and what to do if it happens to you here:
We had implemented an effective policy for employees and contractors to communicate with each other only through Signal (a secure messaging app, https://signal.org/en/) – it is encrypted, and you cannot spoof (imitate for the purpose of trickery) a phone number.
This is one way to ensure nobody gets vished unwittingly in the future.
If you have any questions or want to know more, let us know. We are happy to help.
Roman Gruzdev, CEO