Cybersecurity Awareness: SMS Phishing

Did you know that October is national Cybersecurity Awareness Month? The IT Division is releasing a series of educational tips and reminders to promote the importance of cybersecurity across Berkeley Lab. Be sure to also check out events and learning opportunities hosted by UC Berkeley and UCOP at https://security.berkeley.edu/cybersecurity-awareness-month-2021

Recently, the IT Division Cyber Security team noticed an increase in phishing attacks via SMS text message. By phishing via SMS, attackers are able to avoid email filtering. Phishing typically involves attempts to acquire, or get you to disclose, personally identifiable information (PII) such as your username, password, and other sensitive information. The phishers then steal your username and password to use on the real website or sell your information to other scammers. Real examples are provided below, followed by recommended actions to take and instructions for reporting spam messages.


Example 1:

In this example, the attacker sends a text from a fake address mimicking the name of a financial institution and alerts the user to log in with personal account information.

Notice that the domains of the sender and the link do not match the institution’s official address. If you logged in through this link, your bank credentials would be stolen. Legitimate companies will not ask for information about an account via SMS. Some links may point to a spoofed website which closely emulates the authentic version. Do not click the links. Contact the institution directly through its official website to verify the validity of messages.

 

Example 2:

In the following examples, the attacker sends an SMS message from an unknown number and asks the user to follow a link to schedule or confirm a change in a delivery. 

Scammers craft these messages to trick you into clicking a malicious link, which then sends you to a fake portal or may install harmful malware on your phone. Do not click the links, and report such messages as spam.


Example 3:

This example is similar to Example 2, but the message claims the user will receive a small gift for paying a bill.

Attackers may make claims of problems with an account or promises of free gifts. It is common for scammers to send fake messages asking a user to take some action before claiming a package or a prize. Be skeptical of unexpected opportunities which sound too good to be true. Do not trust requests to share or confirm personal information via text.


Recommended Actions

  1. Take steps to ensure devices meet Minimum Security Requirements.

  2. Follow IT guidance to help secure computers: Tips to Secure Your Computer.

  3. Stay up to date with Cyber Security Training requirements.


The best defense against these attacks is to be aware of the attack methodology, remain vigilant, and report anything suspicious. See the social engineering page for more tips on how to avoid phishing and other scams.

Report any suspected or known breach of personal information to [email protected] as soon as possible. For other related questions, please email [email protected] to open a ticket.


How To Report Spam Text Messages

Report it to the Federal Trade Commission at ReportFraud.ftc.gov.

