SMS Phishing Scam Impersonates State Agencies

The Federal Trade Commission has issued a warning about a new smishing scheme targeting millions of smartphones nationwide that impersonates state workforce agencies in an attempt to obtain personal data.

See Also: Live Panel | How Organizations Should Think About Zero Trust

The FTC says fraudsters are impersonating the employment and labor agencies to dupe users into clicking malicious links portrayed as forms for re-filing or verifying unemployment benefits. Security experts say the campaign is the latest example of how phishing is moving to SMS, which can potentially affect corporate networks as more workers use smartphones.

“These scam phishing texts are aimed at stealing personal information, unemployment benefits or both,” warns Seena Gressin, an attorney at the FTC.

Gressin says malicious links in the text messages send targeted victims to impersonations of state agencies, where the fraudsters attempt to harvest personal information for identity theft.

“Know that state agencies do not send text messages asking for personal information,” Gressin says. “If you get an unsolicited text or email message …. don’t reply or click any link.”

Erich Kron, former security manager for the U.S. Army’s 2nd Regional Cyber Center, says these SMS attacks will persist in the months ahead, impeding enterprise security efforts. As a result, organizations must continue training employees on social engineering tactics and create mechanisms for users to promptly report phishing messages, he adds.

Kayne McGladrey, an advisory board member for the Technology Alliance Group NW, warns that these scams can be effective when highly targeted. He says the schemes work when supporting larger campaigns underway prior to any SMS outreach.

Phishing Attacks Soaring

The FTC’s warning comes as phishing attacks continue to be a top vector for cybercriminals targeting remote workers. Enterprise end users who rely on BYOD devices and fall victim to smishing attacks can open the door to intrusions that can potentially cripple corporate networks.

The security firm Egress says that, based on a poll of IT leaders, 73% of organizations fell victim to successful phishing attacks in the last year.

Phishing/smishing and other social engineering tactics were the top digital threat by victim count in 2020, according to the FBI’s Internet Crime Complaint Center. Of the various internet crimes tracked by the FBI, phishing placed higher than extortion, credit card fraud and other schemes.

Phishing Indicators

In guidance issued in 2020, the Cybersecurity and Infrastructure Security Agency offered security tips about smishing/phishing. CISA stressed that the integration of email, voice, text messages and web browser functionality in socially engineered attacks increases the likelihood that users will fall victim.

The agency outlined common indicators of smishing/phishing attempts, which include: suspicious sender, generic greetings and suspicious links that may be used as a malware delivery mechanism.

The Federal Communications Commission has also warned that smishing campaigns can be highly effective because of a different level of perceived trust over mobile devices. The agency advises smartphone users to:

• Never click links, reply to text messages or call back when receiving messages from unrecognizable numbers;




• Do not respond to suspicious inquiries shared via text, even if the message requests users “text STOP” to end communication;




• Validate suspicious texts purportedly from companies or government agencies by searching official websites and communicating separately.