Phone Security: Defense Against Smishing, Spear Phishing, and Spam
November 10, 2022
The Attack
Last week, many Biolans received malicious text messages on their personal cell phones claiming to be from Biola executives, such as Mike Pierce, Lee Wilhite, or Dave Grant.
Thankfully, most members of our community reported these messages and did not fall for the attack. Good job, team!
Here is an example of one of these fraudulent text messages:
Hello [Name]
What’s your availability at the moment?, I’m so tied up in an impromptu meeting right now, I would have preferred to call you but phone call is not allowed during the meeting and I need you to run an urgent task for me. Let me know if you can do this for me.
Best Regards,
Dave Grant
Chief Human Resources Officer
What is “Spear Phishing”?
Unlike common phishing attacks, these attacks were what we call spear phishing: phishing attacks that target specific organizations or individuals. They are also an example of CEO fraud, in which attackers impersonate an authority within a company. These messages were targeted at specific Biola employees who could have a business relationship with the impersonated executive.
This means that the attackers uniquely targeted Biola employees and did research on Biola personnel. Biola experiences spear phishing frequently, but this is the first large-scale attack that combined spear phishing, CEO fraud, and SMS messaging, or smishing.
What is “Smishing”?
Smishing is a type of phishing attack delivered via SMS message (i.e. cellular text message). Like all phishing, smishing is a type of social engineering attack. Social engineering is the act of manipulating people into performing actions or divulging confidential information.
Smishing has all the same marks as phishing, and should be treated the same way. The only difference is that it is delivered via SMS message (likewise, “Vishing” refers to phishing via phone call or voicemail).
How did they get my phone number?
Firstly, we have no reason to suspect that any Biola system or database was compromised by attackers. There are no signs that attackers stole employees' personal phone numbers from a Biola system or service.
The disappointing truth is that attackers already have your phone number. This is why most people receive scam calls every day.
Two common ways attackers gain personal data are through malicious data breaches and insecure applications:
Data Breaches: Attackers buy and sell personal data in bulk on the dark web. Just last month, 327 million records from LinkedIn were posted on the dark web, including users’ phone numbers and employment information.
Malicious Apps: Many mobile apps available on Apple’s App store and Google Play harvest and share your personal information. This is why it’s always important to only use apps from trustworthy developers and carefully scrutinize app permissions to see what data the app is gathering.
Once attackers have your cell phone number, it’s only a matter of identifying where you work. In the case of the LinkedIn data breach, this information is often already available.
Attackers may use public information like the Biola website or Directory to learn about your department and where you work. Not all departments are publicly listed in the directory, but it’s important that some employee information is made publicly available to those who need it.
I received a suspicious text message. What next?
Stop! Don’t respond immediately. Remember that a strong sense of urgency is a warning sign. An out-of-the-blue text from Biola leadership is likely an attack.
Fortunately, all of the techniques you’ve learned to identify social engineering via email apply to SMS messages. Complete your annual information security training, hold your coworkers accountable to cybersecurity best practices, and review our articles on social engineering and phishing:
Phishing RePhresh - An overview of how to protect yourself from phishing.
Can You Spot the Imposter? - Examples of CEO fraud and spear phishing.
Don’t Be Manipulated by Social Engineering - An overview of social engineering.
They Know Who You Are - Explanation of targeted attacks at Biola.
Keep What’s Private, Private - Tips for protecting your information online.
If you are suspicious of a text message, contact the sender or their assistant through an alternate known channel of communication (e.g. if you know the individual, call or email them at a trusted number), or contact the IT Helpdesk.
If you were to respond to the message, the attacker would likely send you follow-up text messages containing malicious links that would attempt to steal your information or transfer malware to your device. On occasion, the attacker will indicate that they need you to purchase a gift card for them and send them the code. While this may seem like an obvious scam, it’s surprising what people might fall for when they’re feeling the pressure of talking to a supposed executive.
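As an added illustration (not part of the original article), here is a small Python triage script that scores a text message against the warning signs described above: impersonation of a named Biola executive, urgency, a claim that the sender cannot take a call, a request to run a task, a gift-card request, and embedded links. The rule weights, the suspicion threshold of 4, and every sample message except the one quoted in the article are constructed assumptions for the demonstration.

```python
import re

# Names of the impersonated executives cited in the article.
EXECUTIVE_NAMES = ("mike pierce", "lee wilhite", "dave grant")

# Each rule: (label, compiled regex, weight). Weights are assumed, not from the article.
RULES = [
    ("impersonates_executive", re.compile("|".join(re.escape(n) for n in EXECUTIVE_NAMES)), 3),
    ("urgency", re.compile(r"\b(urgent|right now|immediately|asap|at the moment)\b"), 2),
    ("cannot_call", re.compile(r"\b(in a meeting|can'?t talk|phone call is not allowed)\b"), 2),
    ("asks_for_task", re.compile(r"\b(run a(n)? .*task|do this for me|need you to)\b"), 2),
    ("gift_card", re.compile(r"\bgift ?cards?\b|\bcodes? on the back\b"), 3),
    ("contains_link", re.compile(r"https?://\S+"), 2),
]
SUSPICION_THRESHOLD = 4  # assumed cut-off for flagging a message for review

def score_sms(text: str, sender_known: bool = False) -> dict:
    """Score an SMS against the smishing warning signs; higher is more suspicious.
    sender_known=True models a number already saved in the recipient's contacts
    (a known channel the recipient could verify through)."""
    lowered = text.lower()
    hits = [label for label, rx, _ in RULES if rx.search(lowered)]
    score = sum(w for label, _, w in RULES if label in hits)
    if not sender_known:
        hits.append("unknown_sender")
        score += 1
    return {"score": score, "hits": hits, "suspicious": score >= SUSPICION_THRESHOLD}

# The message quoted in the article, flattened to one line.
SAMPLE_FROM_ARTICLE = (
    "Hello [Name] What's your availability at the moment?, I'm so tied up in an "
    "impromptu meeting right now, I would have preferred to call you but phone call "
    "is not allowed during the meeting and I need you to run an urgent task for me. "
    "Let me know if you can do this for me. Best Regards, Dave Grant "
    "Chief Human Resources Officer"
)
# Constructed follow-up of the kind the article warns about, and a constructed benign text.
GIFT_CARD_FOLLOWUP = "Great, I need you to get 4 Apple gift cards of $100 each and text me the codes on the back."
BENIGN = "Hey, are we still on for lunch tomorrow at noon?"

if __name__ == "__main__":
    for label, msg, known in (("article sample", SAMPLE_FROM_ARTICLE, False),
                              ("gift-card follow-up", GIFT_CARD_FOLLOWUP, False),
                              ("benign", BENIGN, True)):
        print(label, score_sms(msg, sender_known=known))
```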
What else can I do?
Check to see if your information is compromised.
Several legitimate, trustworthy cybersecurity organizations scour data breaches to identify compromised accounts. You can look this information up publicly:
(Note that both of these services are only scouring publicly available lists. Attackers likely have additional data leaks that the public don’t know about.)
If your email address has been compromised, you should change your password for that email account if you haven’t recently done so, as well as any accounts that use the same password.
If your phone number has been compromised, you should be especially careful when reading unsolicited text messages. If you are receiving lots of spam, you may want to consider changing phone numbers.
Stop the Spam!
Biola is not able to stop attackers or scammers from sending unsolicited messages to your personal phone number. However, your phone service provider may be able to help.
If you are an AT&T, T-Mobile, Verizon, Sprint, or Bell subscriber, you can report text spam to your carrier by forwarding the text free of charge to 7726 (“SPAM”).
Additionally, the FCC is currently considering increased regulations that will hold telecommunications companies responsible for filtering spam calls and texts. Appeal to your elected officials that this issue is important to you!
California Attorney General’s Office, General Comment, Question or Complaint Form
File a complaint with the Federal Communications Commission
Thank you for your work to keep your phone, and Biola, secure.