3 Ways to Deal with SMS Phishing

Elizabeth Huebner

As marketers, we have become very familiar with the term phishing: a fraudulent attempt to steal personal information. These attacks primarily occur via email, appearing to come from a well-known organization and asking for personal information such as a credit card number, social security number, account number or password. However, as we expand our marketing communications in the digital space, we need to be cognizant of the potential for phishing to expand into SMS communications, and proactive in educating our customers about it.

With SMS currently serving as one of the most popular non-voice communications, the majority of its users perceive their mobile devices to be innately safe. However, “SMiShing” attacks (phishing via SMS) have rapidly increased over the past few months, with large retailers such as Best Buy, Target and Walmart being used as primary hooks. Within the past two weeks alone, I have received two different SMS messages stating something like:

Your entry last month has WON! Go to the following URL and enter your winning code: 1122 to claim your FREE $1,000 Best Buy gift card!

This SMS is an example of a recent SMiShing message I received. A legitimate SMS from a brand, whether for a contest or any other communication, should always come from a registered 5-6 digit short code from which you have previously opted in to receive messages.

Luckily, I knew something was suspicious given I had not entered any sweeps recently. But what about “new to mobile” customers, or those who entered a sweepstakes in which your organization coincidentally may be awarding a $1,000 gift card? There are a few steps we can take to treat SMS spam as we’ve learnt to treat potential email spam:

Address Personal Information Concerns

Stress to customers that your organization and its partners value and protect personal information by implementing appropriate security and safety measures. SMiShers do not build lists by tapping into the brand’s mobile number opt-in database; their targeting is typically completely random. They will acquire lists of phone numbers from anywhere they can or generate them randomly via computer. Only when someone clicks or responds will they know if they have a viable mobile number from their master list.

Be Transparent

If you’re running a sweepstakes, the official rules always include information regarding how the prizes will be awarded. In addition, show customers examples of the messages they will be receiving from you, or place greater emphasis on that information by highlighting it in the creative or in other places besides the rules, which people seldom read.

Provide Educational Response
Actively promote the message that customers should never click on links in, or respond to, text messages unless they come from your short code. If customers do reach out to express concern, they often do so via email or social media channels. Have educational communications prepared to quickly respond to their concerns, such as:

Your personal information is secure with our organization through the appropriate security measures. We notify all winners via the following channel. Unfortunately, the message you received was not from our organization and is a “SMiShing” attack. We advise that you do not click on the link or respond to the message and instead call your service provider to request that the number (often not a short code) be blocked from delivering messages in the future. In addition, submit a report to the Better Business Bureau.

By following the steps above to be proactive, you can ensure advancement within the digital space will be more successful and encourage customers to continue to participate in your mobile programs.
