There has been a recent spike in SMiShing (SMS) Scams and targeted phishing attacks at universities across the country, including UWM. There has been an especially large increase in text message scams, so please review the information below to learn more about what they are and how to avoid them.
SMiShing (SMS) Scams
With SMiShing, a scammer sends you a text message (SMS). That message appears to come from someone within the University, or from someone you know, and it asks you to perform a task or to provide information. SMiShing is similar to email phishing but is done over mobile text-messaging. Here are some tips related to SMiShing Scams:
- Who’s it from? If you receive a text message claiming to be from the Provost, Chancellor, or another member of the Chancellor’s Cabinet asking you to do something that is unexpected or that seems out of character, be sure to verify that the message is legitimate before taking any action. The best way to verify the legitimacy of a given message is to directly call the sender. You may use the UWM directory to find phone numbers for people you do not know.
- Extreme urgency: Be cautious of any text message that urges you to reply quickly or to take action, even if the message appears to be coming from your supervisor or from other high-level UWM personnel. Urgency in text or email messages is a common tactic in both SMiShing and Phishing.
- Links you’re unsure of: Avoid clicking links sent to you from numbers you do not recognize.
- In response to an SMS message, never share over SMS your personal information (for example, login, personal identifying, financial details). UWM will never ask for sensitive information over a text message.
- COVID-19/recent events: Be cautious of any text message that references COVID-19 and asks you to follow a link. Scammers like to use current events to lend apparent legitimacy to their scams.
- What time was the text sent? Check when the text message was sent. If you received it at an unusual time, it is likely not legitimate.
- What to do? If you are concerned about a message you’ve received please reach out to the Office of Information Security. Staff members should remain vigilant and report any suspicious activity to infosec@uwm.edu.
Targeted Phishing Attacks
Phishing refers to when a scammer sends an email message in an attempt to trick you into revealing personal information that can be used to commit fraud. There have been cyber attacks that “spoof” our academic leadership at UWM via email. This means that you may receive an email from outside of UWM Gmail account (Example: ePanther.uwm@gmail.com), pretending to be someone from UWM leadership and spoofing their ePantherID (the Chancellor, the Provost, etc.).
In relation to SMiShing, after successfully phishing a UWM employee’s phone number, the attackers begin sending texts to the phished individuals in an effort to enlist them in a “gift card” scam: “I’m leadership, please buy gift cards and give me the numbers,” etc.
If, in response to a targeted phishing attack, a UWM employee has inadvertently released their phone number:
- a third party now has their name and phone number
- they should be alert to any unexpected messages and potential scams via text message
- they may want to use any features in their phone that allows them to block unknown callers
- oftentimes, the attacker will quickly give up if they do not receive any responses. If attempts continue they may want to contact their telephone service provider.
Any suspicious activity should be reported to the Office of Information Security at infosec@uwm.edu.
Additional Resources:
- How to Recognize and Avoid Phishing Scams
- Protect Yourself from “SMiShing”
- What is SMiShing & How to Defend Against It?
- Phishing Attacks Targeting Students