SMiShing Scam Seeks to Obtain Gift Cards by Impersonating Chancellor

A recent SMiShing scam targeted our institution by impersonating Chancellor Martin and asking recipients for gift cards. You can rest assured that the chancellor (or your supervisor) will not reach out to ask for gift cards. SMiShing is a type of attack that uses the social engineering tactics commonly associated with email phishing via text message. Impersonation is one of the most effective social engineering tactics used by scammers, and it can be particularly powerful when the person being impersonated is in a position of authority. Please watch out for scams like the one below, and practice a healthy degree of skepticism when you see these unusual requests. When in doubt, you can always reach out to the person being impersonated using known contact methods. You should never reach out by replying directly to the message, following any links in it, or using any contact info it contains.

Here are some helpful tips for avoiding a scam like this one:

1. Gift card requests are almost always a scam.
2. Requests to change where wire transfers are sent are almost always a scam.
3. Another common scam involves asking the recipient to wire money because the impersonated party is in a foreign location and lost their wallet.
4. Any time money or resource transfer is a part of a request, you should exercise extreme caution. There are many ways to transfer money and resources these days, so be on the lookout for scammers to attempt them all.
5. If you receive anything resembling what has been described above, it is best to reach out to the person, office, institution, etc. using a KNOWN contact method. Please NEVER reach out by replying directly to the message, following any links in it, or using any contact info it contains.

If you receive a SMiSh, the best action to take depends on the situation. Since they aren’t transmitted using systems that WashU IT manages, you will often need to reach out to your specific provider.

• If it’s clearly a fake, report it to your cellular service. In the US, most carriers ask you to copy and send the message to the number 7726 (SPAM). See https://consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages for more information.
• If you aren’t sure if it’s a fake, call or email the person using the number or email address you have from previous communications to verify the request.
• If you get a very vague and tentative message like “How are you?” or even just your name (or someone else’s) with a question mark, we recommend ignoring it or reporting it to 7726.
• It is risky to respond with a question like “Who is this?”, because the bad guys now know you’re there, and will try to engage you, first from the same number, but then in other ways from other numbers.
• If someone you know is trying to connect to you from a new number, it’s their obligation to properly identify themselves, explain themselves, and not ask you for gift cards.

Further Reading on SMiShing and other Alternative Phishing Techniques

• Scam of the Month: SMiShing and 3 Viruses Detected Scam | Office of Information Security | Washington University in St. Louis
• https://informationsecurity.wustl.edu/infosec-alert-smishing-detected-on-campus/
• https://informationsecurity.wustl.edu/whaling-smishing-and-vishingoh-my/
• Vishing | Office of Information Security | Washington University in St. Louis
• Phishing | Office of Information Security | Washington University in St. Louis