Gone smishing: Scams move to the workplace

Ignore the gift card request from your boss (and ours).

Francesco Carta fotografo / Getty Images

By Sherry Qin | Morning Brew

Two days after Jack Appleby joined Morning Brew as a creator, he received the following text: “Hello Jack, I’m in a conference right now, can’t talk on the phone but let me know if you got my text. Thanks.” It was signed “Austin Rief” and, in case you didn’t know, he’s the CEO of Morning Brew.

Appleby wasn’t the only Morning Brew employee to get the text—dozens more reported receiving similar ones. If someone responded to the text, the sender would usually ask for gift cards, promising to pay them back later. The texts weren’t actually from Rief. Morning Brew, like so many workplaces across the country, had been a victim of a smishing scam. (Rief eventually sent a companywide Slack message letting everyone officially know that he wasn’t sketchily asking his employees for gift cards or cash.)

A combination of SMS and phishing, smishing uses compelling text messages to trick recipients into sending money or personal information.

It’s not just Morning Brew: The numbers of targeted companies and people are staggering. A report from Proofpoint showed that smishing attacks more than doubled in the US in 2021. Data from the Federal Trade Commission (FTC) shows that 378,119 fraud reports were filed in 2021 involving text messages. Of those thousands of reports, consumers lost a total of $131 million to smishing texts with a median loss of $900. (Many scams go unreported to the FTC.)

“Once you hand over the gift card number and PIN, the money is gone,” Ari Lazarus, a consumer education specialist with the FTC, wrote in a consumer alert last year. Luckily, Morning Brew employees didn’t lose any cash.

These fraud schemes come in different varieties. Some claim to be the IRS while others might ask for Netflix payment info. Covid-19 scams, in which fraudsters offer bogus treatments or tests in exchange for personal information, were another common trick in 2021. But like all scams, smishing had to evolve. Now smishers are pretending to be people you know and trust, like your boss. With more employees using their personal phones for work purposes, many smishing attacks to your personal line have a workplace component.

Data breaches of users’ personal information, from your name and job information to phone number, have been a long-running concern. In 2020, a cybersecurity company found that hackers had sold over 186 million voters’ identifying information. In April 2021, over 500 million Facebook users’ phone numbers were leaked on a hacker forum for free.

The best way to avoid falling for such smishing scams is to pause before clicking on any links or responding to an unusual text. “Verify who is sending you that information. It’s very easy to do. If you’re getting unsolicited texts, do what I do: Delete them,” Aaron Rouse, an FBI special agent in Las Vegas, said.

In the meantime, if you get a text from your boss (or our boss) asking for a gift card, you should probably ignore it.

—Sherry Qin

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s