Social media managers beware: smishing scams

Dec 7

Recently, a headline from the Orlando NBC affiliate caught my eye: “Smishing: Cybersecurity expert warns of scams through text messages.”

If smishing is a new vocabulary word for you, it’s a mashup of the words “SMS” (aka text messages) and “phishing.” The article quoted cybersecurity expert Kevin Campbell, who warned about an increase in smishing attacks – fraudulent scams in which criminals send people text messages posing as popular companies like Amazon. The text messages generally include a link that unsuspecting people click. In many cases this link takes people to a seemingly legitimate website and asks them to enter their login credentials – which gives those login credentials right to the crooks. Think of it as phishing via text.

OK so first a December PSA not related to anything involving social media: everyone is doing everything online – particularly shopping – this year thanks to COVID. Please be extra wary of any request for any of your login credentials to anything. Your best bet is to go directly to the website in question and log in there to verify the request or contact the company.

Now back to social media. What does smishing have to do with social media?

Social media security experts including me recommend wholeheartedly that people enable two-factor authentication (2FA) for their social media accounts. We especially recommend this for people managing accounts on behalf of their companies. Generally speaking, enabling 2FA means that someone trying to log into your account needs something more than just the password. Often, the second piece of required information is a randomly generated code that is sent to you via text message. Someone needs both the password and the code to log in successfully, and the code expires after a certain amount of time.

In general, this is a good thing. More security is always a good thing. But that headline did cause me to pause. Social media professionals are now trained to expect some sort of communication via text message to log into accounts. And enabling 2FA means that we have all given our cell phone numbers to the social media platforms if they didn’t have them already. So it is not suspect to receive text messages regarding a social media account. And, if you are managing social at the enterprise level, you may have your cell phone attached to dozens of social media accounts. When I think back to my days at Cargill where we had hundreds of accounts, it was not uncommon for me to receive multiple text messages related to our accounts each day. Over the course of a busy work day with its crisis du jour, it’s easy to distractedly click on something that maybe you should not.

To be clear: I have not yet heard of a smishing effort resulting in a crisis for a big brand corporate social media account. But I also predict it’s only a matter of time. Those crooks are really sophisticated and clever.

So a word to the wise, especially for my poor overworked social media managers out there. Be extra suspicious of text messages – especially those that ask you to click a link and those you did not request. Vigilance is key all the time, but especially in December.