Threat actors are targeting T-Mobile customers in an ongoing smishing campaign with malicious links using unblockable texts sent via SMS (Short Message Service) group messages. The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) issued a warning after multiple users have filed reports of being targeted by this new SMS phishing campaign.
"The messages vary but typically thank the recipient for paying their bill and offer a gift. The messages include a link to accept the gift," according to the NJCCIC, which operates within the state's Office of Homeland Security and Preparedness and deals with these types of incidents. “These links may lead to malicious websites intending to steal account credentials or personal information, or install malware."
Earlier this year in In March, an identical series of smishing attacks also targeted Verizon Wireless and Spectrum users, mimicking the carriers in text messages spoofed to appear like they were sent from the target's phone number.
The Federal Trade Commission also issued a warning to T-Mobile users to watch out for fraudsters sending them texts from their numbers.
"They’ve changed (spoofed) the caller ID to look like they’re messaging you from your number, but the shock of getting a text from yourself is bound to get your attention — which is what they’re after," the FTC said.
Cybercriminals using information from previous data breaches
The NJCCIC believes that the smishing campaign was likely made possible due to previous data breaches affecting the mobile carrier and millions of its users.
Since 2018, when info belonging to 3% of T-Mobile customers was stolen by hackers, T-Mobile has disclosed five other data breaches.
In 2020, T-Mobile employees' email accounts were compromised, and phone numbers and call records were accessed by unauthorized third parties.
NJCCIC meanwhile is advising T-Mobile users targeted by smishing campaigns to contact directly to official websites and avoid clicking links delivered in SMS text messages from anonymous contacts and refrain from providing critical details to unauthorized websites.
Additionally, the firm recommended users to mute the text thread to stop getting alerts if anyone replies. They can delete the message thread, too, although that won't stop new texts from arriving.