How to handle calls or texts from an unknown number
At the University of Utah, contact tracing plays a key role in helping to slow the spread of COVID-19 — as do the actions of every student, faculty member, and staff member. While this effort is a vital part of our community’s coronavirus response, criminals can also take advantage of the contact tracing process to gain access to personal information.
To help protect you and your privacy, the Information Security Office (ISO) wants to remind you how to handle calls and text messages from unknown numbers, seemingly legitimate numbers that aren’t part of your contact list or numbers that have been spoofed (faked) — all of which could be “smishing” (phishing via text messages) or “vishing” (phishing via phone calls) attacks.
What is phishing, smishing & vishing?
Phishing is a scam designed to steal your information or passwords, compromise your devices or trick you out of money — typically via deceptive emails, text messages, posts on social networking sites, pop-up windows in your browser, or phone calls.
Phishers may ask for your name, account information, date of birth, Social Security number, address, or other personal information.
Smishing and vishing follow a similar pattern, attempting to use fear or urgency to trick you into giving important information away. Just like email, spoofing (or faking) a phone number is incredibly easy — so even if the number appears legitimate, it may not be.
FCC consumer resources: COVID-19 scams, including text message campaigns and robocalls, prey on virus-related fears. Learn how to avoid them.
To help you differentiate between scams and legitimate contract tracing efforts, we spoke with Page Checketts, manager of the U’s contact tracing team.
Checketts said her team members follow a very specific outreach protocol. In the event you may have been exposed to someone who has tested positive for COVID-19, they will call you and send an email to your university email address (e.g., uNID@utah.edu). They may also attempt to contact you via text message (SMS). Given concerns about answering calls from unknown or unrecognized numbers, the contact tracing team will always provide details about how to contact them.
Checketts also noted that one of the biggest issues that her team runs into is voice mailboxes that are full. Emptying your voicemail inbox and responding to her team’s messages are two simple ways you can help the university’s contact tracing effort.
If you believe you have been contacted by a university contact tracer and would like to confirm their identity, you can email the contact tracing team at email@example.com.
The Federal Communication Commission (FCC) also offers these tips to avoid smishing/vishing:
- Only answer calls from known numbers. If you answer a call from an unknown number, hang up immediately.
- If you answer the phone and the caller or recording asks you to select a button or number to stop receiving the calls, you should just hang up. Scammers often use this trick to identify potential targets.
- Do not respond to any questions, especially those that can be answered “yes” or “no.” By responding “yes,” you’re informing robocallers that your phone number is active. They then might sell your number to other telemarketers, leading to more unwanted calls. Criminals also may record your answers and use the recordings to impersonate you, such as authorizing charges to your credit card or account.
- Never give out personal information, such as account numbers, Social Security numbers, maiden names, passwords, or other identifying information in response to unexpected calls/texts or if you are suspicious of the caller/sender.
- If you get an inquiry from someone who says they represent a company or government agency, hang up and call the organization using the phone number from your account statement, the phone book, or its website to verify the authenticity of the request. You will usually receive a statement in the U.S. mail or email before a phone call from a legitimate source, particularly if the caller asks for a payment.
- Use caution if you are being pressured to divulge personal information.
- If you have a voicemail account, be sure to set a password for it. Some voicemail services are preset to allow access if you call from your own phone number. A malicious actor could spoof your phone number and gain access to your voicemail if you do not set a password.
Remember, the University of Utah and University of Utah Health will never ask you for your username or password. If you receive a call or text message requesting this information, do not respond and report it to firstname.lastname@example.org.
For additional tips to help keep you and your personal information safe, please visit security.it.utah.edu/training.
Our monthly newsletter includes news from UIT and other campus/ University of Utah Health IT organizations, features about UIT employees, IT governance news, and various announcements and updates.