Let’s Not Get Smished

You receive a text message that says, "Congratulations! You've won a prize. Click here to claim it!" You click the link and enter your personal information to receive your prize and congratulations - you’ve just become the next victim of smishing.

You may be familiar with phishing - emails that look legitimate, but are malicious attempts to get your personal information. But email isn't the only way hackers try to get your information. They can also use text messages to entice victims to click on links in scams known as “smishing.”

“OK, what is Smishing?”

Is this even a word? Yes! The word “smishing” has become a legitimate term that combines the words “Short Message Service (SMS)” and “Phishing”. The Oxford English Dictionary defines it as “the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.”

Scammers send out a text message which may contain a malicious link to your phone impersonating a trusted organization. If you click the link and provide your personal data, they will use it to commit fraud, hack into your other accounts, or sell it on the darkweb for profit. Smishing is on the rise - meaning scammers continue to be successful in tricking their victims into clicking the link and providing their data.

“So what do smishing scams look like?”

Scammers can use various phone number formats to mimic texts sent from a trusted person or organization to trick their targets. For example, scam text messages can come from a phone number of only a few digits, like the ones used by corporations to send promotions and advertisements, to a typical 10 digits or more.  Smishing scams can also come from an unknown or toll-free number, and in the latest scam trend reported by Verizon customers, your own phone number.

“How does smishing work?”

Similar to phishing scams, smishing is successful because it makes every attempt to appear legitimate while also adding a sense of urgency to the message to get victims to provide information. Scammers lead you to take action by responding directly to the text, calling their provided number, or clicking the link within the text message. The link can lead to a fraudulent website asking you to enter your login credentials or disclose sensitive information, or can install malware on your phone. Some common themes of smishing scams include, but are not limited to:

●      Financial services such as your bank ask you to provide your bank account information. Remember that the bank will never ask such details over a text message.

●      IRS or Social Security threatens to file a lawsuit against you and to call the provided fraud number urgently. Don’t forget that the IRS won’t ask for things electronically. They use paper mail.

●      Online Delivery Services such as Amazon, FedEx, and USPS provide a link to track your package or offer freebies when you do a survey. If you’re expecting a package, navigate directly to your order through your account or email, rather than clicking on text links.

●      Health organizations or government agencies claim you’ve been exposed to COVID-19 and provide a malicious link to order a test kit or book a free test. Make sure to check out covid-related scams for more details and awareness. 

“So, how can I avoid being smished?”

Do not respond

Avoid responding to a message sent from a suspicious phone number.
Even if it asks you to text “Stop” to opt-out, don’t do it since it may potentially alert the scammers that your number is active and working!

Do not click any suspicious links or attachments

Smishing texts usually include links that might trick you into downloading malicious software or navigating to a fake website that convinces you to enter your personal information.

Contact the associated Institution directly

If you ever doubt whether a message is legitimate, just call the institution using their customer service number to  get in touch with them directly.

Report all smishing attempts

You can report these fraud attempts to the authorities such as Federal Trade Commission (FTC) or Federal Communications Commission (FCC). You can also forward the scam text to 7726 (SPAM).

Interested in hearing more about what’s going on in the cybersecurity world? Make sure to read our other Approachable Cyber Threats (ACT) posts and subscribe to our ACT Digest to receive updates on the latest cybersecurity threats – straight to your inbox!

Follow us - stay ahead.

Read more of the ACT