Ever received a text from an unknown number that made your hair stand on end? Did it promise unrealistic gains or try to scare you into doing something? Well, you may have found yourself the unwilling recipient of a smishing attempt, aka a text message scam or phishing SMS.
So, what is a smishing text message, and how do you know it when you see it? Stick around as we unpack the ins and outs of text message scams, including key examples and the steps you can take to keep yourself protected.
What is smishing?
Smishing (or text message phishing) is a type of phishing attack using SMS. Scammers will pose as recognizable institutions and try to extract valuable information (banking details, account logins) by asking you to click on malicious links, download malicious programs/software, or reply with sensitive details.
SMS phishing attempts are designed to steal your personal or financial information or both.
Are text message scams on the rise?
Smishing is still on the rise. In April 2022 alone, an estimated 2,649,564,381 scam SMSes were sent out per week.
Proofpoint, a leading software security company, reported a 328% rise in smishing attacks in 2020, and according to EarthWeb, this figure has risen to 700% in 2022.
More than 3.5 billion people around the globe receive spam text messages daily. And the worst part? Less than 35% know if they’re falling prey to an SMS phishing attempt.
Here’s an overview of how SMS phishing works and the tools needed to combat the problem.
How does smishing work?
SMS phishing attacks come in all shapes and sizes, methods, and mashups. Still, they all share the same core characteristics: gaining your trust, getting you to part with sensitive information, and using that information against you.
In any given attempt, scammers only need to follow the blueprint below:
- Create a malicious text, either standalone or infected with a malicious link;
- Get their victim to click on the link or respond with personal information;
- Take that personal information and use it to commit identity or bank fraud.
What are some examples of smishing in action?
Text message scams often prey on your emotions – a common technique in both SMS and email phishing attempts. By evoking a sense of fear, loss, or euphoria, the scammers are hoping you’ll drop your guard and part with valuable information.
Below you’ll find a few examples of popular text message scams in action.
Bank alerts
Money matters will always create stress and urgency, and scammers frequently use this approach to get you to make hasty decisions. Your “bank” will contact you with an urgent matter, e.g., your account has been compromised, suspicious activity has been detected, funds have been stolen, etc. The solution? Click on this link to fix the problem.
Pro Tip: Your bank will never send you a link or ask you to share your information over SMS. They’ll always ask you to log in to your account, phone support, or visit a branch instead.
Winner notifications
Hooray! You just won $500,000 in the Louisiana state lottery. Never mind that you recall no raffle entry and never set foot in the Pelican State.
Winner notification scams will ask you to click a link or send details to a specific email address to claim your prize. And they’re taking quite a toll — Americans have lost over $380M in lottery, sweepstakes, or inheritance scams in the past decade.
Pro Tip: Any legitimate contest will email you or phone you. Heck, they may even roll up to your house with a giant check, but they’ll never send you an SMS asking you to click on a link, open an attachment, or phone a strange number.
Password resets
Scammers may reach out to you, posing as Google, Microsoft, or similar. They’ll tell you that your password or account has been compromised and that you need to reset it.
Pro Tip: All big software companies, suites, or search engines will require you to first log in to your account to change any information and will never send an open link over SMS.
Package delivery updates
Smishing scammers will pose as a legitimate eComm platform (think Amazon). They will alert you that your package is on the way and that you should follow the prompts for delivery status.
Pro Tip: Reputable platforms will always link back to their domain. If the link takes you somewhere else, you’re dealing with a smishing scam. Look out for spelling mistakes or strange URLs and visit the site to confirm the message’s validity.
Confirmation requests
You may receive a fake confirmation request for a parcel, online order, scheduled appointment, outstanding invoice, or similar. You’ll likely be directed to another site or webpage with a bogus information page, prompting you to add your details.
Pro Tip: Never click on anything that may divert you to another page. Instead, phone the service provider to verify the information or log in to your account online.
A few more examples of smishing in action
Here are a few more phishing SMS scams and scenarios to watch out for:
- The exiled prince, king, diplomat, or politician who urgently needs to send you money;
- The distant uncle’s inheritance that’s waiting for you;
- The tax authority claiming you’re eligible for a large refund;
- The IRS agent threatening to arrest you;
- The businessman with an opportunity of a lifetime.
You get the picture. While the messages take on many scenarios, they all have one key aim. “Click here, go here, and send this so we can steal your information or money.”
How are you targeted for an SMS scam?
It’s all a numbers game. Scammers will send SMSes to various numbers (per region and phone number code) and may even follow up with a potential spam call. They’ll then weed out the best targets by seeing who responds and clicks through to embedded links or files.
Most of the time, spam texts aren’t coming from another phone number. Cybercriminals will instead send them out from an email or instant automated messenger software to avoid detection and to hit as many targets as possible in the process.
What happens if you open a smishing text?
Nothing will happen if you simply open one or more fake text messages and read them. However, these texts may be one of the first steps of a SIM swap attack in action.
Make sure you don’t click on anything. Especially, don’t touch or open links that lead to shady websites.
Moreover, never open pictures or attachments!
Can you get hacked by responding to a text message?
If you don’t open any links or files, or provide personal information, then no. Simply answering a text will not get you hacked. However, it’s best to avoid them altogether. As the saying goes, curiosity killed the cat. Don’t be that cat.
What are the smishing strategies you need to know?
The strategies and precautions below will stop smishing attempts before they ever happen.
Never respond
Spam messages are infuriating. And while it’s tempting to give would-be tricksters a piece of your mind, it’s always better to stay silent. Replying to a fraudulent message will (a) let scammers know “you’re home” and (b) potentially trigger malware. So, never respond.
Always verify messages from “legitimate” businesses
For a scammer, getting hold of your credit card/banking details is the holy grail of smishing. And the best way to do this is to pose as a legitimate banking institution and/or business that you regularly interact with (insurance brokers, eComm platforms, etc.).
The bottom line is that if your bank contacts you and asks you to verify your account details or change your PIN over SMS, you’re running up against a smishing attempt.
Avoid giving out personal information at all costs, don’t engage, and contact your service providers when you’re unsure.
Never click on links or files in messages
If you get a message (from an unknown source) with a link and/or file attached, you can almost guarantee it’s infected. So, under no circumstances should you open it. These links and files can send you to weird sites, bring malware, steal data, etc.
Treat new phone numbers with caution
Messages from abnormally long or extremely short phone numbers should be trashed immediately. Inspect every incoming SMS and make sure it stays within the ten-digit standard.
Keep your personal information private
This may seem obvious, but smishing scammers are masters of building trust. So, treat every SMS as a potential attack and never give out any personal information. Also, never store your banking details anywhere on your smartphone.
Use two-factor authentication
Always ensure that your mobile device has two-factor authentication (2FA). If your username or password is ever compromised, the added security layer (fingerprints or facial recognition system) will stop identity theft attempts in their tracks.
Get the right antivirus software
Last but arguably most importantly, use industry-leading antivirus software to protect yourself and your device from malware and text message attacks.
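The link, sender, and request checks described above can be written as a small triage function. This is an added example, not code from the original article; the brand-to-domain map, the flag names, and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed brand -> official domain map; extend it for the services you use.
BRAND_DOMAINS = {"amazon": "amazon.com", "google": "google.com"}
URL_RE = re.compile(r"https?://\S+", re.I)
ASK_RE = re.compile(r"\b(reply|send|confirm|verify)\b.*\b(pin|password|"
                    r"account details|card number)\b", re.I | re.S)


def on_domain(host, domain):
    """True only when host is the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def triage(sender, body):
    """Return the warning signs found in one SMS, as a list of strings."""
    flags = []
    digits = re.sub(r"\D", "", sender)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # assumption: drop a US country code
    if "@" in sender:
        flags.append("sender-is-email")
    elif len(digits) != 10:
        flags.append("sender-not-ten-digits")
    # Parse the real hostname; a brand name elsewhere in the URL proves nothing.
    hosts = [urlsplit(u.rstrip(".,;:!?)")).hostname or ""
             for u in URL_RE.findall(body)]
    for brand, domain in BRAND_DOMAINS.items():
        if brand in body.lower():
            flags += [f"link-off-brand:{h}" for h in hosts
                      if not on_domain(h, domain)]
    if ASK_RE.search(body):
        flags.append("asks-for-secret")
    return flags


# Constructed sample messages (not real traffic); *.example hosts are placeholders.
SAMPLES = [
    ("5550100123", "Amazon: your package is on the way. Track it at "
                   "https://amazon.com.parcel-status.example/track"),
    ("+1 555-010-0199", "Amazon: your order shipped. https://www.amazon.com/orders"),
    ("alerts@mail.example", "Bank alert: reply with your PIN to verify."),
    ("5550100177", "Google: unusual sign-in, reset your password at "
                   "https://google.com@reset.example/pw"),
]

if __name__ == "__main__":
    print([triage(s, b) for s, b in SAMPLES])
```

The first and last samples show why the check compares the parsed hostname rather than searching the link for the brand name: both links contain a legitimate-looking domain string but resolve to a different host.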
Final thoughts? Spot SMS scams before they spot you
The fact of the matter? Smishing will not be going away anytime soon. But knowing your enemy is half the battle won. Use the above preventive measures to the fullest, protect your identity at all costs, and never tell your friends you won $500,000 in the Louisiana state lottery.
FAQ
How do I prevent smishing?
Never respond to suspicious SMSes or send through personal information. Avoid clicking on suspicious SMS links, and always verify company requests directly. Remember to report spam text messages to the Federal Communications Commission or local authorities.
What is smishing used for?
Text message scams aim to steal your personal or financial information, including passwords and credit card details. Potential victims are sent SMSes that persuade them to divulge sensitive information by clicking suspicious links, downloading files, or replying over text.
Why do scammers use smishing?
Text message phishing is done to steal a victim’s data, bank account details, or both. More scammers are moving to SMS phishing because people tend to trust text messages more than emails, making it easier to steal information.
What is the main difference between phishing and smishing?
Both are cyber crimes where fraudulent messages are sent to extract confidential information. Phishing uses email, and smishing (or text message fraud) uses SMS as a delivery channel.