If you’ve ever received a suspicious text from an unknown number pretending to be someone you know, or some company you do business with (say, your bank or phone company), you might have witnessed the beginnings of a smishing scam. Smishing is a type of phishing where scammers send fraudulent text messages to unsuspecting users in order to scam them into providing personal or financial information.
Smishing scams go to great lengths to deceive users into clicking on malicious links or providing sensitive information, such as passwords or credit card details. The goal of smishing scams is usually to get the recipient to download malicious software, take part in a fraudulent transaction, or provide their personal data.
What Is Smishing?
The word “smishing” is a combination of two words: “phishing” and “SMS.” In other words, it refers to phishing scams by SMS (or text). Smishing is categorized as a form of social engineering scam: it depends on deceit and exploiting people’s trust, as opposed to technical exploitation.
In other words, smishing is a scam where attackers deceptively pose as someone the recipient believes they can trust. This way, the recipient willingly hands over their personal information to the scammer.
Scammers usually obtain user data in one of two ways:
- Downloading malware — In this case the scammer will send a URL link that tricks you into downloading malware (malicious software), such as an app. In the process, users generally have to then create an account on the app, where they input all of their personal information.
- Visiting a malicious website — Smishing text messages often include a link to a website, which is typically a fake website that mimics a trustworthy site (e.g., your bank or credit card provider). After clicking the link from the text message, it then asks users to input sensitive information in order to verify their identity.
One of the most common types of smishing scams is scammers pretending to be your bank and asking for sensitive information, such as your Social Security, account or PIN number. Giving away your information essentially gives cybercriminals access to your bank balance. And depending on the information that they steal, they may also be able to use this to apply for loans or credit in your name.
How Does Smishing Work?
Cybercriminals use various methods that mimic legitimate text messages from banks and other financial institutions. For example, they might send a message saying that your bank account has been compromised and that, to regain control of it, you need to click a link to reset your password. Once the user clicks on the link, they may be directed to a malicious website that can infect their device with malware designed to steal data or take control of it.
How Smishing Uses Social Engineering
Smishing relies on the principles of social engineering, where cybercriminals trick a victim into giving them their personal information. It’s a highly manipulative tactic that depends on three key factors: context, emotion, and trust.
Here are the three factors of social engineering:
- Context — A smishing text must appear to be legitimate in order to be effective, so there has to be a degree of context or relevancy. For example, it wouldn’t make sense if a bank you don’t use sent you a text saying your account had an issue. But it might make sense if the bank you do use sent an SMS alert about your account.
- Emotion — Smishing scams play on fears and emotions to drive action. Typically the smishing texts will have a sense of urgency or create a sense of fear. For example, it might say that your account has been compromised or funds are missing. With a victim’s emotions heightened, their critical thinking skills diminish and they’re more likely to take the smishing bait.
- Trust — Because smishing scammers pose as legit individuals, businesses and organizations, and often build out web pages that mimic the real organization’s website, people trust that their text is real and so they fall for the scam.
Ultimately, cybercriminals are looking to trick you into handing over your personal information. The main way in which they do this is by sending a text that includes a URL link. Upon clicking said URL, the victim is then prompted to provide their personal information or account details.
Common Types of Smishing Scams
Here are the most common types of smishing scams to be aware of:
- Fake deliveries — One of the most common types of smishing scams is the fake delivery scam. This is where you receive a text that says it’s from a shipping company like FedEx or UPS saying that they made a delivery attempt, but it failed. It then shares a link for the recipient to reschedule their delivery. From there, they are asked to provide a bunch of personal information in order to reschedule the fake delivery.
- Urgent warnings — Another common type of smishing scam is where cyber criminals send a seemingly urgent message warning the recipient that one of their accounts is in jeopardy, has been compromised, or that something will be canceled if the recipient doesn’t reply.
- Fake surveys — It’s the classic survey scam, but via text. It happens when people are encouraged to complete a survey in exchange for a prize. Note that these days fake survey scams are often masquerading as political surveys.
- Tax scams — There are a couple of common ways in which tax scams happen. One is that people are sent a smishing text saying that the recipient owes the government money (even after filing their tax return). The other happens when the cybercriminal sends a text saying that the recipient is actually entitled to a larger refund.
- Gift card scams — In this case, scammers send texts saying that the recipient is the lucky winner of a gift card or prize. Naturally, the recipient must click the provided URL link and provide their personal information to claim their “prize.”
- Malware-embedded texts — Last, but surely not least are the smishing texts that contain a URL link to a website that installs malicious software onto the recipient’s phone.
Smishing Example
Smishing texts can span a range of different scams, from delivery scams to tax and survey scams. However, while there are a number of different smishing scams, they all follow the same format more or less. To start, it will come from an unknown phone number (oftentimes a 4-digit number). It will claim to be from someone or some organization you likely know, such as your credit card provider, FedEx, the government, etc… However, their number won’t be the same as any of these.
In the text, it will either offer you something or say that if you don’t take action something bad will happen. For example, your package won’t get delivered, you’ll lose your appointment, you’ll miss a payment, etc… And of course, it will contain a URL link that it wants you to click on.
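The format described above (an unfamiliar sender, a claimed organization, an offer or threat, and a link) can be checked mechanically. The following Python sketch is an added example, not part of the original article; the brand table, sender IDs, keyword lists and sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed, constructed reference data: brands the user deals with, the sender
# IDs they really text from, and their real web domains (all hypothetical).
KNOWN_BRANDS = {
    "fedex": {"senders": {"48773"}, "domains": {"fedex.com"}},
    "examplebank": {"senders": {"70100"}, "domains": {"examplebank.example"}},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
PRESSURE_RE = re.compile(
    r"\b(urgent|immediately|compromised|suspended|locked|failed|final notice|"
    r"winner|won|prize|gift card|refund)\b", re.I)
SECRETS_RE = re.compile(r"\b(password|pin|social security|ssn|card number)\b", re.I)

def host_matches(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def smishing_indicators(sender, body):
    """Return the list of indicators from the article that a message trips."""
    hits = []
    digits = re.sub(r"\D", "", sender)
    if len(digits) == 4:
        hits.append("four-digit sender")
    urls = URL_RE.findall(body)
    if urls:
        hits.append("contains link")
    if PRESSURE_RE.search(body):
        hits.append("offer or threat")
    if SECRETS_RE.search(body):
        hits.append("asks for sensitive data")
    for brand, ref in KNOWN_BRANDS.items():
        if brand not in body.lower():
            continue
        if digits not in ref["senders"]:
            hits.append(f"claims {brand} from unrecognized sender")
        for url in urls:
            host = (urlparse(url).hostname or "").lower()
            if not host_matches(host, ref["domains"]):
                hits.append(f"link host {host} is not a {brand} domain")
    return hits

# Constructed sample messages (not real scam texts).
SAMPLES = [
    ("4821", "FedEx: delivery attempt failed. Reschedule: http://fedex-redelivery.example/r"),
    ("48773", "FedEx: your package arrives today. Track at https://www.fedex.com/track"),
]
if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, smishing_indicators(sender, body))
```

The second sample trips only the link indicator, which shows why no single sign is decisive: it is the combination of sender, claimed identity, pressure and link destination that marks a message as suspicious.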
For example, here’s a recent smishing scam I received on my phone:
How to Protect Yourself Against Smishing Attacks in 9 Ways
There are a number of easy ways to help protect yourself from smishing attacks. Awareness is your number one protection against smishing. By being aware of what smishing is, how it works, and what it looks like, you can avoid becoming a victim. You can also change your phone’s settings to further filter and block incoming texts from unknown and suspicious numbers, and so much more.
Here are nine ways to help protect against smishing attacks:
1. Learn how to spot a smishing scam
The best way to avoid becoming a victim is to learn how to recognize a smishing scam. After all, you won’t fall victim if you know it’s a scam from the start. For example, strange phone numbers such as 4-digit numbers are often a sign of a scammer as they’re usually email-to-text services, which make it easy for scammers to send out a mass volume of texts at once.
2. Update your phone’s settings to block texts from unknown senders
Most mobile phones offer features that can help filter or block texts from suspicious or unknown senders. By activating these features, you can help prevent smishing texts. While this method isn’t foolproof, it can greatly reduce the number of smishing texts you receive, which decreases your likelihood of falling victim to them.
Here’s how to filter smishing text by operating system:
How to block smishing texts on an iPhone:
- Go to your phone’s Settings
- Scroll down and select ‘Messages’
- Find the ‘Filter Unknown Senders’ option and use the toggle to turn it on
How to block smishing texts on an Android:
- Go to your Messaging app
- In the upper right-hand corner of the screen, click the three dots icon
- Choose ‘Settings’
- Select ‘Spam Protection’
- Swipe right to turn on the ‘Enable Spam Protection’ feature
If you’re struggling to find these settings on an Android, your phone may not have the option as not all Androids have the Spam Protection option. If this is the case, there are spam filtering apps for Androids that can help. Additionally, many wireless carriers offer extra protections and filters.
Major carriers that offer additional spam protection services:
- Verizon Call Filter
- AT&T Call Protect
- T-Mobile Scam ID, Scam Block, Name ID
- U.S. Cellular Call Guardian
Contact your wireless carrier for more information on available services and how to further protect your phone from smishing attacks.
3. Do not respond to unsolicited texts
Never engage with a potential cybercriminal. Attackers may use prompts such as asking you to text “STOP” to unsubscribe as a way to determine which phone numbers are active. Even though this doesn’t give them any personal information, it does give them the green light that your number is active–which will keep it on the list of numbers to target.
4. Never click links in texts
Do not click on URL links shared via text–even from friends and contacts. The reason is that an individual’s phone may get hacked and send out fake messages containing malware or malicious software.
5. Do not store credit card information on your phone
If you want to prevent your banking info from being stolen from your phone, simply don’t put your banking info on your phone. In other words, don’t use a digital wallet: it increases your vulnerability by making it easier for cybercriminals to access your accounts. Because of this, having a digital wallet may also make you more of a target to cyber criminals.
6. Protect your passwords with multi-factor authentication (MFA)
In the case that an attacker gets your password (e.g., in a password breach), your accounts would still be protected if you use multi-factor authentication (MFA). This is because with MFA an attacker would need a second verification “key,” such as two-factor authentication (2FA), which they won’t generally have by virtue of having access to your password.
7. Never send passwords, PINs or account recovery codes via text
Do not share your passwords or two-factor authentication recovery codes via text message with anyone. Even if you trust the recipient, by sending this sensitive (and highly coveted) info by text, you’re increasing your odds of compromising this info.
8. Install an anti-malware app
For added protection, use an anti-malware app. For example, apps like the free Kaspersky Internet Security app help protect against malicious apps, including smishing scams.
9. Report any smishing scams to the FTC
Smishing scams are bound to land in your inbox, and when they do, report them to the FTC Report Fraud line. This helps these cybercriminals get caught and, in return, helps to put a stop to smishing scams.
What to Do If You Become a Victim of Smishing
If you’ve fallen victim to a smishing attack, you’re not alone. In fact, millions fall for smishing scams every year. The good news is that there are a number of things you can do to help prevent the cybercriminal from stealing more of your information–or money.
To start, contact the bank or organization that the scammer posed as when stealing your information and report the scam. Change all of your passwords and PINs to help prevent the cybercriminal from accessing your accounts, and freeze your credit to prevent the cybercriminal from applying for new lines of credit in your name.
Here’s what to do if you have been a victim of smishing:
- Contact your bank or financial institution where your personal information was stolen to report the smishing scam. This can help the institution protect your account, as well as take action and let their customers know that there is a smishing scam posing as the institution.
- Change all of your passwords and PINs and monitor all of your accounts closely.
- Freeze or lock your credit with the three major credit bureaus in order to prevent identity theft or fraud. For more information and to learn how to freeze your credit, check out our article on what is a credit freeze.
- Contact any other organizations where your information may have been compromised and take appropriate action.
- Report smishing scams to the FTC Report Fraud hotline to further help put a stop to these types of attacks in the future.
It’s also worth monitoring your accounts and credit reports following a smishing attack to help identify any issues quickly, should they arise.
Bottom Line
It might sound like an easy scam to avoid; however, scammers are becoming increasingly savvy and it can be very difficult to distinguish between a legitimate text and a smishing scam. Unless you are absolutely sure that the text is from who you think it is, do not click URLs in texts. In the instance where you receive a text from a bank or one of your providers and you’re concerned it might be legit, skip the text and call the organization directly to check on your account.
Frequently Asked Questions (FAQs)
What is smishing vs phishing?
One of the most prevalent types of fraud is phishing, which is where a cyber criminal pretends to be someone you know in order to get you to hand over your information willingly to them. Meanwhile, smishing is a type of phishing scam, but by SMS text.
How do I stop smishing texts?
The best way to stop smishing texts is by changing the settings on your phone to block texts from suspicious and unknown numbers. To do this on an iPhone, simply go to settings, click on Messages, and use the toggle to activate the option to “Filter Unknown Senders.” On an Android, go to your messaging app, and click on the three dots icon in the upper right-hand corner of the screen. From there, select settings and find spam protection and turn on the ‘Enable Spam Protection’ feature. Additionally, you can also stop smishing texts by using an antivirus app.
Why am I suddenly getting so many spam texts?
Chances are, your phone number landed on a list of active phone numbers. This may have initially been obtained online (e.g., if your phone number is published on a website, shared on social media, or even if you used this phone number to register for a domain name). Then, if you respond to a smishing text, your number becomes flagged as an active number. There are also instances where cyber criminals target certain people, such as those who use a digital wallet, as it offers easier access to money, or those who work for an employer that handles a high volume of sensitive information, such as a major bank, hospital or insurance company.