
What Is SMS Phishing (Smishing) and How to Protect Yourself

Katie


16 Sep 2024

More than 30% of fraud reports identify call and text as the initial contact method. Though there are other methods of contact, like email, fraud reports with phone and text as the initial contact method reported a higher median loss per person. On average, people who were victims of a phone or text scam lost $1,000 to $1,480.

We're going to take a more in-depth look at phishing scams that start via SMS or text message, also known as smishing scams.

What Is Smishing?

Before we get into smishing, we need to understand phishing. You have most likely been targeted several times by phishing scams via email, phone calls, or text messages.

Phishing scams aim to gain access to your sensitive personal information by impersonating banks, trusted companies, and other organizations. These types of scams are sent en masse to millions of people. The scammers throw a wide net, hoping to trap as many victims as possible. The messages and calls will often create a sense of emergency, such as your bank account being used to make a suspicious purchase or an important package that can't be delivered without additional information.

When these phishing attempts are sent via SMS text messages, they are referred to as smishing (SMS-phishing).

Here is an example of a smishing attempt:

iPhone screenshot of a smishing attempt

Smishing scams will always be text messages that request information or a payment, and they will include a link to click on and enter your information.

The texts will imply that action is needed in order to prevent account closures or additional fines and fees. This strategy aims to make potential victims panic rather than stop to think about the legitimacy of the text.

How Smishing Attacks Work

As mentioned, smishing attempts are always sent via text. The text message will almost always claim to be from trusted institutions. You may have received texts claiming that they are from Bank of America or Amazon. In the example smishing scam pictured above, the scammer claims to be from Massachusetts Toll Services. In all smishing scams, it is common for the text to claim that it is from a well-known and trustworthy institution.

This tactic helps build trust in their victims. The smishing attempt will include a link to follow, a phone number to call back, or other instructions on what to do.

In addition to building trust through impersonation, we as consumers are also much less likely to question text messages and much more likely to open a text message than an email, making it easier for scammers to get their deceitful messages across. Text messages are so effective that they have a 98% open rate, compared to email open rates, typically around only 20%.

On top of all of this, the scammers will create a sense of emergency. Some samples of smishing texts are as follows:

  • Your package is waiting for delivery confirmation. Please provide shipping details here: [malicious link].
  • Alert: We noticed a login attempt from an unknown device. Please confirm it was you: [malicious link]
  • Your credit card has been used for a $2,500 purchase. If this wasn't you, please report immediately: [malicious link].

As you can see, the examples create a sense of urgency; you must act quickly to fix what has gone wrong. This prevents you from thinking carefully about the legitimacy of the text.
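The traits described in this section (an unknown sender, a link or callback number, urgent wording, and a claimed well-known institution) can be checked mechanically when triaging reported texts. The following is an added example, not code from this article or from CallerSmart; the word lists, function names, phone numbers, and example.invalid URLs are constructed assumptions.

```python
import re

# Constructed, illustrative word lists (assumptions, not from the article).
INSTITUTIONS = re.compile(
    r"\b(amazon|fedex|ups|irs|bank of america|social security|toll services)\b", re.I)
URGENCY = re.compile(
    r"\b(alert|immediately|urgent|final notice|suspended|act now"
    r"|please (confirm|provide|report))\b", re.I)
LINK = re.compile(r"(https?://|www\.)\S+", re.I)
CALLBACK = re.compile(r"\+?\d[\d\s().-]{8,}\d")  # a phone number in the body

def indicators(text, sender, contacts=frozenset()):
    """Return the set of smishing traits found in one text message."""
    found = set()
    if sender not in contacts:
        found.add("unknown_sender")
    if LINK.search(text):
        found.add("link")
    if CALLBACK.search(text):
        found.add("callback_number")
    if URGENCY.search(text):
        found.add("urgency")
    if INSTITUTIONS.search(text):
        found.add("institution_claim")
    return found

def is_suspicious(text, sender, contacts=frozenset()):
    """Unknown sender + a call to action + pressure or impersonation."""
    found = indicators(text, sender, contacts)
    hook = found & {"link", "callback_number"}
    pressure = found & {"urgency", "institution_claim"}
    return "unknown_sender" in found and bool(hook) and bool(pressure)

# Constructed samples: the article's three example texts with a placeholder
# URL substituted, plus one ordinary message from a saved contact.
SAMPLES = [
    ("+15550100", "Your package is waiting for delivery confirmation. "
                  "Please provide shipping details here: https://example.invalid/d"),
    ("+15550101", "Alert: We noticed a login attempt from an unknown device. "
                  "Please confirm it was you: https://example.invalid/l"),
    ("+15550102", "Your credit card has been used for a $2,500 purchase. If this "
                  "wasn't you, please report immediately: https://example.invalid/c"),
    ("+15550199", "Running late, see you at 6. Menu: https://example.invalid/menu"),
]
CONTACTS = frozenset({"+15550199"})

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(is_suspicious(text, sender, CONTACTS), sorted(indicators(text, sender, CONTACTS)))
```

A keyword check like this only sorts messages for a closer look; a text that passes it still deserves the verification steps described later in the article.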

Types of Smishing Attacks

There are many types of smishing scams. These are some of the most common types:

  • Fake delivery notifications (often claiming to be from Amazon, FedEx, or UPS)
  • Bank fraud alerts
  • Government or tax scams (often claiming to be from the IRS or Social Security Administration)
  • Prize scams
  • Survey scams (an example can be seen pictured below)

iPhone screenshot of a potential survey smishing scam

How to Detect Smishing Scams

Detecting smishing scams can be difficult, but by staying calm and doing some research, you can make an informed decision about whether or not a text is legitimate.

Here are a few steps to follow the next time you get a suspicious or unsolicited text message:

  1. Stay calm. Don't reply to the message or click any links in the message.
  2. Verify who the sender is. If someone claims to be contacting you from Amazon, instead of replying, go directly to Amazon customer service. Most companies won’t text you unless you request it.
  3. Verify where the number is from. You can investigate the phone number online or with an app like CallerSmart Reverse Phone Lookup. Look up the phone number and check where it is from and what others are saying about it.

iPhone screenshot of user feedback in the CallerSmart app

How to Prevent Smishing Attacks

There are several easy ways to prevent smishing attacks. Here are a few best practices and some extra steps you can take:

Best practices:

  • Don't click on links sent in texts from phone numbers outside of your contacts.
  • Don't reply to texts from phone numbers outside of your contacts.
  • Block suspicious phone numbers.

Extra steps:

  • Avoid using SMS for two-factor authentication (2FA). Instead, use an authenticator app like Google Authenticator or Authy.
  • Avoid sharing your phone number online or with untrusted services.

What to Do If You’ve Been Targeted by a Smishing Attack

If you’ve been the victim of a smishing scam, it’s important to act quickly. The first step is to stop replying to the scammer.

The next step is to change any passwords on compromised accounts. It's important to use strong and unique passwords for each account.

After securing your accounts, you should report the scam to the Federal Trade Commission (FTC) at ReportFraud.ftc.gov and the Internet Crime Complaint Center (IC3) at IC3.gov.

You should also report the scam to the organization or company that the scammer impersonated. This will allow them to warn other potential victims about the fraud.

You can also report the phone number in a community phone book, like ours, to let others know about the scam.

Lastly, you should keep an eye on your accounts for any unusual activity and stay vigilant. Scammers are constantly developing new strategies to trick victims into giving up information.

Don't feel alone; many people have been scammed, and it's important to talk about it and tell others. You never think it will happen to you until it does. This is why staying educated and aware of potential scams is essential. By sharing your experience, you might save someone else from being scammed.

Conclusion

There you have it. Smishing is a very common and lucrative scam; these texts will not stop, and scammers will continue to come up with new tactics.

Even though smishing scams are sophisticated and prevalent, they are also avoidable.

Remember to never click a link sent via text from someone not in your contacts, and never share sensitive information with someone not in your contacts.

Most importantly, share this information with others because the best way to prevent scams is to talk about it within your community. Ask others for their thoughts before you respond to a suspicious text, do research online to see what others are saying, and when in doubt, contact the company directly before responding to an unsolicited text.

By staying calm and educating yourself about scams, you can avoid falling victim to smishing attempts.
