Smishing: Definition & How to Avoid SMS Phishing Scams
In an age where people are texting more than talking on the phone, scammers can still find ways to trick people into revealing their credit card numbers, social security numbers, and other sensitive information. The scam they use for text messages is called "smishing." In this article, we'll explain what smishing means, explore common text messaging scams, and give you the tools to protect yourself.
Smishing Definition

What does smishing mean?

"Smishing" is an SMS or text message scam that steals users' data. In a smishing scam, the victim receives a text message from someone posing as an organization they trust, like their bank. The message encourages the victim to click a link or share sensitive information, like their credit card number. Clicking the link might install malware (malicious software) on the victim's device that steals their data.

The term "smishing" combines 2 other terms: SMS (which stands for "short message service" and refers to text messaging) and phishing. Phishing is a scam that works the same as smishing, but it uses emails instead of texts.

Below is a list of sensitive information smishing scams often ask victims to send them:

- Date of birth
- Social security number
- Home address
- Credit or debit card information (including PINs)
- Bank account information (including your bank account number, routing number, and answers to your security questions)
- Account numbers and usernames
- Passwords and PINs that grant access to your mobile device, computer, email address, and other accounts

How Smishing Attacks Work

Smishing scammers use social engineering to prey on victims. Social engineering is a way of manipulating people to do what you want by using psychological tricks. Smishing text messages are carefully designed to make victims feel compelled to respond to them or click on the malicious links they contain. They do so by posing as trustworthy organizations or people, providing a reasonable context (like tracking a package or verifying bank fraud), and triggering people's emotions.

For example, someone receives a text message telling them a suspicious transaction is pending on their credit card. The message tells them to click a link to investigate the transaction and cancel it if it isn't theirs. The victim decides to click on the link it contains because:

- They trust that the text is from the bank.
- They think a suspicious transaction is a good reason for the bank to contact them.
- They're afraid that the transaction will process through their account and they want to stop it.

Smishing attacks work because people read and trust their texts. According to one report, consumers are 35 times more likely to open a text than an email! Texts are simply easier to view and read, plus they offer the fastest real-time communication. And once a victim opens a smishing text and reads it, the social engineering aspect of the scam immediately starts to take effect.

Types of Text Messaging Scams (with Examples)

Bank or credit card fraud texts

In this scam, the victim will receive a text telling them about a suspicious transaction that came through their bank account or credit card. The text may ask the user to click on a link to cancel or confirm the transaction. By clicking the link, they might accidentally download a virus onto their phone. It may also take them to a fake webpage where they're prompted to type in their bank account or credit card number.

Your bank or credit card company will never ask for your account number or credit card number to verify your identity. They already have that information, your date of birth, social security number, and other identification details.

Example Text Message: "CHASE BANK - Did you authorize a transaction for $1,907.78? Click the link to confirm or cancel the charge."

Shipping or delivery texts

Some people receive texts claiming to be from a delivery service like UPS, USPS, or FedEx. In this type of SMS scam, the text message may ask the victim to tap a link to track a package en route to their doorstep. It may also tell them there's a problem with their package and instruct them to click the link to see the reason for the delay. Both these texts are huge red flags, and you should always investigate the claims thoroughly before clicking on any links they contain.

Reputable shipping carriers like UPS and FedEx never send text messages to customers without their permission. If you didn't give them permission, the sender's number is more than 5 digits long, or you didn't order anything shipped by that carrier recently, the text is likely a scam.

USPS never sends links in their tracking update texts. If you ever receive a text from them with a link in it, block the number right away, and don't click the link!

Example Text Message: "Shipping Notification: Your USPS package is on the way! Click the link below to track its delivery progress."

Account verification texts

Scammers don't always impersonate banks, credit card companies, and shipping services to get your private information. They also pretend to be insurance companies, energy companies, and other reputable organizations most people trust. If you ever receive a text from a company asking you to verify your account information by clicking on a link or responding to the text, you can be almost certain it's a smishing scam.

Example Text Message: "We detected an unauthorized login to your Verizon Wireless account at 3 AM CST. Please respond YES or NO or click the link below to verify if it was you."

Prize or gift texts

Scammers who send prize and gift smishing scams bank on the fact the recipient won't turn down the money or goods they're promising. They'll often pretend to be from a specific organization, like a clearing house, and tell the victim to click on a link to claim winnings (which may be cash or a gift card).

Never respond to a text like this, especially if you don't remember entering a contest. Instead of winning a prize or money, you're likely to lose both money and your data.

Example Text Message: "You just won a $500 gift card from Amazon! Tap the link below to claim your prize!"

Tax payment texts

In a tax smishing text, the scammer may try to frighten the victim by warning them they owe money for taxes. They may say they only have so many days to pay or the sender will call the police. Then they'll include a link where they tell the victim to enter their payment information and settle their "debt."

The IRS is the only organization that collects tax debt. If you owe money on your taxes, you'll receive a letter directly from the IRS. No one else will try to contact you about it (unless they're a scammer). Report all tax smishing scams to [email protected].

Example Text Message: "Your account has been put on hold because you owe $6789.02 for the 2024 tax season, due by March 15, 2025. Please respond to this text or follow the link to set up a payment plan."

Service cancellation texts

Another common smishing scam is when the victim receives a text that a service they're subscribed to is about to be canceled. The service could be a streaming platform (e.g., Netflix, Hulu, or Disney+), or something more serious like the internet, a utility company, or anti-virus software. The text encourages the victim to tap a link to renew the service. The link then either installs malware or takes the victim to a fake website that lures them into giving up their credit card information.

If you receive a service cancellation text from a company you recognize, always reach out to them directly through their customer service line or log into your account in a web browser first. That's the fastest way to verify whether the text is real or fake.

Example Text Message: "WARNING: Your NETFLIX subscription is about to run out! Follow the link to renew your membership before your account is deleted."

Credit card offers

Have you ever gotten a text about an amazing credit card offer? Chances are that offer was too good to be true. If a victim were to respond to a text like that, they wouldn't get a deal, and they certainly wouldn't get a card. They might just get tricked into handing over their social security number and other details to the scammer.

Example Text Message: "Congratulations! You qualify for an unlimited credit card with a 10% interest rate after 12 months! This offer is good through 6/17. Respond YES if you want to take advantage of this amazing opportunity!"

Student loan aid texts

In September 2024, after a 4-year pause, the United States federal government restarted federal student loan payments. A lot of students got used to not making payments and fell behind. This presented a good target for smishing scammers, who sent text messages promising to help pay off student loan debt.

Always check the status of your student loan debt with your lender, and never accept offers to help pay the debt from someone you don't know.

Example Text Message: "You're being forgiven $10K of student loan debt! Verify your account details here to make sure the money is applied to the right account."

Boss or colleague texts

If you receive a text from someone claiming to be your boss or a co-worker, you'd definitely sit up and take notice! And if they asked you to do something for them quickly – like send them money through Venmo or Cash App – you might decide to do it to get in their good graces. But this is just another smishing text you should delete.

Never send money to anybody who requests it via text message. Even if it's someone you know and whose number is on your Contacts list, call them and verify the request verbally just to ensure their phone hasn't been hacked.

Example Text Message: "Hello, this is your boss. I'm in a real jam – I'm on a business trip and I'm out of gas. I also left my wallet at home. Can you do me a favor and send me $200 on Venmo?"
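The red flags from the scam types above can be written down as a small triage check. This is an added example, not part of the original article: the rule names, regular expressions, sender numbers, and verdict strings are assumptions made for illustration, and the sample messages are constructed from the article's own example texts.

```python
import re

# The article names these carriers: their texts come only with permission and
# from numbers of 5 digits or fewer, and USPS tracking texts never carry links.
CARRIERS = re.compile(r"\b(?:usps|ups|fedex)\b", re.I)
LINK = re.compile(r"https?://\S+|\b(?:click|tap|follow)\b[^.!?]*\blink\b", re.I)

# One (flag, pattern) pair per lure described above; patterns are illustrative.
CONTENT_RULES = [
    ("asks_for_reply", re.compile(r"\b(?:respond|reply)\b", re.I)),
    ("verify_account", re.compile(r"\b(?:verify|unauthorized|authorize)\b", re.I)),
    ("prize_or_offer", re.compile(r"\b(?:won|prize|gift card|congratulations|forgiven)\b", re.I)),
    ("debt_or_cancellation", re.compile(r"\b(?:you owe|on hold|run out|deleted)\b", re.I)),
    ("money_request", re.compile(r"\b(?:venmo|cash ?app)\b", re.I)),
]
STRONG = {"usps_with_link", "carrier_long_sender", "money_request"}

def red_flags(sender, body):
    """Return the set of red-flag names that a text message matches."""
    flags = {name for name, rx in CONTENT_RULES if rx.search(body)}
    has_link = bool(LINK.search(body))
    if has_link:
        flags.add("link")
    if CARRIERS.search(body):
        if len(re.sub(r"\D", "", sender)) > 5:   # long number, not a short code
            flags.add("carrier_long_sender")
        if has_link and re.search(r"\busps\b", body, re.I):
            flags.add("usps_with_link")
    return flags

def triage(sender, body):
    """One strong flag, or any two flags, is treated as likely smishing."""
    flags = red_flags(sender, body)
    if flags & STRONG or len(flags) >= 2:
        return "likely smishing"
    return "verify with the company directly" if flags else "no red flags matched"

# Constructed samples: texts adapted from the article, sender numbers invented.
SAMPLES = [
    ("+1 555 010 0199", "Shipping Notification: Your USPS package is on the way! "
                        "Click the link below to track its delivery progress."),
    ("+1 555 010 0142", "Hello, this is your boss. Can you send me $200 on Venmo?"),
    ("12345", "Reply STOP to unsubscribe."),
    ("12345", "USPS: your package is out for delivery today."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(f"{triage(sender, body):34} {sorted(red_flags(sender, body))}")
```

A single weak flag, such as a short-code message that only asks for a reply, is routed to "verify with the company directly" rather than being called a scam, which matches the article's advice to confirm through the company's own channels.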

How to Protect Yourself Against Smishing Attacks

Secure your mobile phone with anti-virus software. Most mobile devices – including Apple iPhones, Androids, and Google phones – come with a pre-installed anti-virus app right out of the box. This software should protect your device in case you ever accidentally click on a malicious link. If you want to beef up your protection, however, you can download another anti-virus app like AVG or Avast.

Block all unknown or suspicious numbers. Depending on which phone carrier you use, your phone may already have spam-blocking technology installed on it. If so, the spam blocker should block or at least flag most suspicious numbers from texting or calling you. If one slips through the cracks, block the spam number yourself to prevent more messages from coming in.

Avoid answering or clicking on links in texts from strangers. If you receive a text from someone you don't know, it's always best to avoid talking to them until you find out who they are. You should also never click on any links they send you. If you can, ask a friend or family member if they know the person texting you. If they don't or can't confirm their number, and you don't remember giving yours to anyone, block the number just to be safe. If you receive a random link with no context from someone you know, investigate it first, or just don't click on it. Phones get hacked or stolen, too, so it's possible the person texting you isn't who you think they are.

Download new apps from your phone's official app store only. Avoid downloading apps via a link, whether you receive it in a text or any other communication. Always go to your phone's official app store (i.e., the Apple App Store or Google Play), search for the app you want, and install it from there.

Report smishing to the FTC, your phone carrier, and the credit agencies. The Federal Trade Commission (FTC) helps law enforcement crack down on scammers. That's why it's always a good idea to report smishing attacks to the FTC. You should also report the smishing scam to your phone carrier so they can shut down the number where it originated. Finally, report it to the top 3 credit reporting agencies: Experian, Equifax, and TransUnion. This will alert them to be on the lookout for suspicious activity and loan inquiries made with your social security number. Let your carrier know about the smishing text by forwarding it to 7726 (SPAM).

What to Do If You're a Smishing Victim

Remove the malware infecting your phone. If you have an anti-virus app already installed, open it and run it to detect and remove any viruses it finds. Next, open your web browser and clear your history, cache, and cookies. Then open your apps list and remove any you might have downloaded from an untrustworthy source. Finally, check your phone for pending security updates to ensure your phone is as protected as possible. If you've done everything listed above and you still notice your phone isn't performing well or your accounts are still getting hacked, you may need to perform a factory reset. This will reset your phone to the way it was when you took it out of the box, meaning it will delete all your information. Make sure your photos, videos, passwords, and other personal data are backed up to a cloud account, like Google Drive or iCloud.

Change all the passwords and PINs saved on your mobile device. Find every account you ever logged into on your phone – e.g., your email addresses, bank accounts, and shopping apps – and change the password for each. Do the same for the PIN (Personal Identification Number) you use to unlock your phone. Then, if a scammer tries to log into any of these sites, apps, or devices, they'll be denied access.

Report the fraud and freeze your credit and debit cards. Report the smishing scam to the FTC, your phone carrier, and the top 3 credit bureaus. Then call your financial institution and tell them to freeze all your credit and debit cards. If the smishing scammer did steal your card information, any purchases they attempt to make will be instantly denied. Your bank, credit union, or credit card company will likely issue you new cards with brand-new numbers, just to be safe. While you're waiting for the new cards to arrive, monitor your bank account closely for fraudulent activity.

Smishing vs Phishing vs Vishing

"Phishing" is an email scam and "vishing" is a phone scam. In a phishing attack, the scammer sends the victim an email. The body of the email uses the same persuasive tactics as smishing to trick the victim into clicking a malicious link or revealing their private information. Vishing, or "voice phishing," works the same way, but the scammer talks to the victim over the phone and persuades them to reveal their sensitive data verbally.

Avoid falling for a phishing scam by reading the sender's email address carefully. If it's long and complicated or if it's not from the company they say they're representing, delete the email. You can also read the email and pay attention to spelling errors; many scammers can't spell well so their phishing deception is easy to spot.

Protect yourself from phone scams by not answering calls from phone numbers you don't recognize. You can also hang up at any time during the call if they start asking you for information you're not comfortable giving out.
