The word “smishing” comes from combining “SMS” — for short message service (texting) — with “phishing,” the practice of stealing personal or financial information through deceptive communications, primarily emails. Basically, it’s phishing by text messages on mobile devices.
What is Smishing?
Like phishing emails, smishing texts are scams that aim to manipulate people into turning over sensitive data such as Social Security numbers, credit card numbers and account passwords or provide access to a business’s computer system. They rely on persuading you that the sender is a familiar or trusted source (like a bank, store, or shipping company) and that urgent action is needed to secure a benefit, resolve a problem or avert a threat.
Cybercriminals often use one of two methods to steal this data:
- Malware: The link might trick you into downloading malware — malicious software — that installs itself on your phone.
- Malicious website: The link in the smishing message might lead to a fake site (often a clever copy of a legitimate site) that requests you to submit sensitive personal information.
How does Smishing work?
Typically, attackers want the recipient to open a link within a text message, where they then are prompted to disclose their private information.
Smishing spreads because many users have false confidence in text message safety. People are often less wary on their smartphones than with emails or scam calls.
Examples of Smishing
Be wary of text messages that
- promise free prizes, gift cards or coupons
- offer you a low or no interest credit card
- promise to help you pay off your student loans
- say they’ve noticed some suspicious activity on your account
- claim there’s a problem with your payment information
- send you a fake invoice and tell you to contact them if you didn’t authorize the purchase
- send you a fake package delivery notification
Dos and Don’ts of Smishing
- Do contact the company or organization that supposedly sent the text, using a phone number or website you know to be legitimate, if you think it might concern a genuine problem.
- Do forward spam and scam texts to 7726 (SPAM), the spam reporting service run by the mobile industry. This sends the text to your carrier so it can investigate.
- Do consider using tools that filter or block unwanted messages or unknown senders:
- Your mobile device may have built-in spam protection. Check the settings on its messaging app.
- Most major wireless carriers offer call-blocking services.
- Do report suspected smishing to the FCC and the FTC.
- Don’t provide personal or financial data in response to an unsolicited text or at a website the message links to.
- Don’t click on links in suspicious texts. They could install malware on your device or take you to a site that does the same.
- Don’t reply, even if the message says you can “text STOP” to avoid more messages. That tells the scammer or spammer your number is active and can be sold to other bad actors.
- Don’t assume a text is legitimate because it comes from a familiar phone number or area code. Spammers use caller ID spoofing to make it appear the text is from a trusted or local source.
- Don’t feel rushed. Approach urgent account updates and limited time offers as possible smishing. Remain skeptical and proceed carefully.
Remember: The simplest protection against smishing is to do nothing at all. If you don’t respond, a malicious text cannot do anything.