What is smishing?
The term “smishing” may sound silly, but the smishing meaning is less amusing than it sounds. A smishing attack is a type of phishing attack that leverages text messages as an attack vector. It can rely on social engineering, malicious attachments, and fraudulent websites to scam people.
A smishing scam can be easy to execute, challenging to trace, and dangerous in impact. A successful smishing attack can potentially expose your passwords, pictures, videos, and other sensitive data to a scammer and also function as an infection vector for a malware drop on your smartphone.
Every one of the billions of smartphone users worldwide is a potential smishing target. In the United States alone, the Federal Trade Commission noted nearly 400,000 fraud complaints about unwanted texts, including smishing attacks in 2021. Consumers reported a loss of over $80 million to regulators the same year.
This guide will help you avoid smishing attacks and learn how to prevent smishing. Read on for more in-depth details about the following:
- Smishing definition: what is a smishing attack in cybersecurity?
- Smishing examples
- Smishing vs phishing
- What you can do in case of a smishing attack
- How to protect yourself from smishing
Here is a quick smishing definition: smishing is a type of cybersecurity attack that occurs over short message services (SMS), also known as texting. Some experts may also define smishing as an attack over any type of text message, and not just native mobile text messaging systems, such as messages on social media platforms.
A simpler way to define smishing is to call it a phishing text message. This leads to the question: what is phishing? Well, phishing is when a threat actor poses as a trusted entity to trick a target into making a cybersecurity error, like sharing confidential information, typically over email. A phishing text message, also known as smishing, is phishing over text.
A smishing attack is when a threat actor uses malicious text messages to breach the cybersecurity of a target. The goal of a smishing attack is to typically gain the following confidential information for identity theft or financial crimes:
- Credit card numbers
- Credit card codes
- Banking data
A phishing text attack can also be highly targeted. When a threat actor knows the phone number of a victim, they can design a compelling attack. For example, if a scammer is targeting a finance executive’s mobile number, they can launch a smishing attack that appears to be from a potential business contact.
You can read up on phishing vs spear phishing vs whaling to learn about the different types of social engineering attacks that make use of text messages as a threat vector.
Like phishing, smishing tricks us into believing that fake messages are legitimate so that we interact with them without concern. Smishing attacks work by using some or all the following features:
- Context: Smishing texts use context to appear genuine. A smishing text may seem like it’s from the bank, your favorite retailer, or your government. For example, IRS-themed smishing scams that steal personal and financial information are rising because they’re using context effectively to earn a victim’s trust.
- Target selection: Smishing victims can be selected based on demographics and local affiliations. For example, a gang of extortionists may send fake texts from a financial institution that’s popular within a certain area code to local numbers. Alternatively, they may send phishing texts from a university to its students after accessing phone numbers.
- Social engineering: A social engineering attack manipulates a target’s emotions, such as fear, love, lust, greed, anger, or sympathy, to cloud their judgment. For example, a fraudulent message that appears to be from a loved one may fake an emergency to trick the victim into sending a money transfer.
- Malicious attachments: A phishing text message may be armed with a malicious attachment that appears to be a picture, video, or document but is a virus, adware, spyware, Trojan, or ransomware.
- Malicious links: Smishing attacks often use malicious links, malware or fraudulent websites.
Smishing also works by relying on the simplicity of text messages. You can spot a phishing email by watching out for grammatical errors, spelling mistakes, image formatting issues, strange email addresses, and other irregularities. But text messages are usually shorter and don’t carry graphics such as company logos.
For example, a typical text from your bank may be a couple of sentences long and feature a link to a retailer or a financial website. Unlike an official email, such a text is straightforward to spoof.
Hackers are less likely to make grammatical mistakes when writing one or two sentences in a smishing attack. And they don’t have to worry about replicating logos to make phishing texts appear authentic. They can also use Caller ID spoofing techniques and burner phones to cover their tracks.
- You have won a contest or a prize and must claim it.
- Someone has sent you a gift or a coupon that you need to activate.
- Your financial institution must confirm your details.
- A pending money transfer to your account requires your authorization.
- The expensive purchase you made needs verification.
- A virus was detected on your phone.
- Your account was locked due to suspicious activity or unusual login attempts.
Smishing and phishing may sound similar, but they’re not quite the same. So, what is the difference between phishing and smishing? The biggest difference in the smishing vs phishing comparison is that smishing uses SMS as a medium of attack, while phishing is a catchall term for any email, website, text message, or voice message that uses deception to attack a target. In other words, smishing is a type of phishing attack that occurs over a text message. The goals of both attacks is to collect your personal information for fraudulent activity. So, this is what both methods have in common.
The first thing you should do is report the attack to the relevant authority with as much detail as possible. For example, if you are the target of an IRS smishing attack, send an email of the attack to firstname.lastname@example.org with the following details:
- Phish caller ID number.
- A screenshot of the attack.
- A copy of the message if you can’t capture a screenshot.
- The date, time, time zone, and the number of the recipient.
Other organizations have also been forced to react to these scams. For example, banks and payment companies like PayPal have opened up phishing reporting channels. If you use PayPal, please learn how to recognize PayPal phishing emails to shield your account.
If you suspect that you’re the target of a smishing attack, immediately change all your passwords and PINs. Your new password should be complex and unique. You can read our guide to learn how to create a strong password.
A threat actor may try to use your debit or credit card after gaining access to your sensitive data. We suggest that after changing your passwords, you temporarily freeze all your cards to prevent financial fraud. You can freeze your card by logging into your credit card account or calling your financial institution.
Also, let your credit card issuer know about the smishing attack. They may disable your card and issue a new one with a different set of digits.
Monitor your accounts for the following types of suspicious activity:
- Unknown transactions on your bank or credit card account.
- Unusual login locations for your accounts.
- Your sensitive images, videos, or text messages are leaking out.
- Friends receiving suspicious messages from you.
- Loans taken out in your name.
- Enrollment in government financial aid programs
Even if you don’t notice any immediate suspicious activity, keep an eye on your accounts in the long term after a smishing attack. An excellent way to monitor your financial accounts for irregularities is to check your credit reports.
Federal law allows you to access a free credit report every year from a major credit bureau. That equals three free reports a year. And through December 2023, everyone in the United States can access a free credit report each week from all three bureaus.
After determining that a text is fraudulent, you can block it on an iOS or Android phone. On an iPhone, go to the contact page and tap Block this Caller. On an Android phone, go to the contact page and tap Block contact.
Both operating systems also offer filters that can allow you to block spam and other unwanted texts.
How to filter texts on iPhone:
- Go to Settings.
- Tap Messages.
- Swipe the button next to Filter Unknown Senders.
How to filter texts on Android:
- Go to Messages.
- Tap the three dots to open Settings.
- Tap Block numbers and messages.
- Activate Caller ID and spam protection.
Your mobile phone carrier may also offer anti-smishing tools:
Smishing attacks can be complex, leveraging alarmist language, malicious attachments, unsafe links, and fraudulent websites to breach our cybersecurity. Protecting yourself from smishing requires preparedness on multiple fronts.
Phishing texts may appear urgent to stop you from thinking clearly before you react. The first thing you should do after receiving an urgent message is to take a deep breath. Assess the situation before responding. It’s improbable that a legitimate entity will ask for your sensitive information or payment via text message. If you have any doubts, find the publicly listed number of the entity on their official website and call them directly.
Check the ID of the caller. Look for the number underneath the ID and search it online to see if it matches the context of the call.
Activate multi-factor authentication (MFA) on your accounts to protect them from hackers who may have access to your login credentials. MFA forces users to authenticate their identity in another way when there’s suspicious activity during a login attempt.
Smishing attacks may ask you to urgently open a link to take advantage of a great offer or to pay taxes to the IRS and avoid arrest. These links may lead you to malicious websites that steal your credit card data or other confidential information. It’s best to avoid clicking any links on text messages. Instead, verify the source of the message.
Screening calls can help shield you from smishing attacks. A message from an unknown number could be part of a scam.
Avoid storing your credit card data on your phone in the shape of web forms, text files, or even screenshots. A smishing attack that installs a Trojan or spyware on your device could easily steal this information. Spot the malware signs of such an attack. Additionally, use a free antivirus download to regularly scan your system for viruses, ransomware, spyware, adware, and Trojans.
It’s not unusual for banks to text you about recent purchases and credit limits. But it’s unlikely for your bank to request your sensitive information for a transfer via text. Always call your bank to verify any request by text or email.
Never share usernames and passwords in text messages, even if you trust the source. Hackers may be able to find this information in your device’s sent folder.
Download a cybersecurity tool for your phone to protect yourself from different types of attacks. For example, Malwarebytes for Android shields Android users from all times of malware. It also provides malicious links/websites and phishing protection to users. Similarly, Malwarebytes for iOS protects iPhone and iPad users from malware, spam calls, ads, scam websites, and phishing websites.
As stated earlier, there’s a noticeable rise in phishing over SMS. Smishing is an easy attack vector for scammers to utilize against millions of people who rely on text messages to communicate.
Smishing crimes can result in different security and privacy concerns, including identity theft. Experts say that the effects of identity theft can last several years, ranging from lost time, money, tax debt, and damaged credit to a criminal record.
A proactive approach to cybersecurity can prevent smishing attacks. Treat suspicious text messages with caution and arm your device with security software that mitigates the risk of a phishing attack.