How smishing works
You get a text message that looks like it's coming from some sort of official source. For example:
- You get a text that seems to be from your bank, warning you that there's a problem with your account requiring immediate attention.
- You receive an ominous threat of a fine or legal action from what appears to be an official government agency.
- An organization that sounds slightly familiar announces you've won a gift card in a drawing you don't recall entering. The message asks you to text back or call, and then you're required to submit personal information to “verify” your identity.
- In another twist, a scammer posing as a charity may invite you to send a text to a code number to make a donation that cyber thieves end up collecting.
Smishing scammers play on fear — whether it's fear of losing money, fear of getting into trouble, or fear of missing out. They're also counting on you to trust a text message sent to your personal cell phone number and not think twice about responding.
How to recognize smishing attempts
- Use caution when responding to text messages. When you get any text message that claims to come from a financial institution — or asks for personal or sensitive information — examine it carefully before you hit “reply.”
- A big red flag is when the number that shows up on your cell phone screen doesn't look like a phone number at all. For example, if the sender's number appears as 5000 instead of a normal 10-digit number, that's a tip-off the message was sent via email and not from another cell phone. That's one way hackers hide the source of fake messages.
Even if a text looks like it's coming from a trusted source, you should still be wary if it asks for passwords, authentication codes, or other personal information. The reason: spoofing. That's when a scammer makes it look like a phone call or text is coming from a number other than where it's really coming from. Again, the best course of action is to refrain from responding by text and instead call the company directly using the customer service number listed on their website.
Due to the recent increase in smishing attacks, some banks opt not to use text messages at all with their customers. Check to see if your bank has a written policy on text messaging. Even if your bank does use text messaging, it will not ask for personal financial information via text. If your bank does send text messages, make sure you find out directly from the bank itself what phone number it uses to do so.
What to do if you suspect smishing
If you have any doubt about whether a text message is real, contact the alleged sender's customer service department using the number listed on the company's official website or materials.
Whatever you do, don't call the number provided in the text message, and don't click on any link embedded in the message. Clicking on a link could cause your mobile phone to become infected with malicious software and allow cyber criminals to steal your personal information.
How to report smishing attacks
If you realize you've been on the receiving end of a smishing attack, report it to your cell phone company and file a complaint with the Federal Trade Commission.
You can also report smishing scams to any government agency, retailer, or other organization that the hacker was impersonating.
Terms like smishing may sound silly, but the financial harm that can result from smishing and other cyberattacks is quite serious. Shield yourself with a healthy dose of skepticism when seemingly official sources are sending you text messages and asking too many questions.