Scam Alert: Smishing
Smishing isn't a new dance craze or cooking technique — it's a type of cyberattack. But with so many similar-sounding scam names floating around, it's hard to keep up with what each one means.
Here we'll explain what smishing is and how it works. More importantly, we'll outline how you can protect yourself from smishing attacks — and what to do if you think you've been targeted.
What is smishing?
The term smishing is a mashup of the acronym SMS, which stands for short message service (the industry lingo for text messaging), and phishing, a type of internet fraud1 that involves tricking you into responding to a fake email.
So, smishing is a type of phishing that uses text messages to try to dupe you into sharing personal financial information like your password, bank account, or credit card number.
Did you know? Smishing scammers play on your fears and your trust.
How smishing works
You get a text message that looks like it's coming from some sort of official source. For example:
- You get a text that seems to be from your bank, warning you that there's a problem with your account requiring immediate attention.
- You receive an ominous threat of a fine or legal action from what appears to be an official government agency.
- An organization that sounds slightly familiar announces you've won a gift card in a drawing you don't recall entering. The message asks you to text back or call, and then you're required to submit personal information to “verify" your identity.
- In another twist, a scammer posing as a charity may invite you to send a text to a code number to make a donation that cyber thieves end up collecting.
Smishing scammers play on fear2— whether it's fear of losing money, fear of getting into trouble, or fear of missing out. They're also counting on you to trust a text message sent to your personal cell phone number and not think twice about responding.
How to recognize smishing attempts
- Use caution when responding to text messages. When you get any text message that claims to come from a financial institution — or asks for personal or sensitive information — examine it carefully before you hit “reply."
- A big red flag is when the number that shows up on your cell phone screen doesn't look like a phone number at all. For example, if the sender's number appears as 5000 instead of a normal 10-digit number, that's a tip-off the message was sent via email and not from another cell phone. That's one way hackers hide the source of fake messages.
Even if a text looks like it's coming from a trusted source, you should still be wary if it asks for passwords, authentication codes, or other personal information. The reason: spoofing. That's when a scammer makes it look like a phone call or text is coming from a number other than where it's really coming from. Again, the best course of action is to refrain from responding by text and instead call the company directly using the customer service number listed on their website.
Due to the recent increase in smishing attacks, some banks opt not to use text messages at all with their customers. Check to see if your bank has a written policy on text messaging. Even if your bank does use text messaging, it will not ask for personal financial information via text. If your bank does send text messages, make sure you find out directly from the bank itself what phone number it uses to do so.
What to do if you suspect smishing
If you have any doubt about whether a text message is real, contact your alleged sender's customer service department using the number listed on the company's official website or materials.
Whatever you do, don't call the number provided in the text message, and don't click on any link embedded in the message. Clicking on a link could cause your mobile phone to become infested with malicious software and allow cyber criminals to steal your personal information.
How to report smishing attacks
If you realize you've been on the receiving end of a smishing attack, report it to your cell phone company and file a complaint with the Federal Trade Commission.3
You can also report smishing scams to any government agency, retailer, or other organization that the hacker was impersonating.
Terms like smishing may sound silly, but the financial harm that can result from smishing and other cyberattacks is quite serious. Shield yourself with a healthy dose of skepticism when seemingly official sources are sending you text messages and asking too many questions.
Important Disclosure Information
This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.
- FBI.gov," Internet Fraud," https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud, accessed July 5, 2018. Back
- Lifewire.com, “Protect Yourself From SMiShing (SMS Text Phishing) Attacks," Andy O'Donnell, March 7, 2018, https://www.lifewire.com/protect-yourself-from-smishing-sms-phishing-attacks-2487626, accessed July 5, 2018. Back
- Federal Trade Commission, “FTC Complaint Assistant,"https://www.ftccomplaintassistant.gov, accessed July 6, 2018. Back
Do you have questions or ideas?
Share your thoughts about this article or suggest a topic for a new one