Smishing: A Silly Word for a Serious Fraud Risk
These phishing attacks, in which scammers target victims through text messaging, are on the rise
There was clearly something fishy afoot when Beth, a disabled 50-year-old from North Carolina, received two text messages saying she had money available to add to her phone’s digital wallet.
One message said, “Beth put this in your wallet and use it whenever.” The other said, “The balance on this account is yours. no be to share [sic].” Both messages included hyperlinks.
Beth, who asked not to use her last name, had just become the target of “smishing,” an increasingly common tactic criminals are using to commit fraud.
Instead of clicking on the embedded links, Beth deleted the messages and reported them to the Better Business Bureau, a business watchdog. “Money doesn’t just drop in your lap,” she told Consumer Reports, explaining why the messages raised her suspicions. Beth says she has been on high alert for fraud since being targeted by calls from scammers claiming to be officials from the IRS or Social Security.
The word smishing combines SMS, the primary technical format for text messaging, and phishing. As in other phishing attacks, the criminals masquerade as government workers, tech support representatives, long-lost friends, or financial institutions, and try to lure people into divulging personal details that could lead to fraudulent credit card purchases or identity theft.
Robotexts Are the New Robocalls
More than 87 billion spam texts were sent to U.S. phone users in 2021, according to RoboKiller, a spam text mitigation service—that’s 58 percent more than the prior year, RoboKiller says. And so far this year, U.S. phone users have received over 55 billion spam texts with 12.02 billion texts received in the month of June alone, according to RoboKiller.
Delivery scams where fraudsters impersonate Amazon, FedEx, and the U.S. Postal Service are the most prominent text scam, accounting for over 26 percent of all SMS scams in 2021, according to RoboKiller. In these scams, robotexts are sent with links that purport to track packages or adjust user preferences. However, they’re actually links that connect users to fake websites where the recipient will divulge their sensitive information or download malware onto their device.
COVID-19 scams were the second most common text scam in 2021, according to the company. Here, scammers offer COVID-19 tests and request personal and financial information.
Besides those scams, text messages are also used to perpetrate intricate bank and peer-to-peer (P2P) digital payment fraud.
With some bank frauds, victims are fooled into furnishing log-in credentials, which criminals use to siphon out cash or open credit cards, whereas with P2P frauds, victims can be tricked into paying for goods and services they never receive, or sending money to people pretending to be friends or relatives. There have even been reports of identity theft in which the criminals will use someone else’s name and information to rent property.
How to Avoid Smishing
- You should never reply or click on any links in an unwanted text. They can contain malicious code that could infect your mobile phone.
- Forward unwanted texts to 7726, which spells SPAM. It’s free to do and forwards the messages to your phone carrier’s spam department so that it can take action against the number. If a message is being delivered over a third-party messaging app, you’ll want to report it to the app that you use by looking for an option to report junk or spam.
- Your phone should have an option to filter or block messages from a specific number. Major providers also often have a tool or service that can block spam calls and texts that you can look for and use. Similarly you can download a call- and text-blocking app from your phone’s app market or download apps from the Apple or Google app stores.
- Beware of messages that claim to be from government agencies, such as the IRS or Social Security. The IRS will never send you an unsolicited text message or initiate contact via text message, email, or social media. Social Security does allow marketing firms to send emails to raise awareness of Social Security’s online services, and it uses text messages for two-factor authentication—but only if you’ve set up that security measure through your online account.
- A telltale sign that you may be under attack is that a message is trying to impart a sense of urgency. These types of scams often imply that an immediate response is required to take advantage of an offer or to avoid a penalty.
- Don’t be taken in by friendly, familiar language. Smishing text messages may use your name. While they often come from unfamiliar numbers, sometimes they seem to have originated from a phone number you recognize.
- Do not respond to suspicious text messages, even if the message says you can “text STOP” to prevent future messages. Any response on your part will confirm for the scammers that the number is in use—and you’ll just be inviting more texts.
- Delete all suspicious texts.
- Make sure your phone’s operating system is up to date. Android and iOS are constantly being updated with enhanced security features. On Android models and iPhones, your phone’s settings page should indicate which system you’re using and whether an update is available.
- If you get a suspicious text from an official-sounding entity and want to check it out, don’t use any information from the message itself. Instead, call or email the company or government agency directly, using an official phone number from a recent bill or another valid source of information.
- You should also alert law enforcement to the attack by submitting a report to the FCC or the Federal Trade Commission.