What Is Smishing, and How Can You Prevent It?

What is a smishing attack?

The word ‘smishing’ is a combination of two words — ‘SMS’ and ‘phishing.’  

SMS stands for ‘Short Message Service.’ They’re more commonly known as ‘text messages’, short text-based communications sent between mobile phones.

Phishing, meanwhile, is a type of scam where criminals send some kind of fraudulent communication in an attempt to steal money or data.  

How does smishing work?

Smishing is all about trickery and social engineering. Often, smishing messages will pretend to be from a trusted company or organization.  

Typically, they’ll try to fool you into taking a particular action. In some cases, that might be to respond by sending information back. In others, you’ll be sent a link to a web page, where you’ll be prompted to enter personal information, like passwords, usernames, or PIN numbers. Some smishing attacks will encourage you to call a phone number, where a criminal will trick you into divulging information or transferring money to them. It often happens to elderly people, they get lured into sharing their credit card information.

How does smishing spread?

All criminals need to launch a smishing attack is a list of phone numbers. Then using computers and special software to automate the process, they can then send out hundreds, thousands, or even millions of smishing texts at once.

But where do they get these numbers from?  

Some of them are stolen along with other user data when websites get hacked. Numbers can also be collected through phishing emails and phishing sites. And in some cases, lists of phone numbers are sold to criminals by company employees.

Smishing is mostly indiscriminate, using these lists of numbers. But it can also be targeted to just one or a few people, just like other forms of spear phishing.  

You can find out if your data has been leaked as a result of a website hack by using Clario’s data breach monitor. It continuously scans the dark web to notify you in case your email, phone number, credit card information, SNN number, or medical records have been exposed for the criminals to use.

Smishing attack examples

There are countless different types of smishing messages, but here are some of the most common at the moment.

COVID-19 smishing

Cybercriminals will often take advantage of current affairs to increase the success of their smishing campaigns. COVID-19 was a typical example of this. People were worried about the virus and looking for guidance.  

It didn’t take long before the public started getting fake texts asking them to pay for coronavirus testing kits or health supplements, or pay for lockdown fines.  

Bank smishing

Rather than stealing information to sell, some criminals will go straight for the cash by pretending to be a bank or credit card company. By getting victims to supply their bank account details or card PINs, hackers can steal money, transferring it to their own accounts — often overseas, where it can’t easily be recovered.  

In one recent case, the FBI issued a warning about smishing texts claiming to be bank fraud alerts. Victims were told someone had tried to transfer money from their account. They were prompted to call a number to reverse the payment, but this went to the criminals, who would take the victim’s bank details to steal money.  

Gift or prize smishing

“Congratulations! You’ve won the Spanish lottery” We’ve all had emails like that, but the messages aren’t always so obvious, and sometimes they arrive through text messages instead.  

They’re not always about lotteries either — sometimes, you might be told you’ve won something smaller and more believable. Gift card smishing attacks are particularly common and are used to email addresses and other personal data.  

Invoice or order confirmation smishing

Like other forms of phishing, invoice or order confirmation smishing is all about engineering your behavior, so you give up information.  

In some countries, fake parcel delivery texts are the top smishing scam. These smishing texts will usually tell you that you have a parcel waiting for you at a courier depot and that you need to fill out a form to claim it.  

Curiosity can get the best of some people, and they fill the form in to see what the parcel is, which claims to be from a company like Fedex. Of course, the form will be a fake, set up to steal data.  

Customer support smishing

Companies contact their customers for all kinds of reasons — including to tell them about new services or products, to let them know a warranty is ending, or to inform them if their account has been compromised.

Criminals sometimes mimic these messages to direct unsuspecting victims towards phishing sites or to get them to call and supply details. One typical example is the fake Facebook customer support message, which claims the victim’s account has been hacked or suspended.  

How to prevent smishing

It’s pretty much impossible to avoid smishing attacks completely. As soon as you share your number with any company or website, you’re trusting them to keep it safe and not to sell it to someone else.  

Being careful about who you give your number to can help to reduce the number of smishing attempts you see. However, most of the work of blocking smishing attempts is done by phone networks, meaning most fraudulent texts never make it to you.  

What’s most important is knowing how to recognize smishing attacks when they do get through, so you can avoid falling victim to them. A few rules to follow:

• Your bank will never request your PIN or full password over the phone or in a text message.
• Check the phone number the text message is coming from. Google it to see if it’s really connected to the company it says it’s from.
• Look for spelling mistakes. Hackers are often not native English speakers, or they don’t bother to spell check.
• Generic greetings like ‘Dear sir/madam’ are common because criminals don't have the data or the means to personalize texts.
• If you aren’t expecting a parcel, invoice, or another kind of request, be on your guard.
• Don’t log into an account using a link in a text message. Go to that account manually in your web browser.

Steps to take if you fall victim to smishing

Following the steps above should steer you right most of the time. If, however, you do think you’ve been taken in by a smishing scam, you should move quickly to minimize the damage.  

Follow these steps to prevent your smishing problems from getting worse:

• Log into any affected accounts and change your passwords. Also, if you’ve used these passwords anywhere else, change those too.
• If you’ve handed over bank or credit card details, contact your bank immediately so they can block any fraudulent activity on your account.
• Report the attack to the police, so they can log the incident and warn other people if it’s a widespread attack.
• Block the number that sent you the smishing text. If they think you’re an easy target, they’ll likely have another shot at you later.

If you’re lucky, you can act fast enough to stop criminals from using your data to get into your accounts or steal your money. But as with most things privacy and security related, prevention is better than cure. Being suspicious about any unexpected text messages is one of your best weapons against smishing.

With the help of Clario’s data breach monitor, you can react fast if your data is put up for sale online or involved in website data breaches. It is easy to use and quick to give you an answer if your personal data has been compromised. Follow these simple steps to find out:

1. Download Clario
2. On the dashboard, find Data breach monitor
3. Click Add email
4. Type in your email address and click Check

In case it finds any breach of information, follow the on-screen instructions to make sure your cyber safety is restored. Also, if you are still worried, contact our Support Team. Our tech professionals are always there to help ensure your and your device’s security.