I suppose that before I explain how to avoid smishing scams, it might help to understand the meaning of the word “smishing.” Basically, smishing is phishing through text rather than email. All clear now? That definition works fine if you understand what phishing is. Okay, let’s go to the Merriam-Webster dictionary to find out the full meaning of “smishing.” (Note: smishing is no longer “a new kind of cybercrime.”)
Smishing is a new kind of cybercrime. Its name is a portmanteau of SMS (short message service) and phishing. SMS refers to a text messaging service, and you probably know phishing as the name for a scam in which a person is duped into revealing confidential information by responding to a bogus e-mail that appears to be from a bank, Internet service provider, retail store, or other organization. Instead of e-mails, smishing uses text messages to direct people to a fraudulent website or to call a phone number at which point they are asked to provide personal identifying information, such as a user name and password, or financial information.
Source: Smishing Is Phishing Via Text | Merriam-Webster
The opening picture on this page is an example of a smishing attempt. How cool that I came in first in March! Of course, this is a scam. (Note: On all the smishing examples in this post, I’ve blurred out part of the phone number and part of the link so no adventurer who reads this can get scammed.) Once again, a scammer is attempting to trick us by using one of the three pillars of Social Engineering – an attempt to tap into your dreams. (Reference: Social Engineering: The Weakest Link In The Chain) Who wouldn’t want to win something?
Let’s look at another one I received:
This second text example was pretty easy to spot as a smishing attempt since my name is JOHN, not JOE. Additionally, if you know anything about tracking numbers, you know they have more digits than the tracking number shown in this text message.
Of course, scammers often use fear as a motivator (you learned that from me in Social Engineering: The Weakest Link In The Chain (4kcc.com)), and that’s also very true in fake text messages. Example:
In this message, the scammer is trying to scare us into believing there’s an issue with our bank. Oh, no, someone is trying to steal our money! Yes, someone is – the thief who sent this fake text.
Now that you understand what smishing is and have seen some examples, you might be asking yourself what you should do to not be scammed. Knowing you’re thinking that, here are some ideas:
- Think before you click. Scammers know that we are often doing other things when we receive a text message. We might be watching TV, doing our homework, folding laundry, playing with our kids, grandkids or maybe even our dogs and cats when, suddenly, we receive a text. (Naturally, the one thing we would not allow texting to interrupt is driving our car!) Because our minds are on other things, we might click on a link without realizing that the message is a scam. Moral: think before you click.
- Check the legitimate source. Let’s say you do get a text with a link from what appears to be your bank or a company with which you do business. Instead of clicking the link, open the appropriate app or log into your account on the web. If the message was really from them, some type of notification will appear in your account. For instance, in the first screenshot at the top, if I wasn’t sure, I would have logged into Amazon. If I really won an Amazon raffle, something would be there to tell me so.
- Regarding financial institutions, a special note: many credit card companies and banks will send you a text message if there’s an attempt to charge something on your card that seems out of place. About 99% of the time, these types of text messages will simply ask you to reply YES or NO, rather than click on a link. These text messages are legitimate. Here’s an example:
- Don’t call or reply to unknown text messages that contain links or appear to be Social Engineering. Just like unsubscribing from an email when you didn’t actually subscribe to a list, if you call or reply to an unknown text message you are simply verifying that your information is legitimate. Scammers purchase lists of mobile phone numbers just like they do email addresses.
You should know that smishing attacks are on the rise. When you put them under the FBI’s umbrella of Phishing, Vishing, Smishing and Pharming, they were the number 1 source of Internet fraud in 2020 with over 241,000 victims in the US. I don’t want to see you become one of these statistics in 2021 so please re-read this post!