This concerning phenomenon is more commonly known as smishing, a combination of the words SMS and phishing. SMS is an acronym for short message service (simply known as text messaging). Phishing is a type of online scam that uses messages, such as emails, as well as malicious links and email attachments. The goal of phishing is to get someone to reveal their personal details and information, such as passwords, personal ID or financial details, including bank account numbers.
This is done by the sender acting as a reliable entity, such as the recipient’s bank, a social media service or some authority that the message’s receiver would trust. Once the scammer has gained the victim’s trust, the goal is financial gain. The scammer may try to access the victim’s online bank, email or another service that may open doors to various other places.
So, how is smishing different from phishing? Although the goal of smishing does not differ from phishing, the means of stealing your personal or financial information, and infecting your desktop or mobile devices are different. Whereas phishing refers to online crimes done via email, smishing attacks use a mobile phone or some other mobile device and text messages to lure the victim. In other words, smishing is just a form of phishing done via text messages.
Nowadays many might consider some forms of electronic communication, including text messages, more trustworthy than emails. After all, criminals and scammers are known for using all novel online channels, such as email, for achieving their goals. Yet, malicious text messages have also found their way into the criminals’ toolbox.
A smishing message might be more successful in tricking its victim than a phishing email because many do not consider text messages a threat to their security and privacy. However, this is far from the truth. In addition to regular text messages, messaging services such as WhatsApp are not safe either when it comes to stealing sensitive data, login details and other personal information.
Even existing message chains may pose a risk of smishing. Criminals can inject smishing messages into old message chains the victim has started with the real sender. In a case like this, smishing can be done in the name of a well-known and trusted source, such as the postal service or a delivery company. The smishing message will become a part of the old message chain, among the other messages the victim has received earlier. This can be very deceptive and make people fall into the trap, especially if the smishing SMS looks just like the other messages.
As with phishing emails and other scam messages, a smishing message can be identified by looking for certain signs in the message itself as well as its sender. First of all, just like phishing, smishing attacks are disguised as messages from a reliable source. The message might appear to come from your bank, for instance, or a social media service you use.
One reason that makes identifying a smishing message more difficult than a scam email, for instance, is that text messages have fewer options when it comes to visuals, such as logos, formatting and colors. Whereas a phishing email can be identified as fake just by looking at its visual style, an SMS message has only text to use.
A smishing text message may also be disguised as a notification about a sent or received package that you have supposedly ordered. A smishing message may tell you that you have won a lottery or some other prize that is just waiting to be picked up by its lucky winner.
One way to spot and identify smishing attacks is by looking at the phone number the SMS message is coming from. Sometimes the first few numbers or the country code of the phone number can reveal that the message is coming from some other country than it should. Like scam emails, the warning signs of SMS phishing include bad grammar and poorly formed sentences. These can reveal the sender’s true intent.
Smishing messages often urge you to do something as soon as possible and have an element of urgency. A fake message may tell you to click a link, respond to a message or carry out some other action right away. One way to do this is by claiming that your email, social media account or online bank has identified suspicious activity.
SMS phishing, just like normal phishing via email, uses links that direct you to a website. Clicking the hyperlink in a smishing message, however, often takes you to a website that is designed to look like the assumed sender’s real website.
The link in a smishing message may also take you to a login page that is made to look like that of a well-known and trustworthy source. For example, smishing messages can be sent in the name of social media services, banks or delivery companies. However, instead of logging in, a victim who enters a username and password on such a page is giving away their login credentials. These are then used to access their bank account and email or collect personal information.
Overall, it is always wise to be mindful of clicking any links coming from senders whose authenticity and reliability you cannot verify. After the victim has clicked a link in a smishing message and entered a fake site, the means of stealing their information are similar to those of a phishing fraud.
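The warning signs described above (an unexpected country code, urgency, delivery, prize or account-alert lures, and a link) can be expressed as a simple triage check. This is an added example, not F‑Secure's code; the keyword lists, the `expected_prefix` default and the sample messages are assumptions constructed for illustration.

```python
import re

# Warning signs named in the article; the word lists are illustrative
# assumptions for this example, not a vetted ruleset.
URGENCY = re.compile(r"\b(immediately|right away|as soon as possible|urgent)\b", re.I)
LURES = {
    "account_alert": re.compile(r"\bsuspicious activity\b", re.I),
    "delivery": re.compile(r"\b(package|parcel|delivery)\b", re.I),
    "prize": re.compile(r"\b(won|winner|lottery|prize)\b", re.I),
}
LINK = re.compile(r"(https?://|www\.)\S+", re.I)

def triage_sms(sender, text, expected_prefix="+358"):
    """Return the warning signs found in one message, in a fixed order."""
    signs = []
    # Only numeric senders carry a country code. Alphanumeric sender names
    # are not checked here because they can be imitated, which is how fake
    # messages land in an existing thread.
    if sender.startswith("+") and not sender.startswith(expected_prefix):
        signs.append("foreign_country_code")
    if URGENCY.search(text):
        signs.append("urgency")
    signs += ["lure:" + name for name, pat in LURES.items() if pat.search(text)]
    if LINK.search(text):
        signs.append("contains_link")
    return signs

def verdict(signs):
    """A link combined with any other sign is the pattern to treat as hostile."""
    if "contains_link" in signs and len(signs) >= 2:
        return "suspicious"
    return "review" if signs else "no_signs"

# Constructed sample messages (placeholder numbers and .example domains).
SAMPLES = [
    ("+9990000000", "We detected suspicious activity. Verify immediately: http://bank-login.example/verify"),
    ("PostService", "Your parcel is waiting. Pay the fee here: https://post.example/pay"),
    ("+3580000000", "Congratulations, you have won a prize! Reply YES to claim."),
    ("+3580000000", "Hi, running ten minutes late, see you at the cafe."),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        signs = triage_sms(sender, text)
        print(f"{verdict(signs):10} {sender:12} {signs}")
```

A message with no matching signs is not proven safe; the check only surfaces the combinations the article describes so they can be reviewed before anyone taps the link.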
Also be mindful of unprompted messages sent to you on a messaging app like WhatsApp and Facebook Messenger. Such platforms are another popular tool to lure victims to reveal their sensitive information.
This might sound like you can no longer trust any SMS, instant message or email. Luckily, there’s a foolproof way to prevent yourself from becoming a victim of a smishing attack. That is: don’t do anything a suspicious message asks you to.
Reading a smishing message alone cannot be used to steal your information. However, clicking a link in a malicious text message or sending your personal or financial details as a response can be used for financial gain, identity theft and many other crimes.
With over 30 years of experience, F‑Secure sees the online dangers you don’t. To take your anti-phishing and anti-smishing measures to the next level, get F‑Secure Total to keep you safe. Total includes award-winning protection against viruses, ransomware, known phishing websites, and many other online threats. It also includes an unlimited VPN and a password manager.
You can try it for free for 30 days, with no credit card required.