What is smishing? A new form of text message fraud

Many are familiar with email scams that aim to steal your personal and financial details or to get you to click a malicious link. However, there is a new form of scam messaging on the rise and it is done via text messages.

What is smishing?

This concerning phenomenon is more commonly known as smishing, coming from the words SMS and phishing. The word SMS is an acronym for short message service (simply known as text messaging). Phishing is a type of online scam that uses messages, such as emails, as well as malicious links and email attachments. The goal of phishing is to get someone to reveal their personal details and information, such as pass­words, personal ID or financial details, including bank account numbers.

This is done by the sender acting as a reliable entity, such as the recipient’s bank, a social media service or some authority that the message’s receiver would trust. By gaining the victim’s trust, the goal of phishing is financial gain. The scammer may try to access the victim’s online bank, email or another service that may open doors to various other places.

Read more about phishing scams and 5 ways that can help you protect yourself against phishing.

How does smishing differ from phishing?

So, how is smishing different from phishing? Although the goal of smishing does not differ from phishing, the means of stealing your personal or financial information, and infecting your desktop or mobile devices are different. Whereas phishing refers to online crimes done via email, smishing attacks use a mobile phone or some other mobile device and text messages to lure the victim. In other words, smishing is just a form of phishing done via text messages.

Nowadays many might consider some forms of electronic communication, including text messages, more trust­worthy than emails. After all, criminals and scammers are known for using all novel online channels, such as email, for achieving their goals. Yet, malicious text messages have also found their way into the criminals’ toolbox.

A smishing message might be more successful in tricking its victim than a phishing email because many do not consider text messages a threat to their security and privacy. However, this is far from the truth. In addition to regular text messages, messaging services such as WhatsApp are not safe either when it comes to stealing sensitive data, login details and other personal information.

Even existing message chains may pose a risk of smishing. Criminals can inject smishing messages into old message chains the victim has started with the real sender. In a case like this, smishing can be done in the name of a well-known and trusted source, such as the postal service or a delivery company. The smishing message will become a part of the old message chain, among the other messages the victim has received earlier. This can be very deceptive and make people fall into the trap, especially if the smishing SMS looks just like the other messages.

How to identify smishing messages?

As for phishing emails and other scam messages, a smishing message can be identified by looking for certain signs in the message itself as well as its sender. First of all, just like phishing, smishing attacks are disguised as messages from a reliable source. The message might be coming from your bank, for instance, or a social media service you use.

One reason that makes identifying a smishing message more difficult than a scam email, for instance, is that text messages have fewer options when it comes to visuals, such as logos, formatting and colors. Whereas a phishing email can be identified as fake just by looking at its visual style, an SMS message has only text to use.

A smishing text message may also be disguised as a notification of a sent or received package you have, assumedly, ordered. A smishing message may tell you that you have won a lottery or some other prize that is just waiting to be picked up by its lucky winner.

One way to spot and identify smishing attacks is by looking at the phone number the SMS message is coming from. Some­times the first few numbers or the country code of the phone number can reveal that the message is coming from some other country than it should. Like scam emails, the warning signs of SMS phishing include bad grammar and poorly formed sentences. These can be used to imply the sender’s true intent.

Smishing messages often urge you to do some­thing as soon as possible and have an element of urgency. A fake message may tell you to click a link, respond to a message or carry out some other action right away. One way to do this is by claiming that your email, social media account or online bank has identified suspicious activity.

How smishing can be used to steal personal or financial information?

SMS phishing, just like normal phishing via email, uses links that direct you to a web­site. Clicking the hyper­link in a smishing message, however, often takes you to a web­site that is designed to look like the assumed sender’s real web­site.

The link in a smishing message may also take you to a login page that is made to look like that of a well-known and trust­worthy source. For example, smishing messages can be sent in the name of social media services, banks or delivery companies. However, instead of logging in, by inserting a user­name and pass­word, the victim is giving away their login credentials. These are then used to access their bank account and email or collect personal information.

How to protect yourself against smishing attacks?

Overall, it is always wise to be mindful of clicking any links coming from senders whose authenticity and reliability you cannot verify. After the victim has clicked a link in a smishing message and entered a fake site, the means of stealing their information are similar to those of a phishing fraud.

Be also mindful of unprompted messages sent to you on a messaging app like Whats­App and Face­book Messenger. Such plat­forms are another popular tool to lure victims to reveal their sensitive information.

This might sound like you can no longer trust any SMS, instant message or email. Luckily, there’s a fool­proof way to prevent your­self from becoming a victim of a smishing attack. That is: don’t do anything a suspicious message asks you to.

Reading a smishing message alone cannot be used to steal your information. However, clicking a link in a malicious text message or sending your personal or financial details as a response can be used for financial gain, identity theft and many other crimes.

Do you want to protect yourself from smishing attacks?

With over 30 years of experience, F‑Secure sees the online dangers you don’t. To take your anti-phishing and anti-smishing measures to the next level, get F‑Secure TOTAL to keep you safe. TOTAL includes award-winning protection against viruses, ransomware, known phishing web­sites, and many other online threats. It also includes an unlimited VPN and a pass­word manager.

You can try it for free for 30 days, with no credit card required.

Read more