Take The 2022 Security Operations Trends Survey Today  START 
Skip to main content

Smishing: What It Is, Why It Matters, and How to Protect Yourself

Have you ever received a shady text message?

You know, the ones that ask you to click a random link, then want you to send thousands of dollars or hand over the rights to your firstborn child? If you're lucky, the message was so amateurish that you immediately pegged it as a fake, reported it as spam, and moved on with your day.

However, if you've ever encountered a more sophisticated hacker, who perhaps went through the trouble of learning personal information about you to make the texts sound more legitimate or created a spoofed website that looked exactly like your bank's, that’s a different story. You may have been duped—like millions of others.

There's no shame in that. These hacking attempts are socially engineered to trick you. It can happen to anyone. But by educating yourself on how to identify smishing scams, you can protect yourself and your company from falling victim in the future.

This article breaks down the ins and outs of smishing, what it is, what hackers are after, and how to make sure they don't succeed.

What Is Smishing?

SMS (short messaging service) phishing or “smishing” is a common type of cyberattack where victims receive misleading text messages intended to trick them into sharing personal information, giving money, or downloading malware. The goal of smishing is to fool you into believing the message came from a trusted person or organization, and to convince you to take action that ultimately provides the attacker with exploitable information.

What a Smishing Scheme Typically Looks Like 

1. A cybercriminal sends you a text message, possibly from a spoofed number that makes it seem as though it's coming from a legitimate business, perhaps even one you’re familiar with as a customer.

2. You receive the text message on your phone, or another messaging system. It warns you there is an urgent issue with one of your accounts and asks you to verify information to resolve it.

3. You respond, often by clicking on a link or calling a phone number provided, in an effort to clear up the error

4. You're then directed to a phony website or call center that appears legit.

5. You may be prompted to provide sensitive information or download some type of malware.

6. If you download the malware, you've granted the attacker access to your device. Once they have access, they can use it to spy on you, steal sensitive information, or access your accounts. Any personal information you provide can be used to steal your identity and login to your accounts.

Smishing works so well because nearly everyone with a cell phone can receive texts, and texting is a preferred method of communication by many legitimate financial institutions.

People also tend to be less guarded when it comes to watching for suspicious text messages compared to malicious emails. And because people tend to carry their mobile devices with them at all times, attackers are more likely to take advantage of them in a moment of distraction.

Most cybercriminals engaged in smishing are out to steal your personal data, which they can then leverage to steal money from you or your company. The information may include your:

1.     Social Security Number.

2.     Credit or debit card numbers.

3.     Zip code, which helps them use your card if they already have the number.

4.     Bank name or credit card company, which they can use later in tailored and personalized attacks.

5.     Work login info.

As companies increasingly adopt bring your own device (BYOD) policies and more employees use their personal smartphones for work, smishing has emerged as not only a consumer threat but a business risk as well. All the more so because personal devices tend to lack the same level of security found on corporate PCs.

Social security cards stacked on top of each other. Social security numbers are prime targets in smishing attacks

Smishing vs. Phishing: What's the Difference?

Smishing is a new take on an old trick.

Here's what phishing and smishing have in in common:

  • An attacker sends targeted messages
  • The messages are meant to trick recipients.
  • Individuals are often sent malicious links and encouraged to click through to fraudulent sites.
  • Users may be tricked into downloading a Trojan horse or malware onto their computers.
  • Social engineering techniques are used to gain access to personal information and steal money from victims.

The difference is that with smishing, the attacker sends targeted messages by way of texts instead of messages the “old-fashioned” way, via email, a scam that has been around since the 1990s. For this reason, smishing is also known as "text phishing" or "cell phone phishing."

Hackers also aim to exploit victims from smishing attacks via applications like Skype, Facebook Messenger, WeChat, or iMessage.

A computer keyboard with a credit card on top of it and a hook through the card to symbolize phishing.

The Three Most Prominent Types of Smishing Attacks

Most smishing attacks fall into one of three types. Here's a quick overview of what they attempt to accomplish.

1. Trick You Into Exposing Credentials

Smishers may attempt to con you into revealing your username and password info or other sensitive information they can use to log into one of your online accounts. Bank smishing is among the common in this attack category because the attackers are after your money and like to go directly to the source.

In bank smishing attacks, smishers send you text messages claiming to be from your bank. They may warn you about a large transaction or a new payee added to your account, and provide you with a fraudulent number to call or a link to access so you can halt potentially unlawful access to your funds.

The link, however, directs you to a spoofed website that looks like your bank's and prompts you to give up your username and password. The phone number connects you to the attacker, who tries to manipulate you to reveal your sensitive information verbally. Once they have your credentials, they can log into your account and steal your money.

In this type of attack, you may also receive a text that appears to be from another company you currently do business with, like your wireless provider or a service like PayPal or eBay. The message will claim your account has either expired or been locked due to suspicious activity, and that you must share personal information to reactivate or regain access to it. Again, this gives the attackers the means to steal your identity and take your money.

A computer screen with an error exclamation point and "Malware" written

2. Fool You Into Downloading Malware

In this case, attackers send a link that, once accessed, downloads a malicious app on your phone. These apps are engineered to monitor your keystrokes, give hackers full control of your phone, encrypt the files on your device, hold them for ransom, or steal your identity.

There are many variations on smishing scams. A malicious text can alert you that you've been awarded a gift card, won the lottery, or have the opportunity to cancel your student loan debt. These scenarios take advantage of the financial struggles currently faced by many citizens, preying on their desires to obtain a quick financial win.

Smishing scams also come in the form of alerts from government agencies such as the IRS or the Social Security Administration, prompting you to log in to your account via a spoofed website. Or you could receive a phony text about a package delivery, appearing to come from the U.S. Postal Service, FedEx, or UPS, complete with a fake invoice or cancellation notice for a product or service you allegedly purchased.

In addition, the COVID-19 pandemic has inspired a new crop of coronavirus-related smishing schemes—everything from phony government health updates and warnings that you may have been exposed to the virus, to offers of bogus medical treatments and access to stimulus funds.

3. Dupe You Into Sending Money

An attacker may use personal information about you, whether leaked on and gathered from the dark web or found on legitimate sites, to gain your trust. For example, depending on your privacy settings, someone may be able to glean some of your friends' names from your Facebook profile and then use those names to send text messages apparently from people you may consider your personal friends.

After all, you're much more likely to follow the advice of someone you know. Once trust is established, this person may try to convince you to participate in a money-making "opportunity," where you are required to pay an advance fee  you will supposedly get back with interest. Alternatively, you could be asked to donate to a charitable cause, and the attacker will simply pocket the money.

The Consequences of Smishing

The effects of smishing are vast. On a personal level, attackers can wipe out your bank accounts or deceive you into sending them large sums of money. One attack can spell financial ruin for most people, especially in the current economic climate.

On a macro level, smishing attacks make it more difficult for financial institutions and other service providers to engage in trusted communications with customers via text messaging.

For organizations, an employee exploited by a smishing scheme can instantly open up your network for hackers to hold your data for ransom or steal sensitive information, both from your company and from your customers. This information can then be used to dupe countless other victims into giving up their money and personal information. Vulnerabilities of this magnitude can bring irreparable damage to your reputation, which causes you to lose credibility with your customers, spend countless hours on remediation, and experience potentially millions of dollars in damages.

Four Signs You're Being Smished

Typical examples of smishing include text messages that:

  • Request personal information, such as your login credentials for an online account or your Social Security number.
  • Prompt you to click a link to access a service, resolve a problem, or claim a prize.
  • Ask you to provide information to a government agencyAccording to the FCC, government bodies almost never contact you by phone or text to ask you to provide information.
  • Offer coronavirus-related testing, treatment, or stimulus money, or request personal information to use for contact tracing.

How to Protect Yourself from Smishing

The ubiquity of mobile phone usage, along with the growing number of consumers whose phone numbers were leaked in data breaches, has contributed to the proliferation of smishing. So, bad actors are unlikely to abandon this tactic anytime soon. The good news? The best way to keep yourself safe is to do nothing at all. It's when you take the bait that you find yourself in trouble.

Best Practices to Prevent and Protect Against Smishing

  • Be wary of texts using unnatural or grammatically incorrect language.
  • Be skeptical of offers that seem too good to be true—they usually are.
  • Avoid clicking on embedded links within text messages.
  • Do not download apps directly from a text message. Instead, use the Apple or Google Play app stores.
  • Never respond to texts that appear to come from a government agency.
  • Regard all urgent security alerts and coupon redemptions, offers, or deals as warning signs of a hacking attempt.
  • Do not respond to texts appearing to be from a financial institution or merchant asking you to update your account information or provide personal info.
  • If you get a message that looks to be from a bank or a company with whom you do business with a link or request to provide information, call the business directly. Do not use a phone number provided in the text.
  • Never click a link or call the phone number provided in a message if you're unsure whom it's from.
  • Avoid storing your banking or credit card information on your phone. That way, hackers won't have easy access to it if you do fall victim to malware.
  • If a friend or family member asks you to provide personal information via text, call them instead. After verifying it's actually them, provide the information verbally so that it's not stored on either of your phones.

What Companies Can Do to Prevent Smishing

According to Verizon's 2020 mobile security index, 17 percent of phishing occurs via messaging, and 15 percent of enterprise users encountered a smishing link in Q3 2019.

To help foil smishing attacks, organizations should implement smishing simulations as a part of ongoing security awareness training routines. Such simulations help educate employees on how to identify and react appropriately to these attacks and enable the company's security team to home in on individual users who may be particularly vulnerable and require additional training.

Contact the FTC

If you suspect you've fallen victim to a smishing scam, immediately contact the United States Federal Trade Commission (FTC) to file a complaint. The FTC works to prevent fraudulent, deceptive, and unfair business practices in the marketplace. It also provides information to help consumers spot, stop, and avoid such practices.

Speaking up means doing your part to stop smishing perpetrators from taking advantage of someone else. Once you file a complaint, the FTC will launch a plan to try to catch the perpetrators and bring them to justice.

The FTC's website also offers helpful resources and advice for avoiding smishing scams.

Take Cybersecurity to the Next Level With Arctic Wolf

Smishing is a serious problem that's likely to only get worse. Not only is it a danger to you as a consumer, but it's also a growing threat to your organization.

However, providing employees with proactive education and training goes a long way toward protecting your assets. Additionally, strengthening your overall security posture can ensure that even if someone on your staff falls victim to a smishing scam, attackers are not able to penetrate your network. 

Learn more about how Arctic Wolf reduces both the likelihood and the impact of cyberattacks.