Executive Online Protection

“Smishing:” When Phishing Moves from Email to Phone

Smishing Attacks

When you think about phishing attacks, your mind probably goes right to your email inbox. We’ve all encountered emails asking for login credentials, personal information, and even money.

But while you may have your guard up for those phony emails, cybercriminals have found other ways to conduct phishing attacks, including one that targets you while you are on your phone.

Cybercriminals have ramped up sending spam text messages to unsuspecting targets – a tactic known as “smishing.”

“Smishing” campaigns share many of the same hallmarks as email phishing campaigns and cybercriminals are sending them at an incredibly rapid rate.

According to EarthWeb, more than 3.5 billion phone users receive spam text messages daily. Additionally, more than 378 million spam text messages were sent daily in April 2022 alone. In addition, the average American receives nearly 41 spam texts per month. With such a vast volume of spam text messages out there, it’s important to know when you may be facing a potential “smishing” attack, and what you should do when one pops up on your phone.

Spotting “smishing” attacks

“Smishing” attacks share many of the same traits as traditional email phishing attacks. The text messages will attempt to make an emotional connection to the intended victims. Perhaps they will convey a sense of urgency to pay a bill or reactivate a service. Another attempt might tell a person that they won a contest and need to click on a link to claim their prize. 

The sender will make the message appear as though it’s coming from a reliable source, such as a bank or other trusted institutions. This is an important distinction from other spam texts you may receive. A spam text message does not attempt to disguise itself as a trusted source. For it to be a “smishing” attack, the text message needs to appear as though it’s coming from someone you trust.

A newer wrinkle to this tactic is that the text messages sometimes appear to have been sent from your own phone number. This adds a layer of subterfuge to the attack.

Either way, the cybercriminal will try to get their target to click on a link found within the text. Cybercriminals hope that you will click on these links and either enter your personal information or trigger a malware download. The text may even contain a phone number for you to call. Talking to a person over the phone may enhance the believability of the scheme, making it more likely that the cybercriminal will get whatever it is they are after.

That’s why you need to be cautious of any text message that wants you to take immediate action to remedy a problem. No reputable organization will ever ask you for login credentials or personal information via text message under any circumstances. Be on the lookout for messages with poor grammar and spelling mistakes as well.

What to do when facing a “smishing” text

If you receive a suspicious text message, be sure to do (or not do) the following:

  • Never click on any links and do not call any phone numbers listed in the message.
  • Do not reply to the sender, even if you know they are a scammer.
  • Forward all spam messages to your mobile carrier by sending them to 7726.
  • You can also report them to the FTC.
  • Block the sender once you have forwarded the message.
  • Adjust the spam filtering features on your phone

You can also download apps that block spam texts, but be careful, they may filter legitimate text messages containing login and verification codes.

Since spam text messages are sent at the carrier level, cybercriminals will continue their “smishing” campaigns until mobile carriers take action. Until that day comes, the best course of action to fight back against “smishing” is to play it safe and take all the steps necessary to minimize your risk. 

Spam text messages are a nuisance, but luckily it only takes a few minutes to stop the scammers in their tracks.