What are ‘smishing’ attacks, and how to avoid them


As if preventing phishing attacks in your email inbox wasn’t enough, you also have to look out for the SMS messages you receive on your phone.

Is that text really from my bank? Is the government asking for my social security number over SMS? Have I really just won a million dollars?

Here’s how you can tell.

What is smishing?

“Smishing” is a portmanteau of “SMS”, the short message service built into every mobile phone, and “phishing”, the practice of tricking message recipients into sharing personal information or login details with someone they believe they can trust, such as their bank, a government body, or even a friend.

How does smishing work?

As with most phishing attacks, deception is what makes a smishing attack work. Through social engineering, the attacker manipulates the victim’s decision-making in three ways:

  1. Gaining trust: Cybercriminals lower their target’s skepticism by posing as a legitimate organization, and the personal, informal nature of SMS texts lowers the recipient’s guard further.
  2. Adding context: Wrapping the message in a specific, believable situation, such as a recent public data breach, gives the attacker a disguise that makes the message feel personally relevant and overrides any suspicion that it could be a phishing attempt.
  3. Targeting emotions: Building a sense of urgency into the message, like a deadline to change your password before your account is locked, is a common tactic to push the target into acting before thinking it through.

The requested action is typically to tap a link in the message, which leads to a page that asks for private information, such as your online banking credentials, that then lets the phisher into your account. Some messages instead prompt you to install an app, which may carry malware.


Smishing campaigns can be run in a scattergun fashion, with scammers blasting the same text to every number on a list obtained from a data breach, or they can be aimed at a specific target, with the intention of infiltrating a company, university, or government organization.

A smishing scheme succeeds when the attacker obtains the private information they were after. With it, they can steal directly from a bank account, open new credit cards, commit identity fraud, or leak private corporate or government data.

These cybercriminals hide their true identity by spoofing the sender: the message is sent with a false number or alphanumeric sender ID in place of the real one. Because phones group messages by the displayed sender, a spoofed text can even land in the same conversation thread as genuine messages from your bank, so the thread it appears in is not proof of where it came from. Attackers can also use disposable, or “burner,” phones to mask their location and identity. Email-to-text gateways are another way to hide a number: if you receive an SMS from an email address rather than a phone number, keep this in mind.

4 signs of a possible smishing scam

There are a few things you can look out for when you get a strange SMS text:

  1. Does the SMS request personal information, like your ID card number, social security number, or an online account password?
  2. Is there a link in the text that lets you access a service, win a prize, or solve a problem? Shortened links and lookalike domains (the brand name with extra words added, or with a different ending) are a particular warning sign.
  3. Where is the text coming from? In the U.S., government bodies rarely contact someone over text, especially to ask for private information, and a legitimate organization will not text you from an email address.
  4. Is the text offering a paid service that should be free, like coronavirus testing, vaccine bookings, or financial aid?

If the message matches any of these criteria, there is at least reason to suspect that it is a smishing attempt.
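As an added illustration of this checklist (example code written for this page, not from the original article), the Python below scores an incoming text against the four signs above plus the email-address-sender clue from the section on hidden numbers. The keyword lists, the weights, the sample messages, and the “official domain” examplebank.com are all constructed for the example; a real filter would use a public-suffix library for domain parsing and far richer keyword lists, but the structure is the same: extract the links, compare where they really go against the organization’s known domains, and look for the pressure tactics described earlier.

```python
import re
from urllib.parse import urlparse

# Illustrative smishing triage built around the article's four warning signs.
# Keyword lists, weights, sample messages and the "official" domain are all
# constructed for this example; none of them come from the original article.


def keyword_re(*phrases):
    """Whole-word, case-insensitive match for any of the given phrases."""
    return re.compile(r"\b(?:" + "|".join(map(re.escape, phrases)) + r")\b", re.I)


PERSONAL_INFO_RE = keyword_re("password", "pin", "ssn", "social security", "account number",
                              "card number", "cvv", "verify your identity", "confirm your identity")
URGENCY_RE = keyword_re("urgent", "immediately", "within 24 hours", "suspended", "locked",
                        "expire", "expires", "act now", "final notice",
                        "prize", "won", "winner", "claim")
FREE_SERVICE_RE = keyword_re("covid", "coronavirus", "vaccine", "stimulus",
                             "financial aid", "relief payment")
PAYMENT_RE = re.compile(r"\$\d|\b(?:fee|pay|payment|charge)\b", re.I)
# Matches http(s) URLs and bare domains such as bit.ly/abc that SMS scams often use.
URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
EMAIL_SENDER_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)


def registrable_domain(host):
    """Crude eTLD+1: keep the last two labels. A real tool would use the
    Public Suffix List so that suffixes like co.uk are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def link_hosts(body):
    """Return the hostnames of every link found in the message body."""
    hosts = []
    for match in URL_RE.finditer(body):
        url = match.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url  # bare domain: give urlparse a scheme
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def analyze_sms(sender, body, official_domains):
    """Score one text message. official_domains is the set of registrable
    domains the claimed organization really uses, i.e. what you would find
    by looking up the organization's website yourself."""
    reasons, score = [], 0
    if PERSONAL_INFO_RE.search(body):
        reasons.append("asks for personal information or credentials (sign 1)")
        score += 3
    for host in link_hosts(body):
        if registrable_domain(host) in official_domains:
            reasons.append(f"contains a link to {host} (sign 2)")
            score += 1  # still a link, but it goes where it claims to
        elif any(od.split(".")[0] in host.lower() for od in official_domains):
            reasons.append(f"link host {host} imitates the brand but is not an official domain (sign 2)")
            score += 4  # lookalike domain: the classic credential-harvesting setup
        else:
            reasons.append(f"link host {host} is not an official domain (sign 2)")
            score += 3
    if URGENCY_RE.search(body):
        reasons.append("pressures you with urgency or a reward")
        score += 2
    if EMAIL_SENDER_RE.match(sender.strip()):
        reasons.append("sender is an email address, i.e. an email-to-text gateway (sign 3)")
        score += 2
    if FREE_SERVICE_RE.search(body) and PAYMENT_RE.search(body):
        reasons.append("charges for a service that should be free (sign 4)")
        score += 3
    return {"score": score, "suspicious": score >= 3, "reasons": reasons}


OFFICIAL_DOMAINS = {"examplebank.com"}  # constructed: the domain the bank's real website uses

SAMPLE_MESSAGES = [  # constructed (sender, body) pairs, not real messages
    ("+15550100", "ExampleBank: Your account has been locked. Verify your identity within "
                  "24 hours at https://examplebank-secure-login.com/verify"),
    ("EXBANK", "Your ExampleBank statement is ready. Log in at https://www.examplebank.com to view it."),
    ("promo@mailer.example", "Congratulations! You WON $1,000,000. Claim your prize now at bit.ly/claim-xyz"),
    ("VAXINFO", "Book your COVID vaccine appointment. A $20 processing fee applies: "
                "https://vax-booking.example/book"),
]


def triage(messages=SAMPLE_MESSAGES, official_domains=OFFICIAL_DOMAINS):
    """Score every (sender, body) pair and return the results in order."""
    return [analyze_sms(sender, body, official_domains) for sender, body in messages]


if __name__ == "__main__":
    for (sender, body), result in zip(SAMPLE_MESSAGES, triage()):
        verdict = "SUSPICIOUS" if result["suspicious"] else "looks ok"
        print(f"{verdict:10} score={result['score']} from {sender}: {body[:60]}...")
        for reason in result["reasons"]:
            print("    -", reason)
```

Note that the one legitimate sample still registers a point for containing a link: the article’s second sign is deliberately broad, and the scorer only treats the link as harmless because its registrable domain matches what the organization’s own website says, which is exactly the check the prevention section asks you to do by hand.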

How to prevent smishing

If you receive an SMS and are not sure whether it is legitimate:

  • Do contact the company or organization that supposedly sent the text, using the phone number or email address listed on its official website rather than any contact details in the message, if you believe the text relates to a genuine problem with your account.
  • Don’t provide any personal or financial information by replying to the text or through the website it links to, even if it looks like it comes from a legitimate source. Refrain from tapping the link, as that could trigger a malware installation, and don’t reply to the message at all, since a reply confirms that your number is active and makes it a target for further scams.

Consider blocking junk texts and calls with an app or your phone’s built-in spam filter, and if your carrier offers it, ask it to block numbers you know to be scams. In the U.S. and U.K., most major carriers also let you report a spam text by forwarding it to 7726 (which spells SPAM on a phone keypad).

Ceinwen focused on digital privacy, censorship, and surveillance, and has interviewed leading figures in tech.