What is smishing?

March 25, 2024
Posted by: Evans Asare

What is smishing? How to spot and avoid an attack.

What is smishing?

Smishing is a type of cyberattack that uses deceptive text messages to trick recipients into providing personal information or clicking malicious links. The term “smishing” is a combination of “SMS,” the technology that enables text messaging, and “phishing,” the type of social engineering attack that aims to trick people into clicking malicious links.

The differences between smishing, phishing, and vishing.

Phishing is a social engineering attack used by scammers and cybercriminals. It’s often carried out via fake emails pretending to be from trusted sources.

Vishing and smishing are types of phishing. Smishing, or SMS phishing, involves sending malicious text messages. Vishing, or voice phishing, is when scammers impersonate professionals over the phone to trick victims into revealing sensitive data or transferring money.

How does smishing work?

Cybercriminals use a combination of malware, malicious links, text threats, and social engineering tactics to carry out smishing attacks. Here are the usual steps of a smishing attack:

A scammer sends out a text message using social engineering tactics to trick you into believing the message is legitimate.
You click on the infected link or provide them with personal information.
The scammer uses your compromised information to carry out further attacks, commit fraud, or even sell the stolen data on the dark web.

Types of smishing attacks.

Smishing text messages can come in many forms, because hackers like to customize their messages to fit their targets. Keep these different kinds of smishing texts on your radar to help ensure the cyber safety of your smartphone and even your Internet of Things (IoT) devices.

1. Delivery and package-tracking:

Package delivery scams are among the most common types of smishing attacks, and are especially prevalent during holidays or major sales events. You might receive a text message supposedly sent by FedEx, USPS, or another reputable mail carrier notifying you about a delivery snag or requesting an update on shipping details. Often, the text is a scam, and the real aim is to trick you into clicking on a harmful link or divulging personal information.

2. Financial services scams:

Financial services smishing scams take advantage of the fact that almost everyone uses banks and credit card companies to manage their finances. These smishing messages pose as legitimate banking institutions to get you to compromise sensitive data like Social Security numbers, addresses, phone numbers, passwords, emails, and more.

3. Confirmation smishing scams:

A confirmation smishing scam uses fake confirmation requests to get you to compromise sensitive information. This could be for an online order, an upcoming appointment, or a bill invoice for business owners. The smishing text may contain a link directing you to a site that asks you to input login credentials or other sensitive data to verify your appointment or purchase.

4. Customer support scams:

Customer support smishing scams send smishing texts posing as any company a person may trust — not just banks or credit card companies. They may pose as a representative from an online business or a retailer, notifying you of an issue with your account. They’ll provide directions to solve the issue, which may include directing you to a fake site infected with spyware.

5. Gift or giveaway scams:

If you’ve ever received a “You’ve won!!” text only to find yourself prizeless, you’re familiar with gift smishing. This type of smishing attack advertises a fake contest giveaway and tries to get you to click a malicious link to claim your prize. If you do tap and end up on their site, your device could get infected with malware.

Examples of smishing attacks:

Learning about real-life smishing examples can help you understand how to avoid them in your everyday life.

Tokyo Olympics, 2020: CYFIRMA detected a smishing campaign targeting Olympics fans by attempting to sell fake event tickets to steal personal and banking information.
United States Postal Service, 2020: The CEO of SlickRockWeb reported a smishing campaign posing as the USPS to trick users into compromising login credentials.
Verizon, 2022: Verizon acknowledged a smishing campaign targeting its users. The smishing text appeared to come from a user’s own phone number, in hopes of them clicking the malicious link attached to the message.
UPS Canada, 2023: UPS experienced a data breach where unauthorized access to their package lookup tool exposed some recipients’ details. UPS warned customers that attackers had targeted some recipients with smishing attacks demanding payment before delivery.

Smishing attack warning signs

These attack warning signs will help you to determine if you’re dealing with smishing spam texts on your mobile device:

Suspicious phone numbers: Smishing messages often come from numbers that don’t follow the typical 10-digit layout or use a series of the same number.
Links and files from unknown numbers: Phishing through text messages often includes deceptive website links with unusual URLs that take you to an unsafe site.
Urgent requests: Scammers frequently employ urgency to frighten their victims. But genuine companies give ample notice about issues, so delete these messages or verify them with the supposed sender.
Money requests: Messages urging online money transfers are likely scams aiming to drain your funds.
Prize notifications: Receiving prize alerts for contests you didn’t enter is a red flag; steer clear of engaging with or clicking any embedded links.

How to avoid smishing scams

Your cell phone is likely one of your most used and trusted devices. Avoid potential smishing scams with the help of these cybersecurity tips:

Never respond: The first rule of smishing prevention is to not engage. Replying to a smishing text confirms that your number is active and may lead to further attacks.
Contact banks and/or retailers directly: Scammers commonly impersonate valid businesses or banks. If a text seems questionable, reach out to the mentioned institution directly to verify it.
Avoid clicking suspicious links or files: The core of a smishing attack is often a malicious link. Avoid clicking these links at all costs. And if you can tell a text is fake when you receive it, delete it immediately.
Inspect new phone numbers: Odd phone numbers may point to a smishing attempt. Be especially careful of numbers that don’t follow the typical 10-digit format.
Never send personal information via text: Never give out personal details, such as passwords, credit card numbers, addresses, or emails via text.
Use two-factor authentication: Even if you get tricked and a password is compromised, two-factor authentication adds an additional protective layer. For example, biometric technology uses a fingerprint or facial recognition to verify your identity.
Download antivirus software: Downloading trusted antivirus software like Norton 360 Deluxe can help keep your device secure by protecting against hacking and blocking malware and other online threats before they infect your device.