Cybercriminals are always adapting to create new ways to “phish” for your personal information. When tried-and-true methods get a little too easy to spot, they shift their approach. Since text messages usually come from trusted friends, family or companies, texting can be an effective method to execute a variety of scams.
What is smishing?
Smishing (a combination of "SMS" and "phishing") is a type of cyberattack where criminals send fraudulent text messages to trick you into sharing sensitive data. Their goal is typically to steal your:
Usernames and passwords
Two-factor authentication, like one-time security passcodes
Credit or debit card numbers
Social Security numbers
In the past, these messages were often easy to spot due to poor grammar or generic greetings. Today, scammers use artificial intelligence (AI) to craft highly convincing, personalized messages that can perfectly mimic the "tone" of a reputable company, a government agency, or even someone you know. A scammer could also make the message seem like an accidental text like, “Want to get dinner tonight?” to prompt a response.
Read more: Suspect you’re being targeted by a cybercriminal? Here’s how to report it
Creating urgency: Watch for these smishing tactics
Smishing scams usually try to capture your attention with time-sensitive alerts, creating a sense of urgency in an attempt to overcome your better judgment. Scammers want to trigger an emotional response—fear, excitement or panic—so you act before you think. Common examples include:
The "account lockout" scare: This is when you receive a notification claiming your account has been suspended due to "suspicious activity," requiring an immediate link-click to verify your identity.
“Business leadership” text: If you use your personal phone for work, be wary of "executive impersonation." A scammer may pretend to be a senior leader at your company, asking for a "quick favor," such as purchasing gift cards or transferring funds for a "confidential project."
"Quishing" (QR code scams): Instead of a link, the text may contain a QR code for a "package delivery" or "missed payment." Scanning these codes can lead you to a malicious website designed to harvest your login credentials.
Large group chats with unknown numbers: If you find yourself on a group chat with strangers, this could be a red flag. These messages could come in the form of job opportunities, promotional sales, “accidental” texts and more.
Keep tabs on these more subtle red flags
Smishing scams can also take a number of more discreet approaches and are often difficult to detect, even if you feel well-equipped to spot them. What starts as a seemingly innocent text exchange could be a plan to build trust to capture your personal information. If you receive a text message related to one of the following topics, stay alert:
Investment opportunities, especially for cryptocurrency
Requests for passcodes
Romance scams
Fake two-factor authorization confirmations
Giveaways, rewards or prize offers
Invoices or order confirmations for purchases you didn’t make
Stop smishing in its tracks
You can help readily protect yourself against smishing scams by remembering to:
1. Beware of payment requests
Ask yourself if it’s typical for this company, service or person to send you a text message. If you didn’t sign up for alerts or they aren’t in your contacts, think twice.
2. Pause before responding
If you’re in a rush, you could miss the potential warning signs of a cyberattack. Even if a scam text requests you take action, it can be best to wait before texting back.
If something seems off or you have any doubts about who sent the message, your best defense is to not respond.
3. Look closely at the text
Be sure to confirm the details, as mistakes in a text message can alert you to a fraud attempt. Common signs include the sender not having the correct amount of digits in their number, words being misspelled or the link URL not matching the alleged source of the text.
4. Do not respond
If something seems off or you have any doubts about who sent the message, your best defense is to not respond. Any engagement, even a question or irrelevant response, can demonstrate to cybercriminals that you are a more desirable target. If you’re worried about the contents of the message, move on and confirm its validity in other ways.
5. Fact-check separately
If the text appears legitimate, but you still aren’t 100% sure, try to verify its authenticity. Research the alleged sender to find their website and contact information as opposed to responding to the suspicious text. Or log in directly to your account using their official website or app to view your payment status. Always be cautious, double-check requests and use these tips when handling suspicious messages.
Stay one step ahead
Cybercriminals often switch up their strategies, but you can spot their newest tactics by remaining attentive, verifying the details and staying informed.
Helping you maintain the security of your personal and financial information is one of our top priorities. For other ways to enhance your online safety, visit our Security Center.
