Smishing, or SMS phishing, occurs when a scammer uses text messages to deceive victims into clicking malicious links or giving up sensitive information. Smishing often uses text messages that impersonate trusted organizations, such as the post office or the Social Security Administration.
By tricking you into engaging with links or downloads, scammers aim to steal personal data, such as Social Security numbers, usernames and passwords, credit card numbers, and bank account information.
How does smishing work?
Smishing works by sending text messages containing malicious links the victim is encouraged to open. When the victim clicks the link, malware may be downloaded to their device, or they may be directed to a login or billing screen.
The fraudster can then capture the victim’s login credentials, financial information or personal data. All of this information can ultimately be used for identity theft.
Smishing scams often rely on social engineering—that is, psychological tricks that create excitement, urgency or fear to get victims to act quickly. For example, scammers may promise prizes or warn of financial or legal trouble to coerce you to act.
Examples of smishing scams
Smishing is used with a variety of scams, but the ultimate goal remains the same: to steal your information. Here are some common smishing tactics to know about.
- Bank impersonation texts: These are scam texts that pose as messages from your bank. You may be asked to click a link and provide account details, such as your account number, password, or security code, to “verify” your identity, which exposes your sensitive information to the scammer.
- Fake prize or gift texts: Sometimes called sweepstakes scams, these ask you to click on a link to claim a free prize. But, once you do, you may be prompted to pay a fee to collect your prize or to send financial information—which then results in fraudulent charges to your credit card or bank account.
- Delivery notification scams: Fraudsters send tracking numbers or delivery failure notification alerts supposedly from trusted shippers, such as FedEx, UPS or the U.S. Postal Service. Clicking the link to “track your package” or “confirm your shipment” leads you to a page where you’re prompted to pay a fee or enter your sensitive information.
How to avoid smishing
Pause before you act. Scammers turn up the emotional heat to pressure you to act quickly. They create urgency by insisting that time is running out, or by threatening you with severe consequences if you don’t act now.
Don’t interact. If you receive a message from a sender you don’t know, or who you suspect may be an imposter, don’t respond. If you believe the text could be from a sender that has a legitimate reason to contact you, check the company’s website or call them directly using a verified phone number.
Avoid clicking any links. Smishing texts may include links that could infect your device with malware or lead you to enter your information into convincing spoofed websites that masquerade as sites you trust.
Keep your devices secure. Keep your cellphone safe from hackers by keeping your software up to date. Phone operating systems such as Android and iOS regularly receive patches designed to close up security holes, so neglecting to install updates can leave you vulnerable to cyberattacks. You should also routinely run antivirus software.
What to do if you’re a victim of smishing
If you’ve given a scammer your information or clicked on a suspicious link, act quickly to minimize harm.
Secure your devices. If you believe your device is compromised with malware, take steps to remove it. Ensure that your security software is updated on your cellphone or personal computer and then run a virus scan.
Secure your accounts. Create new passwords for any accounts compromised in a smishing attack. Make sure to use unique, strong passwords for each account and consider storing them in a secure password manager.
Report it. If a scammer has your financial information, contact the impacted financial institutions (such as your credit card issuer or bank) to report that your information has been stolen. You can also report the fraud to the Federal Trade Commission (FTC) at ReportFraud.ftc.gov.
Add a fraud alert to your credit reports. If sensitive information such as your Social Security number has been exposed, you could be at risk of credit fraud. A fraud alert instructs lenders to take additional steps to verify your identity before processing new credit applications in your name.