Smishing is a type of phishing attack that uses text messages instead of emails to try and steal your personal information.
Just like with regular phishing attacks, smishing scams are becoming more and more common.
If you’re not sure how to protect yourself against smishing, don’t worry!
In this blog post, we will teach you everything you need to know about smishing attacks and how to protect yourself from them.
How Does Smishing Work?
Smishing is similar to phishing in that it involves sending fraudulent messages under the guise of a trusted organisation.
The term smishing is short for “SMS phishing.” It combines “SMS” (“short message service,” or “texting”) with “phishing” to describe a phishing scam that operates through text messages.
The objective of these messages is to get recipients to follow a link, which will lead to their data being compromised.
It’s worth noting here that even though messages are generally delivered via text message, they can also be received on instant messaging systems like WhatsApp or social media.
Typically, smishing attacks look like:
- Alerts from your bank. For example, a notification of a new payment or a warning that you’ve entered an overdraft.
- Account suspensions. Usually these messages claim that suspicious activity has been detected and your account has been suspended. Whilst they can imitate any number of organisations, PayPal and Amazon are by far the most common here.
- The government. For example, notifications from tax offices or messages saying that you’re eligible to apply for a refund.
- Competitions and giveaways. Scammers will claim that the recipient has won (or has the chance to win) a prize.
In all of these scams, the goal is for the receiver to click on a link that acts as a replica of a real company’s website.
From here, you’ll be required to give your login credentials and, in some cases, additional information such as your bank details.
How to Protect Yourself From Smishing Attacks
Here are our top 5 tips to avoid falling for a scammer’s tricks:
Don’t Assume It’s Genuine
There is a misconception that scams have poor spelling and grammar.
Although this is sometimes the case, many communications are meticulously crafted to seem exactly like the real thing.
And because text messages are shorter than emails and don’t require special formatting, a convincing imitation is considerably easier to achieve with smishing.
So just because the message appears to have been sent by a genuine person, don’t assume it has.
Check the Link Attached
When it comes to phishing, you might be familiar with the advice to look out for domains that differ slightly from their genuine counterparts, such as those that use a capital “I” in place of a lowercase “l.”
However, spotting suspicious links can be quite difficult with smishing for two reasons:
- First, as texts are designed to be short, you rarely see the full linked address in the message. Most likely, you’ll see a hyperlink with a piece of text like “follow this link”. Luckily, there is a way to see the destination address without having to visit the website: hold the link instead of tapping it, and a pop-up will appear showing you the destination address. Review the domain and determine if it’s suspicious.
- Second, many services (both legit and fake) use link shortening platforms such as bit.ly. This allows domains to be shortened for businesses using platforms with character limits, like texts or social media. To spot whether it will take you to a “real” website, hold the link as before and copy it. Then paste it into your browser and include a ‘+’ to see a preview of the website and review the content to see if it looks phoney.
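The two checks described above (look-alike characters in a domain, and shortened links that hide the destination), as an added example that is not part of the original post. The trusted-domain list, the shortener list beyond bit.ly, and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the domains of organisations you really use.
TRUSTED = {"paypal.com", "amazon.co.uk", "gov.uk"}
# Link-shortening services; bit.ly is the one named in the post.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Fold characters that are easy to mistake for one another in a text message.
FOLD = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})

def skeleton(host):
    """Map look-alike characters to one form: 'paypaI.com' -> 'paypal.com'."""
    return host.translate(FOLD).lower()

def within(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def classify(url):
    """Return 'trusted', 'shortener', 'lookalike' or 'unknown' for one URL."""
    # Keep the host exactly as written (urlsplit().hostname would lowercase
    # it), dropping any user-info prefix and port.
    raw = urlsplit(url).netloc.rsplit("@", 1)[-1].split(":")[0]
    host = raw.lower()  # domain names are case-insensitive
    if any(within(host, d) for d in TRUSTED):
        return "trusted"
    if any(within(host, d) for d in SHORTENERS):
        return "shortener"  # destination hidden: preview it before visiting
    if any(within(skeleton(raw), skeleton(d)) for d in TRUSTED):
        return "lookalike"  # matches a trusted domain only after folding
    return "unknown"

def review_message(text):
    """Extract every link from a text message and classify it."""
    links = [u.rstrip(".,!?)") for u in re.findall(r"https?://\S+", text)]
    return [(u, classify(u)) for u in links]

# Constructed sample messages (not real campaigns).
SAMPLES = [
    "PayPal: your account is suspended. Verify at https://www.paypaI.com/login",
    "You have won a prize! Claim here: https://bit.ly/placeholder",
    "Tax office: you are eligible for a refund, see https://www.gov.uk/example.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(review_message(msg))
```

A "trusted" verdict only means the domain matches your own list; "unknown" and "shortener" links still need the manual checks described in this section.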
Never Give Out Your Personal Information
The most effective approach to avoid scams is to never give personal information in response to an unsolicited message.
Scammers send these messages in order to capture this information, so if you just ignore their demands, you can rest assured that no harm will come to you.
Of course, you leave yourself open to the possibility of disregarding a real message if you do that.
However, if it’s critical enough, you may assume that the organisation will contact you again – especially by another channel (such as email or phone).
Visit The Real Organisation’s Website
If you have a profile with the program or service that appears to be contacting you through text, we recommend logging in manually by entering the company’s address into your web browser.
If the message is real, you should see a notification with the same content once you have logged in, which indicates that it is genuine; if you don’t see a notification, it’s likely a scam.
Contact The Organisation Using a Trusted Phone Number
One of the most surefire techniques to determine whether a communication is genuine is to call and enquire.
If the text’s claim is true, someone on the other end of the line will be able to validate it and also assist you with whatever problem the message addresses.
You must also make sure you use a trusted phone number if you decide to go down this route. Don’t just call the number that you received the text from. It will only take you to the person who originated the message, which may be a scammer.
It’s simple to discover a suitable phone number. For example, if the message is about your bank account, there should be a phone number when you log into your online banking.
Likewise, for messages from the government, look for a phone number on a previous piece of correspondence, such as a letter or email.
What Should You Do If You Clicked a Scam Link?
If you believe you’ve already clicked a fraudulent link or supplied sensitive information, act immediately.
First, change all of the passwords linked to the information you shared, then notify the organisation you thought you were texting with about what happened.
Also, have your phone scanned for malware to verify that no malicious software was downloaded onto it as a result of the link; two excellent antivirus programs are Malwarebytes and Avast Antivirus.
Finally, if you supplied bank or credit card information to someone, contact the bank or credit card company immediately to report suspected fraud and cancel the account.