“Smishing”: Understanding Text Scams and Phishing

May 25, 2022

It’s a funny name, but it’s serious business.

Smishing is a combination of SMS (texting) and phishing, where hackers send malicious messages in the hopes of fooling you into giving up sensitive information.

These scams aren’t the province of lone hackers sitting in the dark in their basement either. Today, such tactics are being employed by organized crime and cybercriminals intent on stealing your identity and your money.

While phishing uses email, smishing uses text and it’s become more common than ever. In 2021, some 87.8 billion smishing texts were sent—a 58% increase from the previous years and resulting in $10 billion in estimated losses. In 2022, activity continues to increase. More than 11 billion spam smishing attacks were recorded in March 2022 alone.

How Does Smishing Work?

For years, scammers used the phone to contact potential victims, pretending to be from your local bank, credit card company, or retailer, trying to get you to divulge financial information, account passwords, or personal details such as your social security numbers. As more people stopped answering calls from unknown numbers or blocked spam calls, the scammers switched to text scams.

Examples of Smishing

You may be too smart to fall for those texts that say you’ve won a prize for a contest you never entered, but scammers are increasingly sophisticated in how they work. Here are a few examples of smishing messages that people have fallen for:

  • A message that appears to come from your bank saying they have detected unusual activity and that you need to click on a link to unlock your account.
  • An urgent message claiming to be from your credit card provider saying a fraudulent claim has been identified that you need to resolve.
  • A text asking you to verify that you made a significant purchase through Amazon or another online retailer that you didn’t make.
  • An important notice about a package delivery that needs your attention.

Lately, scammers have also been impersonating government agencies, such as the IRS asking you to verify the information for tax refunds.

Some of the more sophisticated smishing attacks will generate messages using a local phone number or even your own phone number. Scammers may make it appear it comes from your wireless phone provider. They may even leverage personal information that they’ve found on your social media page to add an extra layer of legitimacy and familiarity.

Protecting Yourself from Smishing Attempts

The best way to protect yourself from falling victim to smishing attempts is to ignore any suspicious text messages you get.
Pay particular attention to any text that demands you to take immediate action. Cybercriminals are trying to get you to call them or click on a link quickly before you have time to think about it.

Take these steps to protect yourself from text scams:

  • Don’t click on text links or call the number provided.
  • If you think something might be legitimate, look up the company’s information online yourself and call them.
  • Don’t respond to the smishing attempt. Even sending a STOP message lets the scammers know it’s an active number and may encourage them to send more smishing attempts.
  • Block the number to prevent future calls or texts.
  • Delete the text so you don’t accidentally click on it later.

Even if you don’t respond with information, you can still be at risk if you click on a link. Scammers can launch spyware or malware on your phone that searches for sensitive information. That’s why you shouldn’t save sensitive information on your phone.

You should also back up information regularly and make sure you update your phone’s operating system and browsers to take advantage of new security features. Software companies regularly update their software to help prevent cyberattacks.

You may want to check with your cellphone provider. Many cell phone carriers offer free apps that can block unwanted calls and texts when they originate from numbers known to spam people.

Finally, add your phone number to the national Do Not Call Registry. While it will not stop all cybercriminals, it will cut down on the number of spam calls and texts you get.

Financial Institutions Will Never Ask for Sensitive Information by Text

Legitimate financial institutions will never ask for you to provide account numbers, passwords, or sensitive information by text.
Never share your banking information by text or phone with someone claiming to be from InterBank. If this happens, delete the text immediately and contact us directly.