Phishing Text Messages: A Guide to “Smishing”

Written By: Security.org Team | Published: November 20, 2023

When we get a text message to our phone, we don’t read it with the same level of scrutiny as an email. Most of us think an actual phone number gives some legitimacy to a text, at least more legitimacy than “Dave12341234@hotmail.com.” Well, scammers are starting to use that to their advantage with a new type of phishing through SMS text messages known as smishing.

These scammers spoof a phone number to make texts look like they’re coming from legitimate, trustworthy, or familiar sources.¹ They try to get you to give over personal information like login credentials or personal details they can use to steal from you.²

FYI: You can usually count on the Social Security Administration, Internal Revenue Service, Medicare, and other governmental bodies to contact you with important account information via snail mail.⁴ So, if you get a text from a government agency, it’s usually safe to assume it’s a smishing message.

Well, our cybersecurity experts are here to help you navigate this new form of scamming. With over 300,000 people falling victim to phishing, it’s safe to assume smishing accounts for a decent amount of those cases. So, make sure you don’t become a part of that statistic by using our expert advice to stay safe.

What is Smishing (SMS Phishing)?

Smishing is the text message version of phishing. When smishing, cybercriminals send harmful links via text message that ask you to provide secure information. Phishers throw out “bait” by making enticing offers, threatening you, or offering to help you with something. When you take the bait, phishers may be able to hack malware into your phone or extract your private information out of it.

Phishing has been around since the mid-1990s (an AOL scandal was the first known instance). In the early 2000s, scammers often posed as major companies like eBay or PayPal, soliciting passwords or updated payment information.⁵ But it was still more of a dragnet operation than a spearfishing one. As data mining and personal information harvesting have become more sophisticated, phish attack vectors have expanded to include social media, direct messaging apps, and SMS text messaging.

>>Related reading: Is eBay Safe?

Who is At Risk of Getting a Smish?

In 2023, more than two-thirds of the world's population uses a mobile phone. That is about 5.56 billion people. So many factors influence your day-to-day decisions, including what you click (or don’t click) on your phone. Almost everyone is a potential SMS phishing victim at some point because we can’t always prepare for vulnerabilities like poor technological fluency and high stress levels.

A few factors that make you more vulnerable to phishing include:

Age.18-25-year-olds are more susceptible to phishing than other age groups because they tend to place more trust in online communication methods; people in this age group also have lower impulse control than other age groups.
Gender. Men are also more likely to be baited by smishers than women.
Low discomfort tolerance. People with higher curiosity, urgency, and stress levels are more likely to be victims of text scams.⁶

SMS phishing is clever because it uses your psychology against you. You rely on shortcuts called “heuristics” to help you make decisions without too much forethought, and scammers are well-practiced at exploiting these tricks. For example, people tend to defer to authority figures; they also don't want to miss out on things that are free or in high demand (colloquially known as FOMO, or fear of missing out).

Higher education level seems to be a protective factor against SMS phishing. But simply being aware of it and knowing to pause before acting on a strange message is hugely beneficial, too.

How To Identify Scam Text Messages

Phishers are out there, but you don’t have to take their bait! Educating yourself on SMS phishing is the best thing you can do to prevent phishing from jeopardizing your safety and security.

So, before you open any new messages or click any unfamiliar links, pauseand give yourself a moment to scan for a few important clues.

Here are some examples of common smishing text messages:

Telltale signs of phishy texts include:

Poor spelling and grammar. Look for misspelled or missing words, oddly phrased sentences, poor grammar, and weird spacing. This is a quick and easy way to identify a smish.
Suspicious links. URLs with strange combinations of letters and numbers that don’t include standard features like HTTPS:// or .com/.org/.gov are usually not trustworthy and should be vetted more thoroughly.
Urgent action is required. Many phishers will threaten punitive action if you don’t click on the link now. But remember: legitimate banks, government agencies, and major corporations will never communicate with you this way.
Wrong number of digits.SMS text messages generally come from 10-digit numbers. However, some marketing and political messages come from a five- or six-digit shortcode (you can check https://usshortcodedirectory.com to ensure the one you received is legit). Something from an 11-digit phone number is likely to be a scam.
The message doesn’t apply to you. This message is probably a scam if you didn’t order a package or enter a contest recently. Most delivery updates will come via email and so will prize notifications.

How to Avoid Text Messaging Scams

Allowing yourself a moment to evaluate suspicious text messages for signs of phishingwhen you get a text is a great way to protect yourself from text messaging scams.

Here are some added layers of protection against SMS phishing:

Filtering. There are settings for both iPhones and Androids that allow you to toggle a spam protection option.

For iPhone: go to Settings > select Messages > filter unknown senders.
For Android: go to Messaging app > tap the upper right three dots > choose settings > select spam protection.

Not replying. When you get a text that says “reply STOP”, DO NOT REPLY! When you reply to a smish, it confirms your phone number is valid. Phishers can then sell your number to other scammers.
Reporting to your phone carrier. Copy and paste the body of the message to 7726 (S-P-A-M) so your phone carrier can investigate.
Blocking. Blocking individual numbers is a good option to use if you frequently get spam from the same number. Unfortunately, many phishers use a different number each time, which could make this ineffective.
Text-blocking apps. Apps like Robokiller help filter suspicious SMS messages, but they often aren’t free.⁷

Should I Report Phishing or Smishing?

If you believe you’ve been SMS phished, you can (and should) report it. Phishers cast a wide net when they attempt to defraud people. If you received a smish message, it's likely that you weren't the only potential victim. Reporting it protects other smartphone users from being scammed, too.

A good rule of thumb with suspicious messages: if you’re not confident right away that what you’re looking at is a realmessage or from an actual sender, presume it’s a scam and react accordingly. A quick Google search should give you a verifiable email and/or phone number to contact the institution the phisher is impersonating.

Here’s how you can report SMS phishing:

Let the FTC know. They have helpful news, forms, and videos about phishing messages (https://www.ftc.gov) for reference and a simple form to use when you’re ready to report. (https://reportfraud.ftc.gov)
Text S-P-A-M (7726) to your phone carrier so they can investigate. (It won’t count against your plan!) https://www.verizon.com/about/account-security/smishing-and-spam-text-messages
The USPS has its own Inspection Service site if you get a smish of the package/parcel variety. https://www.uspis.gov/news/scam-article/smishing-package-tracking-text-scams

Final Thoughts

Smishing is basically phishing done via text messaging or SMS. Cybercriminals use a few different techniques to scam people, making them think theyre receiving legitimate texts from real sources. Because smishing is a bit of a newer scam and so many are glued to their phone, it can trick many people into disclosing their information or clicking on bad links.

You can spot smishing by looking out for messages with urgent asks, poor grammar, and suspicious links or URLs. Recognizing these signs can help you stay vigilant and protected against these cybercriminals.

A few other things you can do to safeguard your information includes enabling spam filters, reporting smishing attempts, never disclosing personal information via text, blocking unknown numbers, and using text blocking apps. Remember, awareness and caution can help you mitigate any risk of smishing.

Phishing Text Messages: A Guide to “Smishing” | Security.org (2024)