Smishing attacks use short message service (SMS), more commonly known as text messages, to manipulate people into turning over sensitive data. Like phishing emails, smishing texts are social-engineering scams pretending to come from a trusted source and urging action to secure a benefit, resolve a problem, or avert a threat.

This form of attack has become increasingly popular because people are more likely to trust a text message on their phone than from a message delivered via email. According to RoboKiller, a company that provides call-blocking and other phone security services, bad actors sent over 87.8 billion fraudulent texts in 2021 – up 58% from the previous year. The company estimates those phishy messages cost consumers nearly $10.1 billion.

Variations of smishing abound. A scam text might say you’ve won a gift card or promise a break on a student loan. Other texts may appear to be alerts from a government agency such as the IRS or link to a phony invoice or cancellation notice for a product or service you supposedly bought. Many smishing messages warn of package delivery issues from Amazon, FedEx, UPS or the United States Postal Service.

In more targeted attacks, a text message may appear to come from your boss, or a top-level executive within your organization. The text will report some type of action that needs to be taken immediately as a favor to them or to avoid some type of crisis at the company.

Warning Signs

• A text message requests personal information, such as your Social Security number or an online account password.
• The message asks you to click a link to resolve a problem, win a prize or access a service.
• The message claims to be from a government agency. Government bodies almost never initiate contact with someone by phone or text, according to the FCC.
• The text requires immediate action from someone in your company that has been sent from an unknown phone number.

How to protect yourself

• Contact the person, company, or organization that supposedly sent the text using a phone number or website you know to be legitimate
• Forward spam and scam texts to 7726 (SPAM), the spam reporting service run by the mobile industry. This sends the text to your carrier so it can investigate. Here is a guide to the process.
• Don’t provide personal or financial data in response to an unsolicited text or at a website the message links to.
• Don’t click on links in suspicious texts. They could install malware on your device or take you to a site that does the same.
• Don’t reply, even if the message says “text STOP” to avoid more messages. That simply confirms your number is active so it can be sold to other bad actors.
• Don’t assume a text is legitimate because it comes from a familiar phone number or area code. Spammers use caller ID spoofing to make it appear the text is from a trusted or local source.

Please be wary of any attempts to obtain sensitive data via text, email, messaging apps, or unsolicited phone calls. ITS will continue to simulate phishing and assign training to those most susceptible. If you believe you’ve been targeted by phishing, see Reporting a Phishing Message (How-to).

— Chris Mielke, ITS