Most of us are on guard for suspicious emails, but cybercriminals have increasingly shifted to a more personal and immediate channel: text messages. This type of attack is known as smishing. Understanding what smishing is—and how to spot it—can help protect both your personal information and University data.
What Is Smishing?
Smishing (a blend of SMS and phishing) is a scam where attackers send fraudulent text messages designed to trick you into taking a risky action. These messages often try to create urgency or fear, so you’ll respond quickly without thinking.
For example, you may receive a text that looks like it’s from your manager:
“Hi, I’m tied up in meetings. Can you quickly buy a few gift cards and text me the codes? I’ll reimburse you.”
This is a classic smishing scam. Attackers impersonate managers or executives to pressure employees into acting quickly.
A smishing message may also ask you to:
- Click a malicious link
- Call a fake support number
- Share sensitive information such as passwords, PINs, or one-time codes
- Download a harmful app
How to Protect Yourself
- Be suspicious of urgent or unusual requests sent by text.
- Never buy gift cards, share passwords, or send codes based on a text message.
- Verify requests through another channel (call, Teams message, or email you know is legitimate).
- Don’t click links in unexpected texts.
- Select “Delete and report as spam” to discard the text message.
When in doubt, slow down and verify. A quick check can prevent a costly mistake.
— Chris Mielke, ITS