How to Stop SMiShing Scams From Robbing You of Sensitive Information

Most people are familiar with standard phishing scams, where an unsolicited email asks you to provide sensitive information to identity thieves. But thieves continue to change their tactics, and you’re increasingly likely to get text messages in SMiShing scams.

What Is SMiShing?

SMiShing is a scam that involves an approach by text message. You’ll get a text message on your phone or another messaging system asking you to verify information, but the sender is not really who they say they are. Most thieves know better than to ask for your Social Security Number directly; instead, they’ll trick you into replying to an “important” issue with one of your accounts.

Messages might say you’ve signed up for a payment you don’t recognize and that your credit card or bank account will be charged unless you reply to the message. Alternatively, you might get a message saying somebody tried to charge your account, and the security department wants to verify the transaction with you before approving it. Of course, there are no pending charges, and thieves are hoping you’ll respond to clear up the error. As part of that process, they’ll get as much information as they can out of you by asking for:

  • Your Social Security Number
  • Your credit or debit card number
  • Your zip code, which helps them use your card number if they already have it
  • Your bank account number or routing information
  • The name of the bank or credit card you use, which they can use later in spear phishing attacks personalized to you

SMiShing scams might also be designed to infect your mobile device with malware or to encourage you to visit dangerous websites from a desktop computer.

Why SMiShing Works

Con artists use a variety of techniques to trick people into giving out information or clicking on links. SMiShing is not new, but some people are less cautious with text messages than they are with standard phishing scams.

Scamming people with email just isn’t as easy as it used to be. Email service providers are skilled at filtering spam and viruses, and users are accustomed to getting junk email. Plus, people tend to have their mobile devices everywhere they go, and it may be possible to catch them in a busy or distracted moment. Awareness of robocalls means fewer people answer calls. Texting, meanwhile, still has a semblance of intimacy and is a preferred method of legitimate communication by many financial institutions.

The Conundrum

Receiving a text message creates a dilemma for the recipient. On the one hand, it’s tempting to respond and solve any problems before they get out of hand. In a world where your account details and personal information have probably been stolen in a variety of breaches, it may pay to act fast. On the other hand, responding to requests for information can provide the one or two missing details an identity thief needs to start doing damage, making it best to ignore SMiShing messages.

These messages are a form of social engineering, where thieves take advantage of assumptions that victims make and the realities of increasingly busy and noisy lives.

How to Avoid Becoming the Victim of a SMiShing Scam

To protect yourself from SMiShing, use the same caution with text messages and instant messages that you already use with email:

Look at the Source

Check the number that’s sending you messages, but be aware it’s easy for thieves to spoof caller ID and make it look like the message is coming from a different number. For example, they might know what phone number your bank uses and copy that number so you’re less suspicious. If the number is completely unrecognizable, that’s a red flag.

Take Action Separately

If there’s a problem with your account, you have several options for fixing the problem—you don’t have to do it all by responding to that text message. Avoid clicking on links or answering questions if you’re not confident about a request. Instead, contact your bank or credit card company using a number you know is legitimate. For example, use the number on the back of your card or contact customer service while you’re logged in to your account.

Quiz the Sender of the Text

If friends or family ask for personal information, make sure you’re really talking to a loved one. For example, somebody might want your full date of birth or Social Security Number for an insurance application. Before responding, ask a question or use a joke that only the “real” person knows how to respond to. Instead of writing back, call and provide that information verbally so there’s no written record if one of you loses your phone.

Don’t Install Apps

Never install apps from a link in an unexpected text message. Although some apps and operating systems can help to protect you, you don’t want to give untrusted apps access to your device.