See How to Stop SMiShing Scams From Stealing Information


Most people are familiar with standard phishing scams, where an unsolicited email asks you to provide sensitive information to identity thieves. But thieves continue to change their tactics, and you’re increasingly likely to get text messages in SMiShing scams.

What is SMiShing?

SMiShing scams are scams that arrive by text message. You’ll get a text message on your phone or another messaging system asking you to verify information, but the sender is not really who they say they are.

Most thieves know better than to ask for your Social Security Number directly—instead, they’ll trick you into replying to an “important” issue with one of your accounts.

Messages might say that you’ve signed up for a payment that you don’t recognize and that your credit card or bank account will be charged unless you reply to the message. Alternatively, you might get a message saying that somebody tried to charge your account, and the security department wants to verify the transaction with you before approving it. Of course, there are no pending charges, and thieves are hoping you’ll respond to clear up the error. As part of that process, they’ll get as much information as they can out of you by asking for:

  • Your Social Security Number
  • Your credit or debit card number
  • Your zip code (which helps them use your card number, which they might already have)
  • Your bank account number or routing information
  • The name of the bank or credit card you use, which they can use later in spear phishing attacks or other attempts

SMiShing scams might also be designed to infect your mobile device with malware or to encourage you to visit dangerous websites from a desktop computer.

Why SMiShing Works

Con artists use a variety of techniques to trick people into giving out information or clicking on links.

SMiShing is not new, but some people are less cautious with text messages than they are with standard phishing emails.

Scamming people with email just isn’t as easy as it used to be. Email service providers are skilled at filtering spam and viruses, and users are accustomed to getting junk email. Plus, people tend to have their mobile devices everywhere they go, and it may be possible to catch them in a busy or distracted moment. Although robocalls are on the rise, many think of their phone numbers as “private” and assume that anybody using the number actually knows them.

The conundrum: Receiving a text message creates a dilemma for the recipient. On the one hand, it’s tempting to respond and solve any problems before they get out of hand. In a world where your account details and personal information have probably been stolen in a variety of breaches, it may pay to act fast. On the other hand, responding to requests for information can provide the one or two missing details that an identity thief needs to start doing damage, and it would be best to ignore SMiShing messages.

These messages are a form of social engineering, where thieves take advantage of assumptions that victims make and the realities of increasingly busy and noisy lives.

How to Avoid Problems

To protect yourself from SMiShing, use the same caution with text messages and instant messages that you already use with email.

Look at the source: Check the number that’s sending you messages, but be aware that it’s easy for thieves to spoof caller ID and make it look like the message is coming from a different number. For example, they might know what phone number your bank uses and copy that number so you’re less suspicious. If the number is completely unrecognizable, that’s a red flag.

Take action separately: If there’s a problem with your account, you have several options for fixing the problem—you don’t have to do it all by responding to that text message. Avoid clicking on links or answering questions if you’re not confident about a request. Instead, contact your bank or credit card company using a number that you know is legitimate.

For example, use the number on the back of your card or contact customer service while you’re logged in to your account.

Pop quiz: If friends or family ask for personal information, make sure you’re really talking to a loved one. For example, somebody might want your full date of birth or Social Security Number for an insurance application. Before responding, ask a question or use a joke that only the “real” person knows how to respond to. Instead of writing back, call and provide that information verbally so there’s no written record if one of you loses your phone.

Don’t install apps: Never install apps from a link in an unexpected text message. Although some apps and operating systems can help to protect you, you don’t want to give untrusted apps access to your device.