The word “smishing” comes from combining “SMS” — for short message service, the technology behind texting — with “phishing,” the practice of stealing personal or financial information through deceptive communications, primarily emails. Basically, it's phishing by another means, namely text messages on mobile devices.
Like phishing emails, smishing texts are social-engineering scams that aim to manipulate victims into turning over sensitive data such as Social Security numbers, credit card numbers and account passwords or providing access to a business's computer system. They rely on persuading you that the sender is a familiar or trusted source and that urgent action is needed to secure a benefit, resolve a problem or avert a threat.
For example, you might get what looks like a text from a company you do business with, such as your bank, a mobile provider, or a tech service like Netflix or PayPal. It claims your account has expired or been locked on some pretext, maybe suspicious activity, and you need to provide personal information or click on a link to reactivate it. That gives the scammers means to steal your money or identity or to infect your device with malware.
Variations are abundant. A scam text might say you've won a lottery prize or a gift card, or promise a break on student loan debt. It could look like an alert from a government agency such as Social Security or the IRS, or a message from FedEx or the U.S. Postal Service about a package delivery. It may link to a phony invoice or cancellation notice for a product or service you supposedly bought.
The coronavirus pandemic has unleashed a raft of new schemes, according to the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC). Scam texts offer bogus treatments, stimulus funds, supposed government health updates or warnings that you've been exposed to the virus.
While phishing remains far more prevalent, smishing carries some advantages for scammers. According to a 2019 survey from Zipwhip, a company that makes texting software for business, people are far more likely to read and quickly respond to text messages than to emails. And the 2020 State of the Phish study from cybersecurity firm Proofpoint found that relatively few people know what smishing is compared to related scam tools like phishing and malware.
"Because text messages can feel more personal than emails, users can be more vulnerable to smishing if they are not made aware of the dangers,” Proofpoint said.
- A text message requests personal information, such as your Social Security number or an online account password.
- The message asks you to click a link to resolve a problem, win a prize or access a service.
- The message claims to be from a government agency. Government bodies almost never initiate contact with someone by phone or text, according to the FCC.
- The text offers coronavirus-related testing, treatment or financial aid, or requests personal data for contact tracing.
- Do contact the company or organization that supposedly sent the text, using a phone number or website you know to be legitimate, if you think it might concern a genuine problem.
- Do forward spam and scam texts to 7726 (SPAM), the spam reporting service run by the mobile industry. This sends the text to your carrier so it can investigate. Cybersecurity company Norton has a guide to the process.
- Do consider using tools that filter or block unwanted messages or unknown senders:
- Your mobile device may have built-in spam protection. Check the settings on its messaging app.
- Most major wireless carriers offer call-blocking services.
- Some call-blocking apps (see “More Resources” below) also filter out junk texts.
- Don't provide personal or financial data in response to an unsolicited text or at a website the message links to.
- Don't click on links in suspicious texts. They could install malware on your device or take you to a site that does the same.
- Don't reply, even if the message says you can “text STOP” to avoid more messages. That tells the scammer or spammer your number is active and can be sold to other bad actors.
- Don't assume a text is legitimate because it comes from a familiar phone number or area code. Spammers use caller ID spoofing to make it appear the text is from a trusted or local source.
Published October 16, 2020
About the Fraud Watch Network
Whether you have been personally affected by scams or fraud or are interested in learning more, the AARP Fraud Watch Network advocates on your behalf and equips you with the knowledge you need to feel more informed and confidently spot and avoid scams.
More From the Fraud Resource Center