SMS fraud is less common than email fraud. However, because of this, many businesses and individuals do not take the threat seriously. As more transactions and business are conducted through mobile phones, awareness of and protection against SMS phishing need to improve.
What Is Smishing?
SMS phishing, also known as smishing, uses deceptive text messages to obtain your personal information for the purpose of defrauding you. Much like with email phishing, fraudsters may attempt to get a reply from you providing your information, or trick you into downloading malware or visiting a malicious website.
While most of us can spot a scam email with ease and know the importance of protecting our PC with anti-malware, many mobile devices go completely unprotected. SMS phishing attempts are becoming increasingly common because of this lack of awareness in mobile security.
SMS Phishing Statistics
A 2020 survey on phishing by Proofpoint found that:
- 84% of the organizations surveyed encountered smishing attacks.
- Only 25% of the organizations surveyed ran SMS attack simulations to train employees.
- When asked what smishing is, 49% of employees said they didn’t know, and 22% gave an incorrect answer.
- Businesses with 25 employees or fewer receive 11% more text-based phishing attempts than any other group.
Examples of Phishing Text Messages
Most smishing attempts involve casting a wide net by mass messaging numbers to phish for accounts most people have, such as bank accounts, Amazon accounts, and social media. It is important to know the tell-tale signs of a text scam, and look out for these common examples of SMS phishing:
Fake Bank Payments
This type of smishing attempt will pose as your bank informing you that a new payment has been set up from your account. These play on your fear of a fraudulent payment to trick you into clicking the link or providing login details.
These texts will falsely inform you that your account has been locked or suspended, often due to an unauthorized access attempt or failed payment. These texts will provide a malicious link asking for login details to recover your account.
Some smishing attempts will impersonate a government agency, often to impose a fake fine, offer you a tax refund, or accuse you of tax fraud to provoke a response.
You cannot win a competition you never entered. If you get a text saying you have won some competition you don’t remember signing up for, don’t reply. These texts will ask you for personal information in order to redeem a fake prize.
There are a lot of fraudsters currently taking advantage of the COVID-19 situation. Typically, these texts will accuse you of violating lockdown rules and demand a fine to get your payment details or personal information.
7 Tips to Protect Yourself from SMS Phishing and Fraud
SMS phishing may be getting more common, but there is a lot you can do to protect yourself. Following these 7 rules will help you avoid becoming a victim of SMS phishing.
1. Don’t Assume You’re Safe
Letting your guard down makes you an ideal target for SMS phishing attempts. Most forms of SMS phishing are indiscriminate, mass messages sent to random numbers. Because of this alone, there is no reason to assume you will not receive one. Furthermore, you may also be targeted more specifically as part of an attack on your business or businesses you work with. Most businesses work with a significant amount of customer data, making even small businesses valuable targets.
As a result, you need to be aware of SMS phishing tactics. Understanding how smishing works makes it much easier to spot.
2. Ensure Sender Validity
The most obvious way to spot a phishing attempt is to check if the sender is really who they say they are. Some fraudsters use a fake shortcode to display the name of a legitimate bank or government organization, so a named shortcode is not a guarantee that the sender is real.
Instead, search the number online to find out who it belongs to. It should be easy to confirm that the number belongs to a real business.
If you are not 100% certain who a text is from, do not click any links or open any attachments in the message. These could take you to a site that takes your personal information or installs malware on your phone. If you get a suspicious text about an issue with your account or order, use the business’s website or app to check it out instead of following the link in their text.
4. Look Out for Bad Spelling and Grammar
To put it simply, legitimate businesses staff their customer service teams with people who can type correctly. If you receive a text full of spelling errors and poor grammar, this is often a sign of a phishing attempt. In many cases, this is done deliberately. Obvious mistakes in a phishing message help fraudsters ensure they only get responses from the most gullible targets.
5. Don’t Give Out Personal Information Via Text
Never give out any sensitive information via text. This includes your:
- Account usernames and passwords
- Bank details
- Credit card or other payment information
- Names and physical addresses
Real businesses will never ask you to provide this kind of information via text.
6. Never Reply If You Suspect Fraud
Don’t reply to phishing attempts, even if they seem like an automated message with a STOP option. Criminals are not going to follow the regulations and stop texting when you send STOP. This is included to make the text appear more convincing. A reply simply tells fraudsters that your number is actively used and can encourage further messages. It may also result in your number being shared with other fraudsters as a known active number.
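For a team that receives reported texts from staff, the warning signs covered so far (lure themes, an unverified sender, links, requests for sensitive data, a STOP option) can be combined into a simple triage check. This is an added example, not part of the original article; the keyword patterns, the `verified_numbers` set and the sample messages are constructed assumptions.

```python
import re

# Lure themes follow the article's examples; the keyword patterns are constructed.
LURES = {
    "bank_payment": r"new (payment|payee)|payment (has been )?set up",
    "account_locked": r"account (has been |is )?(locked|suspended)|unauthori[sz]ed",
    "government": r"tax (refund|fraud)|\bfine\b|\bpenalty\b",
    "prize": r"\b(won|winner|prize)\b",
}
URL = re.compile(r"\b(?:https?://|www\.)[^\s<>]+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/[^\s<>]*", re.I)
DATA_REQUEST = re.compile(r"\b(password|passcode|pin|card (number|details)|bank details)\b", re.I)
STOP_OPTION = re.compile(r"\b(reply|text|send)\s+stop\b", re.I)


def triage(sender, body, verified_numbers):
    """Return (verdict, reasons) for one reported SMS.

    verified_numbers is a hypothetical set of numbers confirmed out of band;
    a displayed sender name is never trusted, because it can be faked.
    """
    sender_ok = sender in verified_numbers
    has_link = bool(URL.search(body))
    text = URL.sub(" ", body)  # keep words inside URLs out of the keyword checks
    lures = [name for name, pat in LURES.items() if re.search(pat, text, re.I)]
    asks = bool(DATA_REQUEST.search(text))

    reasons = [] if sender_ok else ["sender_unverified"]
    reasons += [f"lure:{name}" for name in lures]
    if has_link:
        reasons.append("contains_link")
    if asks:
        reasons.append("requests_sensitive_data")
    if STOP_OPTION.search(text) and not sender_ok:
        reasons.append("stop_option_unverified")

    if not sender_ok and lures and (has_link or asks):
        return "likely_smishing", reasons
    if asks or (not sender_ok and (has_link or lures)):
        return "suspicious", reasons  # a data request is flagged even from a verified sender
    return "no_signal", reasons


# Constructed sample reports (sender, body); not real messages.
VERIFIED = {"+12025550100"}
SAMPLES = [
    ("MyBank", "A new payment has been set up from your account. Not you? http://mybank-secure.example/login"),
    ("+12025550147", "You have won a prize! Reply with your bank details to claim. Text STOP to opt out"),
    ("+12025550100", "Your order has shipped and will arrive on Tuesday."),
]
VERDICTS = [triage(s, b, VERIFIED)[0] for s, b in SAMPLES]
```

Keyword matching of this kind only ranks reports for review; a "no_signal" verdict does not make a message safe.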
7. Always Use Two-Factor Authentication
Even if a phishing attempt is successful at acquiring your information, two-factor authentication can prevent fraudsters from using it. After setting up 2FA on an account, every login attempt must be verified with a unique code sent to you via text or an authenticator app.
Data from Google suggests that two-factor authentication can foil 96% of SMS phishing attempts.
As a result, fraudsters will not be able to access your accounts without direct access to your mobile device or SMS inbox. Most text scammers are not hackers, and this is beyond their capabilities. In any case, fraudsters are looking for the easiest targets, and doing this takes much more time and effort than spam phishing attempts.
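To show why a phished password is not enough once 2FA is enabled, here is how an authenticator-app code is derived and checked, following RFC 6238 (TOTP). This is an added example, not part of the original article; the `login` function and the `ACCOUNT` record are constructed for illustration, and it covers the authenticator-app case rather than codes sent by text.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA-1 variant)."""
    counter = struct.pack(">Q", at // step)           # number of elapsed time steps
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login(account: dict, password: str, code: str, now: int) -> bool:
    """Accept a login only if the password and a current code both match.

    `account` is a constructed record; a real service stores a password hash,
    not the plaintext compared here.
    """
    if not hmac.compare_digest(password.encode(), account["password"].encode()):
        return False
    # Accept the current time step and the one before it to allow for clock drift.
    valid = (totp(account["secret"], now - drift) for drift in (0, 30))
    return any(hmac.compare_digest(code.encode(), v.encode()) for v in valid)


# Constructed account. The secret is the RFC 6238 test key; it stays on the
# phone and the server and is never typed at login.
ACCOUNT = {"password": "correct horse", "secret": b"12345678901234567890"}
```

The code depends on a secret that never leaves the device and on the current time, so a password captured by a smishing page fails on its own, and a code read earlier stops working after its time step passes.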
How to Report a Phishing Message
The easiest way to report an SMS phishing message is to forward the message to 7726. All mobile operators in the UK and the US use this number to report spam texts except Vodafone, which uses 87726.
You can also report SMS phishing on your Android device and block SMS spam on Apple devices:
Reporting Spam On Android
Open the conversation containing the smishing attempt. Tap More and go to Details, then Block & report spam.
Blocking Spam On iOS
Open the conversation and tap the contact at the top of the screen. Tap the name or number, then scroll down to Block this Caller.
Reporting Phishing Attempts to The Authorities
In the UK, any suspicious texts can be reported to Action Fraud.
In the US, you should submit a report using the FTC Complaints page.
SMS scams are easy to spot when you know what to look for. Because of this, it is vital to stay aware of the latest tactics used by fraudsters, and never assume you will not be a target.
Small businesses, in particular, are not only the most common target for smishing but often the least able to recover from the financial damage and loss of reputation. Make sure that everyone in your organization understands the potential threat of SMS phishing.