What is “Smishing” — and How To Prevent It

Key Takeaways

• The primary defense against smishing attacks is to refrain from responding to suspicious messages.
• Approach urgent messages, especially those related to account updates or limited-time offers, with caution.
• When in doubt about the legitimacy of a message, directly contact the relevant institution or service provider using official contact information.

Smishing, a portmanteau of "SMS" (Short Message Service) and "phishing," refers to a deceptive cyber-attack method that involves the use of text messages to trick individuals into divulging sensitive information or taking harmful actions. Much like traditional phishing attempts conducted through email, smishing exploits the trust of recipients by presenting seemingly legitimate messages. These messages often contain urgent or enticing content, such as fake account alerts, limited-time offers, or urgent requests for personal information. The goal is to manipulate recipients into clicking on malicious links, providing confidential details, or unknowingly downloading malware onto their devices. Smishing attacks thrive on exploiting human curiosity, anxiety, or urgency, emphasizing the importance of user vigilance and caution when interacting with unexpected or suspicious text messages.

The good news is that the potential ramifications of these attacks are easy to protect against. You can keep yourself safe by doing nothing at all. In essence, the attacks can only do damage if you take the bait.

That said, be mindful that text messaging is a legitimate means for many retailers and institutions to reach you. Not all messages should be ignored, but you should act safely regardless.

There are a few things to keep in mind that will help you protect yourself against these attacks.

• Do not respond. Even prompts to reply like texting “STOP” to unsubscribe can be a trick to identify active phone numbers. Attackers depend on your curiosity or anxiety over the situation at hand, but you can refuse to engage.
• Slow down if a message is urgent. You should approach urgent account updates and limited time offers as caution signs of possible smishing. Remain skeptical and proceed carefully.
• Call your bank or merchant directly if doubtful. Legitimate institutions don’t request account updates or login info via text. Furthermore, any urgent notices can be verified directly on your online accounts or via an official phone helpline.
• Avoid using any links or contact info in the message. Avoid using links or contact info in messages that make you uncomfortable. Go directly to official contact channels when you can.
• Check the phone number. Odd-looking phone numbers, such as 4-digit ones, can be evidence of email-to-text services. This is one of many tactics a scammer can use to mask their true phone number.
• Opt to never keep credit card numbers on your phone. The best way to keep financial information from being stolen from a digital wallet is to never put it there.
• Use multi-factor authentication (MFA). An exposed password may still be useless to a smishing attacker if the account being breached requires a second “key” for verification. MFA’s most common variant is two-factor authentication (2FA), which often uses a text message verification code. Stronger variants include using a dedicated app for verification (like Google Authenticator) are available.
• Never provide a password or account recovery code via text. Both passwords and text message two-factor authentication (2FA) recovery codes can compromise your account in the wrong hands. Never give this information to anyone, and only use it on official sites.
• Download an anti-malware app. Anti-malware apps can protect against malicious apps, as well as SMS phishing links themselves.
• Report all SMS phishing attempts to designated authorities.