Among the many threats to your internet security is “smishing,” in which bad actors try to steal your data or money through a text message that attempts to trick you into following a link you shouldn't or revealing personal details or login information that should be kept private.
The attack takes its name from phishing emails that “fish” for a response that leaves you vulnerable to various threats, but here the dangerous message arrives via SMS, direct to your phone, which might make you more likely to fall for the scam.
The damaging effects of smishing attacks can be serious and varied, whether they involve someone gaining access to your bank accounts or taking over your social media accounts. But if you know the warning signs to look out for and the preventative steps to take, you can avoid getting caught out.
How Smishing Works
Smishing attempts traditionally arrive via SMS text message, though they can pop up on any messaging platform, from WhatsApp to Instagram. They'll often come with a link attached that you're supposed to click on, or they might ask for a direct response, but you'll need to take some action to be affected by the attack (just receiving the message won't cause any damage).
The first kind of attack you'll come across is a link to a shady website, possibly one that's mocked up to look like a well-known company website or social media network. You'll be prompted to enter your username and password details, but rather than logging you in to the site in question, whoever set up the fake site will take these details and use them for nefarious purposes.
The second kind of attack will push you to download a dangerous app or run it in your web browser. The good news is that your phone will block a lot of malware apps automatically—it's particularly difficult to install a non-approved app on iPhones—but this is still something to look out for when messages come in.
In the third version, you might get messages asking for personal or financial details directly—with prompts to reply to a text with your bank details, for example, or with login details for a certain website. As with the redirects to fraudulent websites, these details will go straight to the people behind the smishing attempt, who will most likely use them to try to steal money or information.
The Warning Signs
While we can't offer a foolproof guide to spotting every single smishing attack you might come across, there are some red flags to look out for. One is messages coming from numbers that don't seem correctly formatted or that contain unusual characters—these might be genuine messages from businesses or automated services, but they might also be smishing attempts, so proceed carefully.
It's actually rare that any person or company will need to send you a message with a link embedded in it, so you can view such messages with suspicion. It's rarer still that these messages will appear out of nowhere—if they are authentic, they'll usually show up as you're trying to verify an account or making an inquiry or having an active conversation with someone.
Another sign that gives away a lot of smishing messages is their sense of urgency. Many of them will ask you to act fast and impose some kind of time limit on a response so you are less likely to think about what you're doing. They might also try to entice you to follow a link by talking about something shocking or controversial that needs immediate attention (pretending that videos of you have leaked online, for instance).
They might dangle a reward for responding (“win a gift card”), or the message might masquerade as a warning (“your account has been suspended”). The bottom line is that smishers want you to take action.
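The red flags above can be written down as a simple rule-based check. The sketch below is an example added here, not code from the original article; the word lists, flag names, triage thresholds, and sample messages are all constructed assumptions for illustration.

```python
import re

# Patterns for the red flags listed above. The word lists and the triage
# thresholds are illustrative assumptions, not a vetted detection ruleset.
SENDER_OK = re.compile(r"^\+?\d{3,15}$")  # short code or international number
LINK = re.compile(r"(?:https?://|www\.)\S+|\b[a-z0-9-]+\.[a-z]{2,}/\S*", re.I)
CHECKS = {
    "urgency": re.compile(r"\b(urgent|immediately|act now|right away|final notice"
                          r"|within \d+ (?:hours?|minutes?))\b", re.I),
    "reward_lure": re.compile(r"\b(win|won|gift card|prize|reward)\b", re.I),
    "warning_lure": re.compile(r"\b(suspended|locked|compromised)\b", re.I),
    "asks_details": re.compile(r"\b(reply with|send us|confirm|verify) your\b.*"
                               r"\b(password|pin|bank|card|login)\b", re.I | re.S),
}


def red_flags(sender, body, in_active_conversation=False):
    """Return the warning signs found in one message, in a fixed order."""
    flags = []
    # Ignore spaces and hyphens, then require digits with an optional leading +.
    if not SENDER_OK.match(re.sub(r"[\s-]", "", sender)):
        flags.append("odd_sender")
    if LINK.search(body):
        flags.append("link")
        if not in_active_conversation:
            flags.append("unsolicited")  # link arrived out of nowhere
    flags += [name for name, rx in CHECKS.items() if rx.search(body)]
    return flags


def triage(flags):
    """Map flags to an action; one flag alone can be a genuine message."""
    if len(flags) >= 3 or "asks_details" in flags:
        return "treat as smishing"
    return "verify with sender" if flags else "no red flags"


# Constructed sample messages: (sender, body, in_active_conversation).
SAMPLES = [
    ("+1 (555) 01#2-99x", "URGENT: your account has been suspended. "
     "Verify within 24 hours: http://secure-bank.example/login", False),
    ("+15550123", "You have won a gift card! Reply with your bank details "
     "to claim.", False),
    ("+15550100", "Your verification code is 482913.", True),
]

if __name__ == "__main__":
    for sender, body, active in SAMPLES:
        flags = red_flags(sender, body, active)
        print(f"{sender!r}: {triage(flags)} {flags}")
```

A single flag, such as an alphanumeric sender name, only triggers "verify with sender", which matches the point above that oddly formatted senders can still be genuine.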
Keep Your Devices Protected
The security advice for guarding against smishing isn't much different from the advice for protecting your devices against any other kind of threat. Keeping your phone's software and web browser up to date is important and should ensure a lot of smishing attacks get blocked by the security features built into Android, iOS, Chrome, and Safari.
As with phishing attacks, if you're in any doubt about the legitimacy of a message, get in touch with the supposed sender directly. If you receive a text purporting to come from your bank, for example, contact the bank through official channels, rather than following the link that came through on the text. You should be able to quickly establish whether the message was genuine.
Another piece of advice is not to rush into replying to a message or following a link. We're all used to operating our smartphones at top speed, sometimes without paying complete attention to what we're doing, which can lead to overlooking security threats. As we've said, a lot of smishing messages will encourage a speedy response—don't take the bait.
For the majority of smishing attacks, some quick and basic web research should tell you whether they're genuine. You'll be able to find out if your bank is texting you or your streaming account has been locked or a particular retailer is giving out gift cards. You can also try copying the text of your message into the search engine of your choice: If you've gotten a suspicious SMS, chances are other people have received it too, and you may find cautionary messages online.