What is SMShing?

Smishing is a term derived from phishing and SMS (short message service, or text messages). Phishing is a way that scammers try to get people to release sensitive information. They may use this information for identity theft, or to commit other fraudulent activities. Although phishing typically occurs online, or during a phone call, it has increasingly occurred via SMS. As more people handle their business and log into accounts on mobile devices, scammers have adapted new ways of attaining sensitive information. Phishing text messages may come to a cell phone in the following formats:

  • A text message “from the bank” warning a user that his account has been deactivated, with a number he can call to reactivate it.
  • A text message informing a person of a service she’s been registered for and must take an action, such as visiting a website, to avoid charges.
  • Confirmation of a purchase suggesting that the user call a number if the confirmation is inaccurate.

(eInvestigator, 2017)

Smishing has evolved with the popularity of Apple technology. As a result, Apple id smishing has become a target for some scammers. Messages are often spammed out to iPhone and iPad users, with a link to a fake Apple webpage. The following are examples of fraudulent Apple id messages:

  • “Your Apple id has been locked due to unauthorized log-in attempts. Please log in here (phishing website link provided) and verify your information.”
  • “Your Apple id will expire today. Prevent this by logging in at (link to phishing website).”
  • “As a security measure, your account has been temporarily frozen until you confirm that you are the owner.”

(Cluley, 2016)

The examples provided are just a few, and there are many variations in the attempts to steal sensitive information and credentials from a user’s cell phone. Smishers put much effort into making convincing messages. For example, some will even include an option to unsubscribe from future alerts.

SMS Spoofing

SMS spoofing is used by scammers to disguised their phone numbers and impersonate others: another person, a company, or a product. By using this technology, they can set who the messages appear to be coming from in the caller id. The real phone number that sent the message is replaced by alphanumeric text.

Protect Yourself from Smishing

Smishing attempts aim to steal identity and money. They often use fear tactics as a way to get user’s to act quickly, without giving it too much thought. There are several ways scammers try to lure people into the trap. User’s can protect themselves by looking out for text messages that try to invoke fears such as these:

  • Fear of someone stealing money.
  • Fear of being accused of a crime
  • Fear of harm to an individual or his family
  • Fear of something embarrassing being revealed about a person, whether true or not

(O’Donnell 2016)

Learning to spot these fraudulent text messages is helpful, but there are other ways people can protect themselves. If the text message seems to be coming from a legitimate source, conduct a number lookup to find the company’s phone number. Then call that number for verification instead of the number provided in the text. Most legitimate businesses such as banks usually do not send text messages that require a reply. Here are more tips for protection against Smishing:

  • Do not open text messages from unknown sources. Delete them.
  • Avoid clicking links or downloading software from unverified sources.
  • Do not provide sensitive information to unverified sources.
  • Get anti-virus protection for cell phones.
  • Use a text alias to hide cell phone numbers from smishers.
  • Avoid text messages that appear to come from the number 5000. SMS spoofing is likely used to hide the true phone number.
  • Contact the phone company and inform them of the fraudulent texts.

(eInvestigator, 2017)