Smishing isn’t exactly new; it’s a more recent twist on an old scam. Smishing is the text-message version of a phishing scam. With the nearly universal use of smartphones, smishing has become an increasingly popular form of cyberattack. For businesses, smishing can cause company-wide leaks, data corruption, the introduction of spyware, etc. Read on to find out more about smishing scams and how you can stop them.
What is Smishing?
The term “smishing” is a contraction of “SMS” (as in text messaging) and “phishing.” A typical smishing scam arrives on the phone as an SMS text message that claims to be from a bank, credit card company, or some other type of business that you are likely to trust. The message will ask you to respond with some information, for example: “Your bank account has been compromised. Please enter your account number and password to receive important information about your account.” Or the text message may include a link to an allegedly secure website where you can “safely” enter your information. Smishers have different aims, but in most cases they’re trying to obtain information about your accounts, which is why they usually prompt you to input personal information such as account numbers, user names, passwords, PINs, or the answers to commonly asked security questions. Additionally, a smishing scam can infect your phone with spyware that allows third parties to track your movements, searches, purchasing habits, etc. Some programs can also deliver information stored on your phone into the hands of the smisher, including accounts, photos, email, and passwords.
Smishing vs. Phishing
Phishing typically refers to scam emails that appear to come from a trusted source and solicit your data. Phishers often develop official-looking letters explaining why they’re requesting the information and will go to great lengths to match the letterhead, font, and style of the organizations they’re trying to mimic. Smishing works similarly, but instead of being sent via email, the scam messages go out as SMS text messages. There are programs and apps that can enable both bulk emails and bulk texts. Cybercriminals don’t need all of their solicitations to work; they can profit from only a small number of successful attempts.
How to Avoid Smishing
To avoid falling victim to a smishing scam, follow these guidelines:
Don’t Respond to Texts From Suspicious Phone Numbers
Most companies that use text-message marketing will contact you from a U.S. or local phone number. In many cases, your smartphone will actually generate the name of the business in the preview. If you’re a U.S. resident, and the message doesn’t come from a U.S. phone number, it may be a smishing scam.
Don’t Respond to Requests for Personal Information
Most banks and financial institutions have reminders on their emails and text messages that they will never ask you to input your account information or passwords. Even if they don’t post this kind of disclaimer, you shouldn’t input your information. If you believe that it’s a legitimate request for information, open a fresh browser, locate the vendor’s site, and contact the vendor to verify that the request is coming from them.
Don’t Respond to Unsolicited Surveys or Winnings
Common smishing scams ask you to answer a survey or claim a prize. If you receive a survey that’s not connected to a recent purchase or activity, it may very likely be smishing. The same goes for messages about prizes that you’ve won. One popular smishing scam tells you to complete a survey to win a $100 gift card from Home Depot, Lowe’s, Walmart, etc. Avoid responding to these text messages.
Change Your Passwords Routinely
Changing your passwords every month is annoying, but cybercriminals rely on your neglect to access your accounts. In a 1989 Harris poll in coordination with Google, 13% of respondents stated that they use the same password across all accounts, and 52% use the same password across multiple accounts. Once a password has been compromised in one account, you should assume that it’s been compromised everywhere. Change all of your passwords routinely, and any time there’s been a security leak.
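The first three checks above (sender number, requests for personal information, unsolicited surveys or prizes) can be expressed as a simple triage filter for reported texts. This is an added example, not part of the original article; the keyword lists, the U.S.-number and short-code test, and the sample messages are constructed assumptions.

```python
import re

# Red flags from the checklist above. Keyword lists are illustrative assumptions.
PERSONAL_INFO = re.compile(
    r"\b(account number|password|pin|user ?name|security question)\b", re.I)
LURE = re.compile(r"\b(survey|gift card|prize|you(?:'ve| have) won)\b", re.I)
LINK = re.compile(r"\b(?:https?://|www\.)\S+", re.I)


def is_us_or_short_code(sender: str) -> bool:
    """Assumed test: +1 / 10-digit U.S. number, or a 5-6 digit short code."""
    digits = re.sub(r"\D", "", sender)
    if sender.strip().startswith("+"):
        return len(digits) == 11 and digits[0] == "1"
    return len(digits) in (5, 6, 10) or (len(digits) == 11 and digits[0] == "1")


def triage_sms(sender: str, body: str) -> list[str]:
    """Return the red flags a message raises (empty list = none raised)."""
    flags = []
    if not is_us_or_short_code(sender):
        flags.append("non_us_sender")
    if PERSONAL_INFO.search(body):
        flags.append("asks_for_personal_info")
    if LURE.search(body):
        flags.append("survey_or_prize")
    if LINK.search(body):
        flags.append("contains_link")
    return flags


# Constructed sample messages (not real traffic).
SAMPLES = [
    ("+44 7700 900123",
     "Your bank account has been compromised. Please enter your account "
     "number and password to receive important information about your account."),
    ("+1 202 555 0143",
     "Complete our survey to win a $100 gift card: http://example.test/claim"),
    ("72345", "Your order has shipped and will arrive Tuesday."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage_sms(sender, body))
```

A message that raises no flags is not proven safe: a text from a U.S. number that avoids these keywords passes every check, so verifying the request through the vendor’s own site still applies.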
What to Do if You Receive a Smishing Message
If you don’t respond to a smishing message, the chances of a cybercriminal hacking your accounts are substantially reduced. If you’re aware of a scam, block the number. If you have provided information to a smisher, follow these protocols:
Reset your phone to factory settings and restore it from a backup.
Change the password of whichever account was compromised. Also, change the passwords for any accounts that use that password or a similar variation of it.
Check all of your bank and credit statements for suspicious activity.
Report the fraud on the FTC fraud website.
Frequently Asked Questions About Smishing
The cybersecurity experts at Flagler Technologies are constantly finding new ways to combat cybersecurity threats. Here are some of the most common questions we hear from clients and employees regarding smishing scams and fraudulent text messages.
What Do Cybercriminals Gain By Smishing?
Most smishing scams are designed to get usernames and passwords for individual accounts. The user fills out this information, and the cybercriminal has access until they’re detected. Often, however, they introduce spyware into the targeted phone, allowing them to access some or all of the information on the device.
Can My Company Be Vulnerable to Smishing?
There are a few ways that smishers can easily gain access to your company data. If an employee downloads spyware onto an integrated device, like a company phone or tablet, it can infect your servers with malware. Additionally, employees often use the same password for personal and business accounts. If the smishers figure out an employee’s work password from a similar password used on a personal account, they can gain access to your company’s system.
If you’re concerned about smishing or phishing scams at your business, contact Flagler Technologies to discuss your security needs.