What You Need To Know About "Smishing"

We all know what phishing is, right? That internet-based scam that tries to get you to click on malicious links or surrender personal information through email messages that range from sophisticated to typo-ridden? Well, there’s a variation on that theme making the rounds, and you might not be able to spot it as easily. Smishing is a text message scam that targets victims not through email, as phishing does, but through SMS — regular ol’ text messages sent to your phone. Here’s what you need to know about how to spot it — and how to avoid falling prey to it.

Digital security company Norton (as in, Norton Antivirus, which has probably come pre-installed on every computer you’ve ever owned since 1991) notes on its blog that smishing is particularly nefarious because it capitalizes on the fact that most people are attuned to phishing these days. “Most people are aware of the security risks involved with clicking on links in emails,” writes Norton. “This is less true when it comes to text messages.” Stephen Cobb, a security researcher for ESET, agrees; he recently told USA Today, “Criminals like smishing because users tend to trust text messages, as opposed to email, of which many people are more suspicious, due to phishing attacks.”

It’s also worth noting that the advent of the smartphone — which is rapidly becoming the main way that many people get online — has likely contributed to the proliferation of smishing. “As smartphones are the primary means of accessing the internet in some countries, this has tempted criminals around the world to invest in scams that target these devices,” Cobb said. “That means there is no shortage of skills in this space, skills that criminals can tap to target cellphone users in any country they choose.”

For what it’s worth, smishing isn’t new; it’s been around for at least several years, as evinced by this video by CNET, which was posted to YouTube in 2012. “Smishing is phishing using SMS to do a call to action,” explained Sourcefire security architect Adam O’Donnell in the video — with the call-to-action bit being the thing to pay attention to: As is the case with phishing, a smishing message aims to get targets to do something, like give up valuable information or click a link. A smishing attempt might look like this:

Or like this:

Clicking on the kinds of links seen in these examples might do things like install a keylogger on your phone (which hackers can then use to get your passwords) or lead to websites that steal your personal data.

However, smishing messages can also be much harder to spot. A current scam allegedly making its way around the UK, for example, involves a message that appears to come from the National Health Service (NHS), the public health service of England, Scotland, and Wales. The smishing text reads, “Hi, this is a message from the NHS to confirm your identity. Please reply with Y followed by your year of birth.” However, according to the Coventry Telegraph, the NHS has said that it does not collect information in this way. This scam aims to gather the target’s date of birth, which can then be used for all kinds of fraudulent activity.

The UK actually seems to be dealing with a lot of smishing scams at the moment, although as Stephen Cobb noted, the phenomenon certainly isn’t limited in terms of its geographic scope. Scammers posing as the bank Santander have been texting people with messages claiming that their accounts have been blocked and instructing them to click on a link to “reactivate” them. Santander is actively fighting this threat; after one target, Debby Thompson, made the news in March of 2017 for reporting the scam, a spokesperson for Santander told the Bristol Post, “Debby received a text message from a third party purporting to be Santander, a scam known as smishing. The customer did the correct thing in contacting Santander before taking any further action.” According to the Bristol Post, the bank has requested that customers who receive messages that look like they might be smishing scams forward them to smishing AT santander DOT co DOT uk.

McAfee (the company that makes the other antivirus program that’s probably come installed on every computer you’ve had since the early ’90s if it didn’t come with Norton) has a couple of common-sense tips for protecting yourself against smishing — don’t click on links in texts, especially if they’re from people you don’t know; don’t respond to text messages asking you for personal information; etc. — but honestly, what it all ultimately comes down to is learning how to spot them. Get familiar with the kinds of formats these messages tend to take, and if you get a weird-looking text from, say, something that looks like your bank, give your bank a call to confirm whether or not the text actually came from them before you do anything else.
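To make those formats concrete, here is an added example (not from McAfee, Norton or the original article) that scores an incoming text against the warning signs described above: a link, a request for personal information, a prompt to reply with it, "account blocked" pressure, and an unknown sender. The patterns, weights, thresholds, phone numbers and the bank-themed sample are assumptions constructed for illustration; the NHS-themed sample is the message quoted earlier.

```python
import re

# Patterns are illustrative assumptions built from the article's examples and tips.
INDICATORS = {
    "link": re.compile(r"https?://\S+|\bwww\.\S+|\b[\w-]+\.(?:com|net|org|info|co\.uk)\b", re.I),
    "personal_info": re.compile(
        r"\b(?:year|date) of birth\b|\bconfirm your identity\b|\bpassword\b|\bPIN\b|\baccount number\b", re.I),
    "reply_request": re.compile(r"\b(?:reply|respond|text back)\b", re.I),
    "account_pressure": re.compile(r"\b(?:blocked|suspended|locked|reactivate)\b", re.I),
}
# Assumed weights: asking for personal data counts most, a bare link or pressure less.
WEIGHTS = {"link": 2, "personal_info": 3, "reply_request": 1,
           "account_pressure": 2, "unknown_sender": 1}

def triage_sms(sender, body, contacts):
    """Return (score, indicators, advice) for one incoming text message."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    # A reply prompt is only suspicious when paired with a request for personal data.
    if "reply_request" in hits and "personal_info" not in hits:
        hits.remove("reply_request")
    if sender not in contacts:
        hits.append("unknown_sender")
    score = sum(WEIGHTS[h] for h in hits)
    if score >= 4:
        advice = "Do not click or reply; contact the organisation on a number you already trust."
    elif score >= 2:
        advice = "Treat with caution; verify the sender before acting."
    else:
        advice = "Low risk on these checks."
    return score, hits, advice

# Constructed sample inbox. The first body is the NHS-themed text quoted in the article;
# the second is a constructed bank-themed lure with a placeholder link.
CONTACTS = {"+447700900001"}
SAMPLES = [
    ("+447700900123", "Hi, this is a message from the NHS to confirm your identity. "
                      "Please reply with Y followed by your year of birth."),
    ("+447700900456", "Your account has been blocked. Reactivate now: http://bank-login.example.test/r"),
    ("+447700900001", "Running late, see you at 7?"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        score, hits, advice = triage_sms(sender, body, CONTACTS)
        print(f"{sender} score={score} {hits}\n  -> {advice}")
```

Keyword checks like these only catch the familiar formats; a text that scores low can still be a scam, which is why confirming with the organisation directly remains the real safeguard.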

Safety first!