What is smishing?

A scam text message on a smartphone display
(Image credit: Shutterstock)

We’re all too familiar with phishing. Fraudulent emails purporting to be from a trusted source, and tricking the victim into revealing sensitive information, are rampant.

Banks and financial services, third-party vendors, and streaming services are among the popular targets for impersonation. By and large, phishing scams rely on social engineering and clever personalization to lure victims into transferring money to a fraudulent account or providing personally identifiable information (PII).

The year 2020 saw 6.95 million new phishing attempts. Not surprisingly, COVID-19 scams were common, as were gift cards and gaming hacks. There’s a lesser know variant of phishing, however, that’s equally perilous. SMS phishing, or smishing, employs text messages sent over mobile phones as bait. There’s often an air of urgency in these messages, which entices recipients to click on malicious links.

How common are smishing attacks?

Reports of smishing in the UK rose nearly 700% in the first half of 2021, according to a study by enterprise security provider Proofpoint. Additionally, parcel and package delivery scams made up 67.4% of all smishing attempts.

Other prevalent smishing scams include:

  1. Urgent notifications regarding credit card payment
  2. Act-now coupons with special discounts
  3. Request for survey/feedback from customer support
  4. Unusual account activity alerts
  5. Unknown service charges
  6. Flash sales and giveaways
  7. Instant student loans

Over 9,000 reports have been filed to Which?’s Scam Sharer tool since it launched in March 2021. Most reports (65%) involved phone calls or text messages, with 31% of these scams originating as text messages.

Why are smishing rates so high?

The average SMS open rate is 98% compared to just 20% for emails, according to Gartner. Additionally, SMS marketing helps businesses offer 24/7 support to customers, boosting engagement. Given the high response rate, it’s less of a surprise why cyber criminals emulate brands.

That said, smishing attacks are particularly hard to tame for one particular reason: lack of authentication. Unlike emails, SMS messages cannot be blocked or flagged without third-party software. Unhindered by the law, perpetrators can automate SMS messages to millions of ten-digit phone number combinations.

For instance, Edward Smith, a UK customer of Santander bank, was conned out of £22,700 after providing a spoofed bank phone number with his one-time password in 2016.

Santander released a statement stating, “Whilst we are very sympathetic to Mr Smith's situation and the distress caused by being the victim of a scam, Mr Smith disclosed a OTP to validate and authorise the transfer, a security measure we put in place to protect customers against fraud. He also confirmed the payment as genuine when we called to check. Therefore we cannot accept any responsibility for the losses on this account.”

A subsequent investigation revealed there were at least ten other Santander SMS fraud cases under investigation, with one victim reportedly losing £40,000.

How to spot and stop smishing scams?

Social engineering and trickery make smishing scams extremely potent and persuasive. Listed below are a few tips to prevent smishing:

1. Do not click on links sent via text message

Expect the unexpected. Malware can also spread through secure messaging apps like WhatsApp and Signal. Hacking groups, including Dark Caracal, have successfully employed WhatsApp, Signal, and Messenger to distribute phishing links that trick users into installing phoney updates to their encrypted messaging applications. Updates typically include malware files that allow hackers to view user screens, record keystrokes, and even take control of devices remotely.

2. Look for misspelled words


Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security


Smishing attacks are often characterized by poorly crafted sentences, improper grammar, and misspelled words. Be sure to check for these tell-tale signs when you suspect smishing. Spam messages may also contain links that differ ever so slightly from the site's original URL. Navigate to the website manually instead of clicking on the link to avoid being scammed.

3. Verify the number before initiating contact

Smishing messages typically come from random or strangely formatted numbers. For example, the number 5000 indicates the message was sent via email and may be malicious. Calling the concerned organization and asking for confirmation is the most reliable way to determine whether the number/message is legitimate. In the event that the number is fraudulent, delete the message to prevent any risks.

4. Limit the size of your digital footprint

Publicly available information can help criminals improve the credibility of their phishing messages. A good case in point is social media accounts. Review your privacy settings to ensure hackers cannot retrieve personally identifiable information, including your mobile number.

Already responded? Here are your options

Timely action can prevent harm. Here are some steps to take if you've already replied to a suspicious message:

  1. Contact your bank if you have been tricked into disclosing your financial information. Block or freeze your account to prevent further transactions.
  2. Notify your IT department if you used your work phone to respond. Log out of all other connected devices and reset your password.
  3. Run a full scan with antivirus software if you clicked on a suspicious link to install or update an application.

Report to curb the spread

It's still worthwhile to report your suspicion, even if it's only a hunch. Luckily, it only takes a few steps to report spam.

Do not open or reply to suspicious emails. Instead, forward them to phishing-repot@us-cert.gov, an inbox established by the US Cybersecurity & Infrastructure Security Agency (US-CERT) in collaboration with the Anti-Phishing Working Group (APWG). You can also forward report cases of identity theft through identitytheft.gov. UK readers can forward possible phishing attempts through the Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk.

Additionally, you can report suspicious text messages to universal short-code 7726 at no charge. The service will help your phone provider track down the source of the text and take appropriate measures.

“Smishing attempts have risen dramatically – with fraudsters taking advantage of the pandemic to trick consumers into giving away personal details and transferring their hard-earned cash,” says Rocio Concha, director of policy and advocacy at Which?.

The firm also released a ten-point SMS guide, encouraging businesses “to do their part to protect consumers from scams”. The guide offers advice on how businesses can differentiate their texts from those sent by scammers impersonating them, to protect consumers from fraud.