Smishing attacks, the text-based (SMS) form of phishing, have become a big problem. In fact, in 2021 they were a problem to the tune of $44 billion in losses, just in the U.S. And according to the FBI, it’s only getting worse. CNET reported data from the cyber security firm Proofpoint showing that smishing attempts increased 24% in the U.S. alone and 69% globally over the last year. Consumers now average 19.5 spam texts per month, which is double the rate of three years ago. Why this sharp rise? According to the CEO of another security firm, WMC Global, 97% of Americans use a smartphone, and over a quarter of younger Americans rely on them for their online access. And the global pandemic that sent everyone to their homes over the past two years resulted in more people using their phones for both work and personal communication. So, there are plenty of proverbial fish in the sea, just waiting to take the bait.
Common smishing scams
Here are the most commonly reported smishing scam attempts:
- A spoofed text from a legitimate company saying there is a billing issue
- An unprompted text telling you to “Reset Your Password”
- A random text message with an attachment claiming you have money from your latest tax return
- Account cancelation notifications pending the confirmation of your personal details
- Fake forms, surveys, and invoices to encourage you to list valuable information
- Free giveaways and coupons for expensive goods and services
- An unexpected text from someone higher up in your organization requesting that you purchase gift cards or wire money to another organization
What are the signs?
There are a few things you can look for in these messages:
- As with phishing attempts via email, attempted smishing attacks often come with grammatical and spelling errors
- Requests for personal information from banks or the government. (They would never ask you to text them sensitive information over an unsecured channel!)
- You are asked to click a link to complete a transaction. DO NOT click that link! Most likely it will download malware to your phone. Go to the company’s website separately to see if there is any legitimate issue or pending request with your account.
- The request or message is unexpected. UPS is telling you they want to deliver your package and need more information, yet you weren’t expecting a delivery.
- You don’t recognize the number, even though the sender is supposedly in your contact list. Out of the blue, the CEO of your organization is asking you to pick up gift cards. The problem is, your CEO is in your phone contacts, and this is not the number you have assigned to him/her. Contact the supposed party through other means, to find out if the request is legitimate.
And they’re getting more sophisticated
A favorite tactic used by the savvier cybercriminal is to use an organization’s website to research the names and positions of company employees. They then send a text message while pretending to be a fellow employee (or supervisor), knowing that the familiarity may lower the recipient’s suspicion level. Another popular scheme involves using a domain name that at first glance looks legitimate. Smishers know that mobile browsers often don’t display the full URL of a link, so they’ll create one that has just enough of the primary domain name in it to trick their victims into thinking that the link can be trusted.
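As an added example (not part of the original article), the Python sketch below shows how a message filter could catch the lookalike-domain trick described above: it compares the host a link really points to against a short allowlist and flags hosts that merely contain a trusted brand name. The allowlist, the sample links and the function names are constructed for illustration, and `visible_prefix` is a simplified model of a truncated address bar.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: domains the recipient actually does business with.
TRUSTED_DOMAINS = {"ups.com", "examplebank.com"}


def real_host(url):
    """Return the lower-cased host a link would actually connect to."""
    if "://" not in url:
        url = "http://" + url          # SMS links often omit the scheme
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain itself or a subdomain of one.

    The leading dot matters: 'notups.com' must not match 'ups.com'.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(url, trusted=TRUSTED_DOMAINS):
    """Classify a link as 'trusted', 'lookalike' or 'unknown'."""
    host = real_host(url)
    if not host:
        return "unknown"
    if is_trusted(host, trusted):
        return "trusted"
    # Split the host into words on dots and hyphens and look for a trusted
    # brand name ("ups" from "ups.com") sitting in a host that is not trusted.
    words = set(re.split(r"[.-]", host))
    brands = {d.split(".")[0] for d in trusted}
    return "lookalike" if words & brands else "unknown"


def visible_prefix(url, width=16):
    """What an address bar showing only the first `width` characters
    of the host would display (simplified model, an assumption)."""
    return real_host(url)[:width]


if __name__ == "__main__":
    # Constructed sample links, not taken from real messages.
    for link in ("https://www.ups.com/track?id=1",
                 "http://ups.com.parcel-redelivery.example/confirm",
                 "ups-redelivery.example/fee",
                 "https://groups.example.org/"):
        print(f"{check_link(link):9}  shown as {visible_prefix(link)!r}  {link}")
```

The second sample link is the case the paragraph describes: the host begins with `ups.com`, so a truncated display looks legitimate, yet the domain that actually receives the request is the one at the end of the host name.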
Do not respond!
Not clicking on links in unfamiliar or unexpected text messages sounds easy enough. However, cyber criminals are trying to elicit one of two types of responses: click a link or respond in some other way to the number sending the message. While you may feel empowered by avoiding any suspicious links, you’ll also need to fight the desire to call or text back telling the scammers to stop. Even if the text message says “text ‘stop’ to stop receiving messages,” don’t do it. Replying may actually result in even more messages getting sent to your phone. This is because the sender often doesn’t know whether the numbers they’re sending to are actually active. If you provide them with a response, well…now they DO know. If your phone allows it, just block their number. (If it doesn’t, you can download a call-blocking app that will do it for you.)
Trust your gut
When it comes to all things security – whether we’re talking about your own personal security as you walk down a dark street at night, or cyber security – the pros tell us that our initial gut instinct is usually right. If something feels off, then it probably is. If something sounds too good to be true, once again…it probably is. And while it is sad that it’s come to this, being suspicious of pretty much every correspondence that crosses your electronic path (email, text or voicemail) is going to give you your greatest chance of avoiding a smishing attack.