What is Smishing? How it Works and What Not to Do


The word smishing may not sound familiar, but maybe you’ve been on the receiving end of a smishing attack or know someone who has. With smishing text messages on the rise, it’s best to get yourself acquainted with ways to identify them and what to do when you think you’ve received one.

Read about how smishing works and ways to avoid being a victim of an attack.

What is smishing?

Smishing is phishing via text. The term itself is a mashup of two words:

  • phishing: the act of sending fraudulent emails to extract personal information from the recipient; and
  • SMS: short message service, otherwise known as a text message

Smishing text messages may deceptively ask recipients to provide personal data, then use the information to steal their money. Or, the sender could pose as someone you know and request money.

How does smishing work?

The Federal Trade Commission (FTC) reports that in 2018 over 93,000 complaints were made about unwanted text messages, including smishing attempts. These fraudulent messages are likely becoming more prevalent because of our relationship with texting.

More personal than email and yielding a faster response rate, the text message is now a favored platform among cybercriminals to trick us into quickly divulging sensitive information. It may be because our guard is down when it comes to texting. We’re accustomed to texting only with close contacts, and we assume that our smartphones are safer than our computers, which may keep us from being as vigilant when looking out for sketchy activity.

Another contributor to smishing’s success? It plays on our fears. Smishing messages regularly include language that demands the recipient provide something at that moment before it’s too late. We’re more likely to react if a message appears to be from that friend in Ohio asking to send money ASAP (they’ll explain later!) or from your bank urging you to confirm your account information before your account is suspended.

Smishing example: What does a smishing attack look like?

In England, the National Health Service (NHS) had to warn the public that any text appearing to be from the organization with the following message was a scam:

“Hi, this is a message from the NHS to confirm your identity please reply with Y followed by your year of birth.”

Another smishing example: In Knoxville, Tenn., one woman received several texts from contacts who appeared to be friends letting her know that she qualified for a $50,000 federal grant – she just had to pay $500 to get it.

In Shreveport, La., scammers posed as a local pastor collecting gift cards for patients.

A smishing example. Image from KTBS 3 ABC.

And finally, here’s a smishing example that I recently received. The sender — pretending to be USPS — notified me of a final delivery notification. I wasn’t expecting anything from USPS, and I hadn’t received any other notifications about this delivery, so I knew it was likely a smishing attempt.



An example of a smishing attempt.

Smishing text messages can take many forms, but generally, the message may ask you to provide some form of information either by tapping on a link or texting it back. The sender may claim to be your bank, a government agency or even a friend. And more than likely, the tone of the message will be urgent, asking for your immediate action. The sender may even threaten a consequence, such as missing a good deal or losing access to an important account.

A few other common red flags are:

  • Messages using unnatural language
  • Offers that are too good to be true
  • Messages that include embedded links without context (following a link could lead to malware being installed on your phone)
  • Messages about your security or finances that are unrelated to an ongoing conversation with your bank, or are from a bank you don’t do business with
  • The sender isn’t in your contacts list
  • Messages coming from the IRS or the Social Security Administration
  • Messages from a phone number that looks off (it could be an email sent to a phone)
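
The red flags above can be expressed as simple checks on a message and its sender. The following is an added example, not code from the original article or from Zipwhip; the patterns, the function name `red_flags` and the sample messages (other than the NHS text quoted earlier) are assumptions made for illustration.

```python
import re

# Patterns keyed to the red flags listed above (illustrative assumptions,
# not a vetted rule set).
RULES = {
    "urgent_tone": re.compile(
        r"\b(asap|immediately|urgent|final notice|suspended)\b", re.I),
    "asks_for_personal_info": re.compile(
        r"\b(confirm|verify|reply with|provide)\b.{0,60}"
        r"\b(identity|account|birth|social security|password|pin)\b",
        re.I | re.S),
    "too_good_to_be_true": re.compile(
        r"\b(qualif\w+ for|won|winner|free)\b.{0,40}"
        r"(\$\s?\d|grant|prize|gift card)", re.I | re.S),
    "claims_irs_or_ssa": re.compile(
        r"\b(irs|social security administration)\b", re.I),
}
LINK = re.compile(r"(https?://|www\.)\S+", re.I)
PHONE = re.compile(r"^\+?\d{5,15}$")  # short codes and full numbers


def red_flags(sender, body, contacts=frozenset()):
    """Return the sorted names of the red flags a text message trips."""
    hits = {name for name, rx in RULES.items() if rx.search(body)}
    # A link with few words around it is a "link without context".
    if LINK.search(body) and len(LINK.sub("", body).split()) < 12:
        hits.add("link_without_context")
    if sender not in contacts:
        hits.add("sender_not_in_contacts")
    # An email address or other non-numeric sender "looks off".
    if not PHONE.match(re.sub(r"[\s().-]", "", sender)):
        hits.add("sender_looks_off")
    return sorted(hits)


# Sample input: the NHS text is quoted in the article; the rest is constructed.
CONTACTS = {"+15555550100"}
SAMPLES = [
    ("+447700900123", "Hi, this is a message from the NHS to confirm your "
     "identity please reply with Y followed by your year of birth."),
    ("delivery-alerts@mail.example", "USPS: final notice for your package. "
     "Confirm here: http://parcel-update.example/t"),
    ("+15555550100", "Great news, you qualified for a $50,000 federal grant! "
     "Just send the $500 fee ASAP."),
    ("+15555550100", "Running 10 minutes late, see you at the cafe."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, red_flags(sender, body, CONTACTS))
```

The third sample comes from a number in the contacts list and still trips two flags, which matches the Knoxville case: a familiar sender does not make a message safe.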

It may seem unrealistic that providing only a few bits of information about yourself, like your birthday or last name, could leave you open to fraud, but a smisher doesn’t need much to hack into your personal accounts. Unless you and the sender have set expectations ahead of time, be wary of any message that asks you to provide any personally identifiable information (PII).

What should I do if I suspect I have a smishing message?

First, just being aware that smishing attacks exist already sets you up for success. Despite their rise in popularity, many people don’t know they can be scammed over text, which leaves them more likely to follow a harmful link or reply with sensitive information.

If you suspect a message is a smishing attack, don’t do anything! Don’t reply and don’t follow the link. If the message claims to be from a known contact (like your bank), but it still looks fishy, call your bank to confirm the validity of the message.

Finally, delete the message. Getting it off your phone ensures you won’t accidentally engage with it.

How Zipwhip keeps your customers safe from a smishing attack

Zipwhip is dedicated to keeping smishing text messages from reaching your customers’ phones. Our full-time fraud and security team applies automated monitoring and real-time filtering to flag suspicious activity, making it possible to identify smishing attacks and block them before they have a chance to get to the recipient.

To learn more about Zipwhip security, read about our security and compliance features.
