Recently, several state and federal agencies, including the Federal Trade Commission (FTC) and the Internal Revenue Service, have warned against the rise of smishing, the SMS version of phishing.
Phishing is a cyber-attack that aims to trick people into divulging personal information. It happens via email. Now, some experts say, cyber-criminals have also been able to access phone numbers.
In January, the FTC flagged a smishing scam: a message that appears to be from a state road toll company that informs recipients about an outstanding balance.
“The scammy text might show a dollar amount for how much you supposedly owe and include a link that takes you to a page to enter your bank or credit card info,” the FTC warned. “Not only is the scammer trying to steal your money, but if you click the link, they could get your personal info (like your driver’s license number)—and even steal your identity.”
Smishing can be particularly convincing, posing as a FedEx carrier, bank, or other known entity. Since the scam happens via text, people may be particularly vulnerable to them. “Text messages are more intimate, and you check them more quickly than emails, so people start falling for those scams,” says Murat Kantarcioglu, a professor of computer science at Virginia Tech.
State transportation departments—including West Virginia and New Hampshire, and E-Z Pass itself issued warnings regarding such messages.
Here’s how to protect yourself against smishing.
Why does smishing happen?
Smishing happens when cybercriminals are looking to access private information about a person—whether it be their bank account password or birthday—to hack things such as their phone or credit card account.
If you receive a suspicious message, cybercriminals already have some type of information about you, usually obtained through a third-party marketing company. “Whenever you give your phone number to a company or organization, those phone numbers are sometimes sold [to others],” warns Kantarcioglu. “The other big area [of concern] is that there was lots of hacking over the years, and most people, social security numbers, phone numbers, addresses, etc, have also [been] leaked and stolen.”
Smishing may also happen on some social media apps, including Signal and Whatsapp.
What to do if you receive a smishing scam
Steer clear of any messages that appear to be suspicious. The FTC advises people to not click any links, or respond to any messages sent to them by an unknown sender. “The link that they sent may be vulnerable so that your phone may be hacked automatically. In some cases… it may get you to a site where they may want to get more information from,” warns Kantarcioglu.
Instead of directly responding to a message that poses as a bank or toll company, users should login to their personal accounts on their own, or directly get in contact with such companies right away. When signing in, it’s also important to ensure you have clicked on a secure site. “I’ve seen some scammers [create] ads for fake variants of the website, like a fake toll company website,” says Kantarcioglu. “You have to find the correct website for the organization.”
Many phones allow users to directly delete and report the message as junk. The FTC says that people can also forward such messages to 7226 (SPAM). Kantarcioglu adds that people should make sure they block the numbers or accounts they get these types of messages from. Smishing can also be reported to the IC3 internet crime complaint center at www.ic3.gov.
It may also be important to inform less tech-savvy loved ones about these types of scams. “I think everyone should make it their mission to educate the older people in their family about these issues,” says Kantarcioglu. “I’m trying to educate them, never answer the text messages or phone calls, for that matter, from anyone that’s that you don’t know.”
