Here’s a riddle: What happens up to 2 billion times a day in the US and causes victims immense financial losses? Smishing attacks.
An ongoing study managed by Robokiller shows that Americans received 2.3 billion scam texts per day in December of 2022. The scams are working too. According to Robokiller’s most recent mid-year study, Americans lost an estimated $9.7B to smishing attacks in the first six months of 2022 alone.
As scam calls dwindle due to Americans rapidly transitioning to digital communication methods, scammers have proven they’re more than willing to adapt to the times as well, targeting digital communication methods at an eye-watering rate.
What is a Smishing Scam?
Smishing, sometimes stylized as SMiShing, is the name given to a phishing attack that uses SMS (short message service) as the delivery method. These are more widely known as scam texts or spam texts.
Most smishing attacks pose as a trusted entity—think banks, major retailers, utility providers, charities, etc. Usually disguising the attack as an automated message, the scammer will include a made-up notification about an overdue payment, unauthorized login attempt, suspicious account activity, and everyone’s favorite: a $5000 CASH PRIZE YOU MUST CLAIM IN THE NEXT 30 MINUTES.
One way or another, most attacks will try and trick you into clicking a link or calling a number in hopes that you’ll unsuspectingly hand over banking info, account credentials, or some other valuable piece of personal information.
Why Do I Get Spam Texts?
Just like an email address, your phone number can be leaked online from any number of sources. To make matters worse, your phone number is much easier for attackers to simply guess. In contrast to an email address, which can vary in length and character composition, a US phone number is just 10 digits making it much easier for you to be caught up in a random attack.
So, did you enter your number into a sketchy site that sold or leaked the info? It’s possible, but there are far too many ways for scammers to obtain your phone number to be certain. Rest assured, (or not so assured) almost everyone with a phone number has been the recipient of these messages at one point or another.
As these attacks get more and more convincing, it pays to know how to recognize them. Below are some examples that will help you identify a smishing attempt, as well as how to handle them.
Smishing Examples and How to Identify Them
Example 1: Smishing Message from a Google Number
This seemingly innocuous wrong-number text has the potential to develop into any number of attack vectors. Never engage with unknown numbers that offer no context, especially if you notice poor spelling, formatting, or grammar in use.
Looking up the phone number shows us we were right to be cautious. This threat actor was using a Google Voice number to perform attacks.
Example 2: Generic Credit Card Charge
This text came from another VoIP or voice over IP number that is easily created for this purpose.
The lack of specificity in this example combined with the claim of an account being shut down is designed to trigger an emotional response. The attacker is hoping the target lets their guard down and follows the link without considering possible ramifications.
Further investigation of the phone number once again confirms that a VoIP service is in use here as well.
Example 3: Amazon Account Lock
This attack is intended to elicit a response by posing as an automated message from a trusted, and widely used service. Not to mention one that most folks don’t want to see shut down. Note the grammar mistakes and failure to capitalize ‘Amazon’ here as well.
This attack differs from the initial examples because it’s making use of a proxy service that sends the message from an email address instead of another phone number. The domain the email is coming from is clearly a malicious domain with no connection to Amazon.
Example 4: Netflix Account Lock
Here we have another variation on a notification regarding supposed issues with an account. This attack is also using a proxy service and has originated from another malicious domain.
The domain here is a little less obvious than in the prior example, but if you find yourself in any doubt whatsoever, it’ll always be safer to navigate to the service directly. In this case, you’d want to head straight to the Netflix app or website rather than following the provided link so that you can verify whether there is an issue with your account or not.
What to Do if You Get Spam Texts
First of all, don’t click on anything. Even if you’re curious about where the link leads or want to investigate whether the destination appears to be a hoax, it’s always safer to avoid following any links sent to you by an unknown number.
Additionally, do not respond to the text. This includes responding with the word ‘STOP’—which some messages instruct you to do to remove your number from their contact list.
Making use of your phone’s block feature is always your safest bet. Here’s how to do so on Apple and Android devices.
How Do I Report Spam Texts?
If you want to take things a step further and help the cause a little, you can forward the text to 7726 (SPAM) before blocking the number. This will alert your cell carrier and help them prevent future smishing attempts. You can also report fraud to the FTC.
Smishing Protection
Proactive steps are always being taken by companies like Apple, Samsung, and Google to keep users as safe as possible with spam filters and other software developments. That said, there are additional measures that users can take to further reduce the volume of smishing texts they receive.
If you’re using an Android device, be sure that spam protection is switched on.
On an Apple device, you can elect to block unknown numbers entirely. While you do run the risk of missing a text from someone whose number you don’t have saved, this will seal off all spam messages into a separate inbox. The secondary inbox can be accessed by going to Filters > Unknown Senders.
In addition to these measures, or if you don’t want to run the risk of missing texts on an iOS device, there are some third-party options available.
The Cellular Telecommunications Industry Association (CTIA) has a verified list of apps available for both iOS and Android devices which will help limit spam. While these apps are geared toward robocalls, many of them have features to help address smishing texts as well!
Closing Thoughts
Smishing attempts have evolved and grown at an unprecedented rate. They can often be extremely convincing.
For this reason, it’s important to know how to identify, prevent, and handle these messages when you come across them. This knowledge and awareness will minimize any risk of falling prey to a smishing attack and minimize the number you receive as well.
As a reminder:
- Be cautious of messages from unknown numbers containing spelling, formatting, or grammar mistakes.
- Never click on a link in a spam text.
- Don’t respond to unsolicited texts. Not even with ‘STOP’.
- You can report smishing attempts by forwarding the message to 7726.
- Enable device-level protections
- Enable spam protection on Android.
- Consider blocking all texts from unknown members on iOS devices.
- Consider available third-party apps for robocalls & texts. (Apple, Android)
If you’re in need of any further resources or guidance regarding smishing attacks, don’t hesitate to reach out. We’re always happy to help in any way we can.