
Smishing

Smishing is a form of social engineering that exploits SMS, or text, messages. Attackers send text messages claiming to come from legitimate services. These fake text messages can contain links to dangerous webpages, email addresses, or phone numbers.

Just as in email phishing attacks, cyber criminals often play on your emotions to get you to act by creating a sense of urgency or curiosity. They do this by saying you have won a prize, or that you have to respond immediately or else something "bad" will happen. This is all an attempt to convince you to provide sensitive information quickly, without realizing it is a scam.

(Image: Smishing Poster)

Spotting and Stopping Messaging Attacks

Here are some questions to ask yourself to spot the most common smishing attacks:

  1. Does the message create a sense of urgency, attempting to pressure you into taking action?
  2. Is the message taking you to websites that ask for sensitive information, such as a password or your financial details?
  3. Does the message sound too good to be true? Think of the iPhone reward example.
  4. Does the linked website or service force you to pay using non-standard methods such as Bitcoin, gift cards, or Western Union transfers?
  5. Does the message ask you for the multi-factor authentication code that was sent to your phone or generated by your banking app?
  6. Does the message look like the equivalent of a wrong number? If so, do not respond to it or attempt to contact the sender; just delete it.

Remember:

If you get a message from an official organization that alarms you, call the organization back directly. Don't use the phone number included in the message; use a trusted phone number instead. Such a number can be found on official documents from that company, or on its website's contact page.

Also remember that most government agencies, such as tax or law enforcement agencies, will never contact you via text message; they will only contact you by physical mail.

How Can I Report a Smishing Attempt?

There are many ways to report smishing attempts, though they depend on which device, app, and service provider you are using. Please visit our Report Phishing page for more information.