In this article:
Smishing is an identity theft method that uses texts to impersonate a trusted sender and steal a victim's information. Smishing—a type of phishing—is a growing threat to consumers, with more than 11 billion spam texts sent in March 2022 alone, according to anti-spam app Robokiller. In 2021, 87.8 billion smishing attacks resulted in $10 billion in estimated consumer losses—a 58% year-over-year increase in spam texts.
Scammers typically send out large text blasts to cast a wide net for potential victims, so it's crucial to know what smishing looks like to avoid being deceived. Here's what you need to know about smishing, how to protect yourself and what to do if you become a victim of fraud.
How Smishing Attacks Happen
Smishing is when fraudsters use text messaging to impersonate a trusted organization and steal your identifying information, such as your Social Security number, account usernames and passwords, bank account information or credit card numbers.
Smishing texts often also include malicious links the victim is encouraged to open. When the victim clicks the link, malware may be downloaded to their device or they may be directed to a login or billing screen. The scammer can then capture the victim's login credentials, financial information or personal data, which can ultimately be used for identity theft.
Smishing attacks are used with a variety of scams, but the ultimate goal remains the same: to steal your information. Like other types of phishing, these scams rely on creating excitement, urgency or fear to get victims to act quickly. They might promise prizes or warn of financial or legal trouble to coerce you to act, or they might attempt to confuse you by sending fake invoices for products you never ordered.
The most common type of smishing in 2021 was delivery scams, where the fraudster would impersonate Amazon, USPS or FedEx and lure victims with a seemingly legitimate link to track a package. COVID-19 scams, in which fraudsters offer tests in exchange for personal information, were the second most common smishing attack.
How to Protect Yourself From Smishing Attacks
Criminals carrying out smishing attacks attempt to deceive victims into freely giving up information or clicking on a malicious link. Receiving a sketchy text won't, on its own, infect your device with malware or leak your data, so an effective way to avoid being victimized is by simply not engaging with scammers.
Here are some key tips for avoiding smishing attacks:
- Pause before you act. Scammers turn up the emotional heat to pressure you to act quickly. They create urgency by insisting that time is running out, or by threatening you with severe consequences if you don't act now. These are telltale signs of a scammer.
- Don't respond to communication from unfamiliar senders. If you receive a message from a sender you don't know, such as a company you don't do business with or a strange phone number, don't respond. Responding at all, even just to say "stop," tips the scammer off that your number is live, which can lead to more spam. Instead, block unwanted messages without replying.
- Don't click any links. Smishing texts may include links that could infect your device with malware or to lead you to enter your information into convincing website spoofs that masquerade as sites you trust. Don't click on any links embedded in a suspicious text.
- Contact trusted parties directly. If you receive a suspicious text claiming to be from a sender you believe has a legitimate reason to contact you, communicate with the organization through a known, trusted channel, such as by navigating to their website or calling them directly.
- Keep your devices secure. Keep your cellphone safe from hackers by keeping your software up to date. Phone operating systems such as Android and iOS regularly receive patches designed to close up security holes, so neglecting to install updates can leave you vulnerable to cyberattacks. Make sure all your apps are kept up to date as well.
What to Do if You're a Victim of Fraud
Smishing and other types of fraud are prevalent and, unfortunately, scammers can be convincing. If you've given a scammer your information or clicked on a suspicious link, act quickly to minimize harm:
- Secure your devices. If you believe your device is compromised with malware, take steps to remove it. Ensure that your security software is updated on your cellphone or personal computer, and then run a virus scan.
- Secure your finances. If you gave a scammer your financial information, contact your issuer or bank to report that your information has been stolen. Continue to check your account for fraudulent transactions and dispute them as quickly as possible.
- Secure any compromised accounts. Create new passwords for any accounts compromised in a smishing attack. Make sure to use unique, strong passwords for each account and consider storing them in a secure password manager.
- Secure your credit. Monitor your credit file for signs of identity theft. Experian IdentityWorks℠ allows you to lock your credit file and receive dark web surveillance, monitoring across all three credit bureau reports and real-time alerts if someone attempts to open credit in your name.
- Report the fraud. The Federal Trade Commission (FTC) collects scam reports at ReportFraud.ftc.gov. You can also report identity theft through the FTC's IdentityTheft.gov, where you'll also receive advice on next steps to take.
Check Your Credit for Signs of Identity Theft
Smishing scams are an ever-present threat, but knowing the signs of fraud can help you protect yourself and your loved ones. In addition to being proactive, monitor your credit report for signs of fraud.
Scammers sell stolen information on the internet, where it can be bought and used for identity theft, hacking, spam and robocalls. Experian's personal privacy scan searches people finder sites for your information and tells you what information has been compromised so you can take action.