A combination of the words SMS and phishing, smishing is a type of cyberattack where the perpetrator sends an enticing text message in hopes of getting the recipient to click on a link.

When successful, smishing attacks let hackers access a user's credentials or other private information. The goal may also be to get the victim to download malicious software onto their devices.

Smishing is becoming increasingly popular because most people are already aware of the dangers of clicking on a malicious link in their email. However, fewer people realize that dangerous links can also be sent via text message.

How Do Smishing Attacks Work?

Smishing attacks are very similar to phishing attacks. The attacker sends an alluring text message with a link. If the victim clicks on it, they'll be prompted to enter sensitive data or download malware onto their device.

Most Smishing Attempts Are Conducted to Access Personal Data

Common targets of smishing attacks include:

  • Online credentials
  • Personal details that could be used to steal someone's identity
  • Personal or financial information that could be used on the dark web or to conduct online fraud

Attackers use many tactics to get people to trust the message they've been sent, such as addressing them by their name or citing their address to convince recipients that the message is coming from a trusted source.

Sometimes social engineering is involved in a smishing campaign. For instance, the attacker might start by calling the victim to get their personal information before sending them a text message.

What Happens If You Click on a Smishing Link?

In many cases, a smishing attack aims to trick users into downloading malware onto their mobile phones. The malware then combs the device for personal information that gets sent to a server controlled by the attacker.

What Do Hackers Do With Stolen Information?

There are many things hackers can do with your stolen information, such as:

  • Using your debit or credit card information to make fraudulent purchases
  • Accessing your bank account
  • Submitting fraudulent medical claims or using your health insurance to access medical care
  • Filing a tax return or applying for unemployment under your name
  • Applying for a loan or credit card in your name
  • Committing crimes under your name
  • Applying for a fraudulent passport or driver's license
  • Changing your billing address in order to benefit from services you've subscribed to
  • Renting an apartment in your name
  • Selling your personal information to other criminals on the dark web

Smishing Scam Examples

Attackers often automate their messages to reach several users at a time, using a VoIP service such as Google Voice, which makes it impossible to know where the SMS phishing message is coming from. As a result, smishing attacks may look like they're coming from within North America, but the user may be based anywhere in the world.

One common smishing attack involves the attacker pretending to be the Internal Revenue Service (IRS) or Canada Revenue Agency (CRA) and threatening the recipient with legal action unless they call the number provided. If they call the number, someone asks them for their personal information or tries to convince them to send money to avoid being arrested.

Another common tactic involves telling victims they've won a contest or are eligible for a free perk from a well-known company or service. The message contains a link. If the user clicks on it, they're directed to a fake site where they're asked to share personal information or download malicious software that will steal their information without their knowledge.

Warning Signs

How to Tell a Smishing Attack From a Legitimate Message

Just like phishing attempts, smishing messages tend to be sloppy.

Keep an eye out for spelling mistakes, odd grammar or informal language. These tend to be your first clue that the message you've received was not actually sent by the company claiming to be sending it.

Things to Keep in Mind

The IRS doesn't communicate with taxpayers via text message, nor does the CRA. If a government body wants to communicate with you, they'll usually send you a letter through the mail.

Similarly, most banks and companies won't communicate with you via text message or email.

If you have any doubts about a message you've received, you can always contact the company by calling them using a phone number you know to be genuine. To be sure, always double-check the phone number on the company's official website using a URL you've typed into your browser yourself. Links in emails or text messages are not to be trusted!

How to Protect Yourself From Smishing Scams

Look out for the following signs:

  • Messages that promise quick money or claim you've won a prize
  • Messages containing coupon codes and other offers you never asked for
  • Messages from banks or financial institutions
  • Messages from phone numbers you don't recognize
  • Messages from phone numbers that don't have the right amount of digits in them or with an area code that isn't local

How to Avoid Smishing Scams

To protect yourself from smishing attacks, avoid storing sensitive information such as banking details and passwords on your cell phone or any other mobile device. By doing this, even if malware were to be installed on your device, criminals wouldn't find any personal information to collect.

You can also report smishing attempts to the FTC or the Canadian Anti-Fraud Centre.

Protect Your Company Against Phishing Scams

To protect your company against smishing and other phishing-style attacks, it's important to educate employees about the risks of smishing and how to recognize a potential attack.

The following tips will help protect your company against smishing:

  • Be suspicious of unsolicited text messages, especially ones that ask for personal information or contain links.
  • Don't click on links in text messages unless you're sure they're legitimate.
  • Use a secure, password-protected internet connection when accessing sensitive information.
  • Install and regularly update antivirus and malware protection software on all company devices.
  • Use multi-factor authentication for all company accounts and systems that contain sensitive data.
  • Have a plan in place to respond to a smishing attack, including reporting the attack to the appropriate authorities.

Taking these steps can help protect your company and employees against smishing scams. Remember to always be cautious when it comes to unsolicited text messages, and never give out personal information or click on links without verifying their legitimacy first.