Can You Spot a Sophisticated Text Message Scam?

When Patrick Sage received a text message from his bank claiming that someone was trying to make a purchase for over $500 at Walmart, he acted quickly.

Sage called the number in the text and followed instructions from the person he thought was a Citibank employee about how to transfer his money to a friend’s account to keep it secure. His friend even received confirmation texts of the transfer. But no money.

Instead of protecting his hard-earned cash, Sage unknowingly gave scammers access to his bank account — and they stole over $7,500.

Sage was the victim of a smishing attack. Scammers send fake text messages claiming to be from your bank, the Internal Revenue Service (IRS), or a company that you trust — and then trick you into clicking on malicious links or giving up sensitive information and money.

Since 2020, the number of smishing attacks has grown by more than 328%, with victims losing over $3.5 billion.

Scammers love using text messages, and their smishing attacks are only getting more sophisticated.

In this guide, we’ll cover how smishing attacks work, the latest smishing scams you need to know about, and what to do if you receive, respond to, or click on a link in a smishing message.

What Is Smishing? How Does a Smishing Attack Work?

Smishing — a shortened version of “SMS phishing” — occurs when scammers send you fake text messages claiming to be from a company or organization that you trust. Smishing attacks commonly impersonate banks, the IRS, FBI, and DMV, or companies like Amazon, PayPal, and Apple.

An example of a smishing attack: scammers pose as Netflix to try to get you to click on a malicious link. Source: Aura team

The goal of a smishing attack is to get you to click on a link to a phishing site, download malware onto your device, call the impersonators (so they can continue their scam on the phone), or give up sensitive data — such as passwords, banking information, or your Social Security number (SSN).

Here’s how a typical smishing attack works:

  • First, scammers send fake text messages to your mobile device that look legitimate. They may even spoof the number to make it look like the text is coming from a local or official phone number.
  • The message will create a sense of urgency — either by claiming that your account has been hacked, someone is making fraudulent purchases, or you’ve won a prize.
  • Next, the cybercriminal prompts you to click on a link or call a phone number. But any action you take continues the scam.
  • If you click on a smishing link: you’ll be taken to a fake website designed to steal your sensitive information. Some smishing links deliver spyware or other malware that allows hackers to scan your device for personal data and passwords.
  • If you call the scammers: they’ll continue the fraud, even using stolen personal information to make you trust them. In the case of Patrick Sage, the scammers had the last four digits of his bank account, which convinced him they were legitimate.

Smishing is dangerous because few of us understand the true risks of opening or interacting with a text message scam. Even replying “STOP” or “NO” could put you at risk of further scams.

The bottom line: Delete unsolicited text messages and never click on links. If you’re concerned about what a message says, contact the company directly by using the phone number or contact information found on their official website.

Smishing vs. Phishing vs. Vishing: What’s the Difference?

Smishing attacks use text messages as their mode of delivery. But while it’s easy for scammers to send millions of fake text messages, it’s unlikely that you’ll respond with high-value information (like your password or financial information).

Instead, smishing often leads to other, more dangerous types of imposter scams.

Smishing attacks are often designed to ensnare victims in these three main types of phishing scams:

  • Phishing is the general term used for imposter scams, but it is often used to refer to scam emails. Smishers will sometimes follow up with an email phishing attack in hopes that you’ll click on a malicious link.
  • Vishing refers to “voice phishing.” Any time you get a robocall, unsolicited phone call, or call a number in a smishing text, you’re being targeted by a vishing attack.
  • Pharming refers to fake websites that scammers use to continue their phishing and smishing attacks. Many scam emails and texts contain links to websites that steal your personal information. For example, scammers may create a website that looks like your bank’s login page, and then send you a smishing text claiming that your account was hacked and you need to update your password. But when you enter your current login information on the fake website, it goes straight to the scammer.

No matter the mode of delivery, all of these scams can lead to disastrous consequences, from lost money to full-on identity theft.

Hari Ravichandran, “What is Smishing? How To Spot & Avoid The Latest Text Scams”, aura.com, Nov. 10, 2022

