18 October 2022

It’s more than likely that you have received countless unwanted phone calls from telemarketers or scammers using a robocall method. Given the relentlessness and illegal use of this type of outreach, robocalls have become one of the top consumer complaints to the Federal Communications Commission (FCC). As people have become more aware of robocalls, the latest and most successful fraudulent practice scammers use to target unsuspecting consumers is sending emails and text messages.

What is Smishing?

You may be familiar with the term “phishing,” which is a type of cybersecurity attack carried out through emails. “Smishing” is a similar form of social engineering. The difference between phishing and smishing is that the latter is done through text messages. Criminals use these types of spam texts to bait you into taking actions, such as clicking malicious links that could compromise your personal information.

Smishing spam text messages are a fast-growing means for scammers to target consumers. In fact, it is estimated that more than 66 billion spam texts have been sent to U.S. phones through June of 2022, and it is projected that by year-end more than 147 billion spam texts will have made their way to mobile phones – nearly doubling the amount sent in 2021.[1]

Text message scams have led to big financial losses for Americans. In 2021, the Federal Trade Commission (FTC) reported that $137 million was lost to fraud originating in scam texts.

How Does Smishing Work?

Smishing attacks have become a go-to for cybercriminals. They are carried out in 3 steps:

  1. A text message is sent out as bait that contains a malicious link.
  2. The link is clicked and a victim provides personal information.
  3. The victim’s information is used to commit fraud.

Smishing attackers assume the identity of a trustworthy source and send text messages that demand an immediate response or ask the recipient to take an action. Such action could include responding to the text message or opening a link within the message. The smishing link leads the victim either to download malicious software that installs itself on a mobile phone or to a fake website that requests sensitive personal information. The attacker's goal is often to steal directly from a bank account, commit identity theft, or convince a victim to send money.

What Are Examples of Smishing Attacks?

Criminals often reference your name, your financial institution, or specific places you shop, enticing you to click a malicious link or send a reply that contains private information. The information an attacker wants can be a number of things, including online account credentials or private information that could be used to commit identity theft.

Here are some common ways smishing attacks are carried out through text messages:

  • Financial institution notification about the interruption of services, unpaid bills, or the need to verify suspicious account activity.
  • Password reset request to gain control of an account.
  • Customer support representative claiming there is an error with your account and giving you steps to resolve it.
  • Tax season communication regarding money being owed or being refunded that directs you to a fraudulent website.
  • Delivery notification, which includes a link for updates to a delivery.

How to Avoid Falling Victim to a Smishing Scam

Smishing attackers capitalize on trust and emotion to manipulate a victim’s decision-making. They pose as legitimate organizations and use a personalized message delivered with a sense of urgency, which helps override any suspicion that the text message might be fake. The best way to protect yourself from a smishing scam is by not taking the bait. While text messages are a legitimate form of communication for many organizations, there are ways to protect yourself from falling for fake text messages. 

  • Do not interact with texts from unknown numbers – do not reply to or call the telephone number in the text message. To confirm the legitimacy of a text, call the phone number listed on the company’s official website. 
  • If a text is urging you to act or respond quickly, stop and think about it. Remember that criminals use this as a tactic to get you to do what they want.
  • Ignore and delete text messages notifying you of an alleged restriction on an account. Criminals use such tactics to bait you into clicking malicious links.
  • Do not click on any suspicious links sent via text.
  • Do not ever send credit card numbers, ATM PINs, or banking information to someone in text messages.
  • Only download trusted applications from an official app store.

Remember, Teachers will NEVER contact you directly to request any of your personal information!
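
The warning signs listed above (unknown sender, urgency, an alleged account restriction, a request for card or PIN data, a link that does not belong to the organization) can also be checked mechanically when triaging reported texts. The Python sketch below is an added example, not part of the original article; the sender allowlist, the `example-bank.com` domain, the phrase lists and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholders (assumptions): allowlists, phrase lists and samples
# are illustrative only and do not come from the article or any real bank.
OFFICIAL_DOMAINS = {"example-bank.com"}
KNOWN_SENDERS = {"+15550100"}

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
URGENCY_RE = re.compile(r"\b(immediately|urgent|right away|act now)\b", re.I)
RESTRICTION_RE = re.compile(r"\b(locked|suspended|restricted|disabled)\b", re.I)
SECRETS_RE = re.compile(r"\b(pin|password|card number|cvv)\b", re.I)

def link_hosts(text):
    """Return the lower-cased host of every URL or bare domain in the text."""
    urls = [m.group(0) for m in URL_RE.finditer(text)]
    urls = [u if "://" in u else "http://" + u for u in urls]
    return [(urlsplit(u).hostname or "").lower() for u in urls]

def is_official(host):
    """Exact domain or a true subdomain; 'example-bank.com.evil.test' fails."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage_sms(sender, text):
    """Return the warning signs from the checklist that this message shows."""
    flags = []
    if sender not in KNOWN_SENDERS:
        flags.append("unknown_sender")
    if URGENCY_RE.search(text):
        flags.append("urgency")
    if RESTRICTION_RE.search(text):
        flags.append("account_restriction")
    if SECRETS_RE.search(text):
        flags.append("asks_for_secrets")
    if any(not is_official(h) for h in link_hosts(text)):
        flags.append("unofficial_link")
    return flags

# Constructed sample messages: a lookalike-domain lure, a benign notice, a data request.
SAMPLES = [
    ("+15550199", "Example Bank: your account is locked. Verify immediately at http://example-bank.com.secure-login.test/verify"),
    ("+15550100", "Example Bank: your statement is ready at https://www.example-bank.com/statements"),
    ("+15550142", "Delivery problem. Reply with your card number and PIN to reschedule."),
]
for sender, text in SAMPLES:
    print(sender, triage_sms(sender, text))
```

An empty result does not make a message safe; confirming through the phone number on the company's official website remains the deciding check.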

What to Do if You Become a Victim of Smishing

It may be hard to recognize a smishing attack, but if you do fall victim, you should have a plan in place to help rectify the situation immediately.

  1. Report the suspected attack to your financial institution.
  2. Freeze credit cards to prevent fraudulent purchases.
  3. Change all passwords and account PINs where possible.
  4. Scan your mobile device for viruses using an anti-malware app. 
  5. Monitor finances, credit, and various online accounts for unfamiliar activity.


[1] The RoboKiller Report 2022 Mid-Year Phone Scam Insights