There was clearly something fishy afoot when Beth, a disabled 50-year-old from North Carolina who asked us not to use her last name, received two text messages saying she had money available to add to her phone's digital wallet.
One message read, "Beth put this in your wallet and use it whenever." The other said. "The balance on this account is yours. no be to share [sic]." Both messages included hyperlinks.
Beth had just become the target of "smishing," an increasingly common tactic criminals are using to commit fraud.
Instead of clicking on the embedded links, Beth deleted the messages and reported them to the Better Business Bureau, a business watchdog. "Money doesn't just drop in your lap," she told Consumer Reports, explaining why the messages raised her suspicions. Beth says she's been on high alert for fraud since being targeted by calls from scammers claiming to be officials from the IRS or Social Security.
The word smishing combines SMS, the primary technical format for text messaging, and phishing. As in other phishing attacks, the criminals masquerade as government workers, tech support representatives, long-lost friends, or financial institutions and try to lure people into divulging personal details that could lead to fraudulent credit card purchases or identity theft.
In 2018, the Federal Trade Commission logged 93,331 complaints about unwanted text messages, including smishing attempts. That was up 30 percent from the year before. And reports are continuing to climb in 2019.
Security experts say one reason for the increase in smishing is that these days people trust text messages more than phone calls or emails.
"Texting has replaced the phone call as the most popular consumer communication channel. So while we ignore phone calls, we are conditioned to respond to text messages—and phishers are using this to their advantage," says Al Pascual, a co-founder at Breach Clarity, which develops identity theft protection tools. Similarly, he says, "consumers' radars aren't up with text messages as they are with emails, and criminals are finding success because of it."
Banking Scams and Identity Theft
While Beth wasn't fooled, many others do get taken.
"With the adoption of SMS messages for two-step authentication, where a verification code is sent, people are more accustomed to receiving codes in SMS," says Javvad Malik, a security awareness advocate with KnowBe4, a firm that specializes in anti-phishing technology and phishing awareness training.
For instance, in late 2018, hackers in Ohio sent smishing texts to users pretending to be Fifth Third Bank, a regional banking institution that had recently introduced cardless ATMs—money machines that allow users to get cash using just a mobile phone.
The phony texts fooled about 125 victims into divulging their usernames and passwords, and, according to court records, the criminals stole $106,000 from ATMs in Illinois, Michigan, and Ohio. Four individuals were arrested in relation to the crime. The case is ongoing and, so far, one person has been indicted, in the District Court for the Southern District of Ohio.
And smishing can give criminals access to more than a victim's bank account.
Scammers "may send an SMS with a link asking to activate a credit card, and take users to a page asking them to input various kinds of personal information," Malik says. Victims can also be tricked into downloading malicious apps that can be used to intercept messages or quietly collect personal data.
With the right personal information in hand, criminals can use someone else's name to open credit cards, rent properties, and commit other crimes.
How to Avoid Smishing
"Criminals choose smishing because it works," says Pascual. Security experts like him say consumers can take several steps to protect themselves from suspicious-looking text messages.
- Beware of messages that claim to be from government agencies, such as the IRS or Social Security Administration. The IRS will never send you an unsolicited text message or initiate contact via text message, email, or social media. The Social Security Administration does allow marketing firms to send emails to raise awareness of Social Security's online services, and it uses text messages for two-factor authentication—but only if you've set up that security measure through your online account.
- A tell-tale sign that you may be under attack is that a message is trying to impart a sense of urgency. These types of scams often imply that an immediate response is required to take advantage of an offer or to avoid a penalty.
- Don't be taken in by friendly, familiar language. Smishing text messages may use your name. While they often come from unfamiliar numbers, sometimes they seem to have originated from a phone number you recognize.
- Never click embedded links from suspicious text messages. They can contain malicious code that could infect your mobile phone.
- Do not respond to suspicious text messages, even if the message says you can "text STOP" to prevent future messages. Any response on your part will confirm for the scammers that the number is in use—and you'll just be inviting more texts.
- Delete all suspicious texts.
- Make sure your phone's operating system is up to date. Android and iOS are constantly being updated with enhanced security features. On Android models and iPhones, your phone's settings page should indicate what system you're using and whether an update is available.
- If you get a suspicious text from an official-sounding entity and want to check it out, don't use any information from the message itself. Instead, call or email the company or government agency directly, using an official phone number from a recent bill or another valid source of information.
- You should also alert the attack to law enforcement by submitting a report to the FCC or the Federal Trade Commission.
