Smishing – yes, that's not a typo – is a category of fraudulent activity that thousands of people fall for every year. This guide will tell you everything you need to know about it so you can spot the scam and save yourself.
What is Smishing?
Smishing is a portmanteau of 'SMS' and 'Phishing'. Phishing is a popular scammer's practice that involves sending emails purporting to be from a legitimate business/company that often contain malicious links designed to help them steal your information.
From this description, you can probably guess what smishing is – it's effectively the same process performed as phishing but through text messages instead of emails. In recent years, smishing has also taken place on messaging services like WhatsApp and Facebook Messenger.
Why has it become so popular?
When the general public starts to become aware of one type of scam on a certain platform, criminals will either change the scam or change the platform they're performing it on. In this case, they're just re-appropriating the Phishing scam to a new medium of communication.
Many more people are aware of the dangers of email fraud than a decade ago, as well as what fraudulent emails look like. Many scams won't even be opened because we all have handy spam folders built into our email accounts. So naturally, they've moved onto a medium we don't associate so heavily with scams and criminality.
On top of this text messages are, unfortunately, just an objectively easy platform to scam people on. Young people often receive hundreds of messages and offers via text on a daily basis. For this reason, many smishing attempts are successful because the victim is simply not concentrating.
We're also chemically addicted to texts in a way we aren't to email. When you receive texts, you get a rush of dopamine that (surprisingly) isn't matched when you receive an email about a 50-page document you need to read for work.
What do smishing texts look like?
Here's an example of a smishing text that was received in the United Kingdom in 2024. As you can see, the scammer makes sure to kick off the message with the name of a legitimate business – Lloyds is a widely-used and trusted bank that hundreds of thousands of British people receive text and email correspondence with:
The smishing email also features a copy of a common 'format' we're all used to seeing in official correspondence from companies we use the services of – a notification that someone has logged into your account and a request to verify the login attempt. Most smishing formats are chosen because they evoke a sense of urgency in the victim.
Another important thing to note is the URL provided – Successful smishing emails often have URLs that could pass at a glance as proper links to the company's site. Often, this includes creating a URL like the one above where the name of the company (in this case Lloyds) appears to be spelled correctly. Sometimes they're slightly less subtle and include an extra letter, like this one from the US:
Other scammers utilize symbols that appear almost indistinguishable from standard alphabet letters to fool those who don't take a closer look. In one example from the UK, the scammer's URL had the domain name 'Ałdi' instead of 'Aldi.' Can you see the tiny, horizontal dash through the 'L' in the first one? If you had to squint or thought it was just a mark on your screen, you can see why this type of fraud is so successful.
What do smishermen want?
Some smishing messages will, when the link is clicked, take you through to a malicious website where you're asked to type in personal information. Others may install malware or ransomware on your device masquerading as a legitimate app, and if you use it, it'll steal your data.
Some of these scams are more subtle than others, and it's not always possible to know what's running on your device in the background – some go undetected for weeks. Smishermen want your personal information like passwords so they can:
- Access and steal money from your bank account
- Obtain confidential information that can be used as ransom
- Retrieve sensitive information about the business you work for
- Send the smishing text message to your contacts
How can you protect yourself from smishing?
Be aware of what you're up against. Scammers are getting better and better every day at mimicking the landing pages of legitimate websites, and there are some reports of such pages being hosted on domains owned by legitimate companies. This means you need to treat messages from companies with the utmost caution. Steps you can take to protect yourself include:
- Never click a link in a text message that you aren't expecting
- Don't store credit card information on your smart device
- Contact the company purported to have sent the text to check
- Never change your account information via text message
- Block all calls from strange-looking phone numbers (i.e. '5000')
It's also worth remembering that you're not going to be the only one who's received the smishing text. There will likely be thousands of others that do too. That's why it's always worth Googling the company's name along with the phrase 'text message scam' as it might get you your answer quite quickly. The same goes for social media – businesses are often informed of scam messages purporting to be from them on Twitter by people mentioning the company's @handle.
If you can't find anything, however, this should never be taken as an indication that links in the message are safe. Rather, it's just a quicker way to root out the most popular ones going around.
If you have a commercial relationship with a company and experience of going through their legitimate customer service processes, treat any attempted communication or request for information instigated outside of those processes as highly suspicious and probably fraudulent.
Smishing in times of crisis
Instances of both phishing and smishing rise in prevalence during times of crisis, so whilst the pandemic still rages across all corners of the earth, it's important to be extra vigilant when it comes to the mail you receive.
One of the reasons this is the case is that it's much easier to manufacture a superficial sense of urgency in front of a backdrop of something that requires genuine, real-life urgency, such as a pandemic.
It's no surprise then that people in the UK, as well as various other countries around the world, have been receiving smishing texts purporting to be the government.
What do I do if I've been smished?
If you've already fallen for the scam, there's not much you can do other than limit the damage the scam can do.
- Immediately change all of your passwords and sign-in credentials
- Disconnect the device from your home wi-fi network
- Contact your bank and inform them
- Keep an eye on your bank/email/social media accounts
- Scan your phone with antivirus software
To truly protect yourself, any text you receive that isn't from a friend's phone should be treated with a level of caution. In a pandemic that's even more important, as the scammers always look to capitalize on the sense of urgency evoked in periods of crisis.
Now you know what to look for, hopefully you'll be able to spot them in the future!