How to avoid smishing attacks
If you’ve recently received a series of suspicious messages from unknown numbers pretending to be the USPS, your bank, or some other large corporation asking you to solve an urgent problem, you’re not alone. Hopefully these bizarre messages have set off your alarm bells and kept your link-clicking fingers at bay, because these texts are not legitimate. They’re a relatively recent iteration of the phishing scam, where thieves hiding behind the opacity of a screen hope you’ll buy their business disguise enough to give them what they want. This text-centric update on the classic scam is dubbed smishing, a portmanteau of SMS and phishing.
But don’t feel guilty if you briefly considered such texts to be plausibly authentic. They are smartly made to capitalize on this unique moment in technology, a time when the perils of an increasingly complicated online economy are leading us to seek additional guardrails and a return to the relative simplicity of the dumbphone era, like using SMS for two-factor authentication or receiving text notifications when a package has been delivered. But since even the smartest of us have off days or unfocused moments when a smishing scam might sneak by undetected, we’ve put together a guide on how to spot and avoid them.
Gmail has correctly determined that this email is not from the real Illuminati.
This is how smishing works
Smishing scams work on the same principle as the email phishing scams that gave birth to them, but they are much easier for scammers to use. Scammers send a series of official-looking messages from a fake number, soliciting user logins or other sensitive information, which can then be used for ID theft and account theft.
While email services have gotten pretty good at weeding out the bad stuff over the decades, phone carriers and manufacturers are still in the infancy of developing spam filters. Additionally, the general public has gradually become better educated about phishing threats. So instead of wasting energy trying to recreate the look and language of a real Bank of America email that fools not only AI filters but also the end user, scammers have taken the much easier route of shooting off SMS messages to tons of numbers, hoping someone will take the bait.
In rare cases, the malicious message attempts to trick the recipient into installing data-gathering malware disguised as a legitimate app. This method is more common against Android users, since Android is both the most widespread smartphone operating system on the planet and the operating system that gives users more freedom to download apps from unverified sources.
Recognize the scams
It’s much harder to label a text as smishing by appearance alone than it is to spot an “off” looking email as a phishing scam. Many of the authentic text messages that companies send look pretty ugly and weird, especially compared to the kind of text formatting we’re used to seeing from our friends and family. These aesthetic problems have countless causes. The company may have outsourced the task to a third party. Formatting can get messed up on the way from a computer drafting program to SMS (which can vary further from carrier to carrier). The human who created the message template might just have had an odd sense of what “official” looks like.
Moana failed to consider human error as the cause of her misspelled name
This type of corporate communication is still so strange and unfamiliar that sometimes even real texts are mistaken for fraud. Take this text from Ikea, for example, about the Waitline queuing service. It was sent and received in good faith in connection with a return at the company’s Burbank, California store. But as a Google search of the phone number it was sent from reveals, many people wrote the message off as fake.
Think about it
Ultimately, you are your own best line of defense against scammers, and one of the easiest ways to avoid them is to simply use common sense when alarming news comes your way. Do you even bank with Chase? No? They are unlikely to lock you out of your account if that account doesn’t exist. Are you expecting a package? From DHL? Even so, it’s a good idea to check your email for an order receipt and/or a tracking number to look up the shipment yourself, rather than clicking on a random link in some text. And – this shouldn’t surprise you – you have not won and will never win a prize that you are asked to collect by clicking on a link sent from an unknown number.
Check the sender
Let’s say the suspicious text claims to be from a company that you actually use. Your next step should be to verify the sender. The VOIP services used to send such messages mean that they almost always show up as green bubbles for iOS users. Additionally, iMessage can receive messages sent from email addresses as well as SMS messages, so some spam that used to get stuck easily in Gmail’s filters now gets a second chance at success in your messages. But a simple check of the sender’s contact card can often reveal an email address that’s a jumble of letters and numbers and is definitely not from the real company.
A look at the sender is often enough to determine the authenticity of a text.
Also, be wary of messages coming from numbers like “5000,” which indicate email-to-text services commonly used by scammers.
Check the text
Smishing texts often contain telltale clues as to their inauthenticity. First, look for obvious giveaways like misspelled words, odd punctuation, incorrect grammar, or stray extra spaces between words and punctuation. No Fortune 500 company sends such sloppy communications.
Watch out for messages that urge you to act quickly or that impose a time limit. Scammers hope that a stoked sense of urgency will make you abandon your common sense.
Text messages often shorten URLs, which smishers use to their advantage. Their scam works by convincing the user to click on a link to a shady website, so they often create a URL front-loaded with legitimate-looking bits and hope that the phone’s URL shortening will hide the more obvious giveaway parts of the address, which are stuffed in at the back. It’s a good rule of thumb to never click on a link sent by someone you don’t know. If you’re seriously concerned about a claim a smisher is making in their decoy text, you can always investigate by logging into your account using the normal methods or looking up the real customer support information yourself.
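The shortened-URL trick described above can be checked mechanically by comparing what a truncated preview shows with the host the link really points to. The Python sketch below is an added example, not part of the original article; the trusted-domain list, the 30-character preview width and all sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: domains of companies the reader actually does business with.
TRUSTED_DOMAINS = {"usps.com", "chase.com"}

def display_preview(url, width=30):
    """Mimic a messaging app that shows only the first `width` characters."""
    return url if len(url) <= width else url[:width] + "..."

def real_host(url):
    """Host the phone will actually connect to, ignoring userinfo and path."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_trusted(url):
    """True only if the host is a trusted domain or a subdomain of one."""
    host = real_host(url)
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(url):
    """Report what the user sees versus where the link really goes."""
    preview = display_preview(url)
    trusted = is_trusted(url)
    # Brand names visible in the preview that do not own the real host.
    borrowed = sorted(d for d in TRUSTED_DOMAINS
                      if d in preview.lower() and not trusted)
    return {"preview": preview, "host": real_host(url),
            "trusted": trusted, "borrowed_brand": borrowed}

# Constructed sample links (".example" is a reserved, non-resolving TLD).
SAMPLES = [
    "https://www.usps.com/track?id=0000",                        # genuine host
    "https://usps.com.parcel-redelivery.example/track?id=0000",  # brand as subdomain
    "https://www.chase.com@account-verify.example/login",        # brand as userinfo
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(triage(link))
```

In both lookalike samples the visible preview starts with a familiar brand, yet the host that decides where the browser goes belongs to someone else.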