The average person these days is savvy enough to spot an email scam, which is why scammers have turned to text messages. Smishing (phishing via SMS) is on the rise, but here’s how you can avoid falling prey to it.
What Is a Text Message Scam?
The tactics of a text message scam are virtually identical to those used in a standard email phishing scam. “Phishing” is when someone acts like a representative of a legitimate business or institution to steal personal information, like your credit card details, bank account information, or social security number.
It normally starts with an email that seems legitimate. Within the body of the email, there’s a link to an “official” website that’s designed to trick you into giving away your login credentials, personal details, or money. The website is usually indistinguishable from the actual company’s, including the branding.
“Smishing” (a portmanteau of SMS and phishing) works almost identically. The scammer sends a text message with a link to potential victims. Normally, the message invites you to verify your account details, make a payment, or claim a prize.
Crafting a phishing email that doesn’t immediately raise suspicion requires some skill. The scammer has to be mindful of branding and tone and make sure the email is error-free. He also has to hope a spam filter doesn’t catch the email.
Because SMS is such a basic form of communication, fraudulent messages are a lot harder to spot. Text messages are short, which leaves little room for obvious spelling or grammar mistakes. Also, URL shorteners are common in text messages due to the 160-character limit.
This opportunity hasn’t gone unnoticed by scammers. Sending text messages en masse from a web interface is cheap and easy to do. While there is evidence of mobile carriers using spam filtering techniques similar to those of email providers, many smishing attempts slip through the net.
There are plenty of other scams circulated via SMS, as well. Social engineering, in which a scammer messages you directly and attempts to gain your trust, is also a problem. This type of scammer often uses phone calls and emails in addition to SMS messages to appear more legitimate.
Here are six things to keep in mind the next time you receive an unsolicited text message that invites you to click a link.
Number One: Is the Message Relevant to You?
Scammers will try anything to get you to click on their link. For example, they might say you’ve won something. But did you enter any sort of competition? You might be notified that you have a parcel to pick up, but are you expecting anything?
Sometimes, it’s a gift card for a store where you don’t shop. Other times it’s a final notice for a bill you’ve never received before. I’ve received messages about “prizes” from airlines I’ve never flown with—and how often do airlines give away prizes, anyway?
Always remember the golden rule: If it seems too good to be true, it probably is.
Number Two: Don’t Tap Links in Suspicious Messages
Most text message scams include a link, and, usually, the URL doesn’t match the company name. However, even if it does, you have no way of knowing whether it’s safe or not. Some of these scams are designed to spread malware, and, sometimes, all that requires a tap (or click) on a link.
To be safe, avoid tapping links in unsolicited text messages. In August 2019, people who own iPhones were exposed to malware simply by visiting a URL in Safari due to a zero-day exploit. While this was the first (and, as of this writing, only) exploit of its kind, it’s a reminder that you should never trust a random link.
If you do happen to tap a link, you might be redirected (often multiple times) to a different website. If the address bar in your browser bounces from one website to another in quick succession, that’s a good sign you’re being hit with a scam.
Number Three: Don’t Fall for a Convincing Website
Suppose you accidentally tap a link without giving it much thought, and you see a very official-looking website. Some scammers are adept at producing websites that appear identical to the companies they’re trying to imitate. Don’t fall for it!
A glance at the address bar should confirm any suspicions. Take a look at the example below from the Australia Post scam. The URL in the highlighted address bar doesn’t match that of the official Australia Post website, which means it’s a scam. However, some scammers go to great lengths to make their URLs look convincing, too.
It’s surprisingly easy to create a carbon copy of a website simply by downloading the page and uploading it elsewhere. Sometimes, the whole website functions as it normally would, including the “About Us” links and other unrelated content.
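The address-bar check described above, written out as an added example (it is not from the original article): a link counts as official only when its host is the official domain or a subdomain of it, not merely when the brand name appears somewhere in the URL. The allowlist, the shortener list, and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: a reader-maintained allowlist of official
# domains and a short, incomplete list of link shorteners.
OFFICIAL_DOMAINS = {"auspost.com.au"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def hostname_of(url):
    """Return the lower-cased host, ignoring userinfo, port, path and query."""
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return ""
    return host.rstrip(".").lower()


def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(url):
    host = hostname_of(url)
    if any(belongs_to(host, d) for d in OFFICIAL_DOMAINS):
        return "official"
    if any(belongs_to(host, s) for s in SHORTENERS):
        return "shortened"  # destination is hidden until the link is followed
    brands = {d.split(".")[0] for d in OFFICIAL_DOMAINS}
    if any(b in url.lower() for b in brands):
        return "lookalike"  # brand name appears, but the host is someone else's
    return "unrelated"


def check_message(text):
    """Classify every URL found in an SMS body."""
    urls = [u.rstrip(".,!?)") for u in URL_RE.findall(text)]
    return [(u, classify_link(u)) for u in urls]


# Constructed sample message using a reserved .example domain.
SAMPLE = "AusPost: parcel held. Pay fee at http://auspost.com.au.parcel-fee.example/pay."
if __name__ == "__main__":
    print(check_message(SAMPLE))
```

A "shortened" result means the text alone cannot tell you where the link leads, which is a reason to go to the company's site directly instead.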
Number Four: Pay Attention to the Grammar
A large percentage of smishing attempts originate in countries where English is not the official (or first) language. As a result, many scammers make spelling or grammar mistakes that should be relatively easy for a native speaker to spot.
This might be as simple as a misplaced word, improper capitalization, or a sentence that just seems “off.” Check out the double-space error in the message below. You also see incorrect capitalization, missing punctuation, and a URL that was incorrectly pasted mid-sentence.
Of course, not all scammers are from non-English-speaking countries. Many have a solid grasp of the language and understand how to make the bait look genuine.
Anecdotally, though, the vast majority of smishing attempts I’ve received have contained obvious grammar or spelling mistakes.
Number Five: Don’t Trust a Personalized Message
In many of the examples in this article, the scammers managed to get my name right. This sort of personalization could lead some to believe the message is genuine. You might receive a similar message trying to impersonate your bank, ISP, or cell provider.
Unfortunately, chances are high that some of your personal information has been leaked online. Data breaches are common, and they allow scammers to piece together information that makes them appear more legitimate.
For example, they might know your address, which smartphone you use, or your social media handles.
Number Six: Suspect It’s Real? Contact the Company Directly
One of the most common smishing attempts of late is the postage scam. The message appears to be from a postal service informing you that you have to pay additional shipping costs on a package or verify your address. To create a sense of urgency, the landing page says the package will be returned to the sender if you don’t pay.
My partner received the smishing attempt below last week. Despite the official-looking tracking number and a carbon copy of the Australia Post website, mail handlers don’t attempt to collect overdue shipping costs via text message. They also won’t send your package back within a few days of receiving it. Due to these inconsistencies, the scam was exposed.
A quick search led me to a page on the AusPost website describing the scam. We also previously explored the FedEx package delivery scam. If you receive a similar SMS, search the web for “USPS (or the relevant delivery service) text message scam.”
Social engineering attacks can be a lot harder to spot—particularly if you already think the person you’re talking to is who they say they are. One easy way to spot such a scam is if the other party is asking for payment or donations in gift cards, as they did recently in Louisville, Ky.
It’s well-established that companies will never email, text, or call you and ask for payment. If you suspect an overdue bill or postage fee isn’t legitimate, contact the company directly before you give out any information. If someone is soliciting donations, make sure you donate to the organization directly, via its official website, at a point of sale, or a collection box rather than via text.
Be Careful Out There
Be skeptical of any text messages you receive that aren’t from friends or acquaintances. If you keep these basics in mind, you won’t be tricked into giving up cash or your personal information.