Smishing, a combination of the words “SMS” and “Phishing,” is a type of cyber-attack that targets individuals through SMS or other forms of text messages.
Smishing attacks are like email-based phishing attacks: scammers lure victims into sharing personal information by getting them to click malicious links, download harmful files and software, or respond through chat messages. They typically disguise themselves as trusted sources and use social engineering tactics to manipulate the victim into taking undesired actions.
Identifying Smishing Attacks
Victims can be randomly or specifically selected based on data obtained via paid sources. This can include a victim’s address, full name, relatives’ information and even recent purchases. By analyzing the data, scammers create a personalized message that evokes emotion and urges readers to act. This could result in victims clicking the link, replying with personal information or downloading suspicious files.
Smishing red flags to be aware of:
Threats of prosecution if the user does not call a number or click a link.
Informal language being employed in serious matters.
Links that look different from the official bank/company/service address.
Promises of money or benefits that are too good to be true.
Messages from unexpected senders.
Vague wording that doesn't fully explain the reason for contacting you.
Banks asking for card numbers, ATM PINs or banking information.
Links in these messages usually mimic official websites from banks, businesses and other familiar institutions, and prompt the victim to share passwords and other personal information that can be used to commit identity theft, unauthorized transactions or data selling.
Preventing Smishing Attacks
Basic iOS and Android features, as well as several telecommunication companies, try to prevent spam messages from reaching your phone, or at least label them as “potential spam.” But it’s important to note that those systems are not perfect. You should always vet your text messages just as you would a suspicious email.
To help prevent attacks, there are some best practices you can follow:
Never click on any links, call any number or download any applications unless you're absolutely sure they're safe.
The same goes for sharing personal, banking or account information.
Activating Multifactor Authentication (MFA) on your accounts can protect your information, even if you fall victim to a smishing scam.
Avoid storing banking information on your mobile device, as it can be compromised after an attack.
If you're unsure if the sender is legitimate, try contacting the company/bank/service provider independently.
Keep your device and apps up to date with the newest security patches.
We highly encourage you to remain vigilant and to maintain a healthy dose of skepticism.
If you come across any suspicious messages, email them to abuse@umsystem.edu or contact your IT security office.