Five tips to help avoid smishing scams

May 8, 2024 | 5 minute read

Key takeaways

  • Smishing is phishing delivered by text — known as short message service, or SMS — to mobile phones and messaging applications.
  • A phish is any type of electronic communication that aims to steal personal or proprietary information for fraudulent purposes.
  • Be wary of responding to text messages from an unknown sender, especially if the message includes a link, asks for money or sounds urgent.

Smishing is a fast-growing version of one of the internet’s oldest and most successful scams. Like any other type of phishing, smishing aims to trick you into handing over sensitive data and information — only instead of using email, cyber criminals send their messages via text or short message service (SMS). Smish attempts are typically sent to mobile phone users as standard texts, but they can also be sent via popular messaging apps.

 

Smishing is a form of social engineering, where scammers exploit emotions like fear, sympathy, curiosity or greed to get individuals to divulge personal or business information. They do this by sending fraudulent texts to your phone or other mobile device, purporting to be from a trustworthy source, such as a delivery service, utility company, bank or government agency. The information they seek could include usernames, passwords, credit card numbers, bank account numbers, vendor names or other proprietary data. Cyber criminals then sell that data on the black market or use it to commit identity theft, empty bank accounts or redirect payments to themselves.


Criminals also use compromised phone numbers and spoofed or hacked accounts on popular messaging platforms to fake their identities. Smishing messages often contain links that take users to a website that may look legitimate, but actually steals usernames, passwords and other data when people log in. Some messages can even secretly install malware on victims' mobile devices.

 

Smishing has become more common, especially during the pandemic. In fact, non-email-based phishing attacks are also proliferating, with vishing (voice phishing), smishing (SMS phishing), and quishing (QR code phishing) increasing sevenfold in the second quarter of 2022.

 

Smishing is potentially more appealing to cyber criminals because users are more inclined to trust texts over other forms of communication. In fact, people respond to 45 percent of their texts while only 6 percent of emails receive a response.² This is likely due to years of email over-saturation; inboxes inundated by promotional offers and spam have trained users to become more suspicious.

 

Common smishing scams

 

Making false promises

Criminals employ a wide variety of smishing tactics to convince people to part with personal data — and money. They may make false promises of:

  • Gift cards, prize money, or other winnings
  • Low-interest or no-interest credit cards
  • Coupons and other discounts
  • Student loan debt forgiveness

 

Posing as legitimate companies

Smish attempts may also claim to be from legitimate companies with questions about your account or a transaction. They may:

  • Claim to be a customer service representative needing to verify account information
  • Want to discuss a recent suspicious charge or problem with your payment
  • Send a fake invoice and ask you to contact them if you didn’t authorize the purchase
  • Pretend to be a package delivery notification or tracker

 

Preying on charity

Smishing criminals may even prey upon your charitable impulses by:

  • Requesting donations after a natural disaster or other catastrophic event, such as hurricane or wildfire relief
  • Posing as people you may know, such as a community organizer or politician, who would collect monetary contributions   

Five ways to protect against smishing

  • Don’t click hyperlinks in texts from suspicious or unknown numbers. This is doubly true if the link is a short, abbreviated URL. When used in SMS messages, shortened URLs are often an indicator that cyber criminals are trying to mask overtly fake URLs.
  • Be wary. If you are urged to pay or give out sensitive information, pause and verify that the source is legitimate and trustworthy.
  • Never respond to texts from unknown or suspicious numbers – even to tell them to stop. Doing so will let scammers know your number is active, and you could be added to spam lists and harassed further.
  • Always keep your phone’s operating system up to date to protect against malware hidden in smishing links.
  • Pay attention to social engineering red flags, such as urgent messages or get-rich-quick fixes. If it seems too good to be true, it probably is.
  • Don’t trust texts asking for personal information, especially if they purport to come from real organizations. Remember that government agencies and legitimate companies — including Bank of America — will never text you asking for account details. If there’s any doubt, contact that person or organization through another trusted channel.
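
For teams that triage reported texts, the red flags in the list above can be checked mechanically. The following Python sketch is an added example, not Bank of America code; the keyword lists, the shortener list, the flag names and the sample messages are illustrative assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Illustrative keyword lists (assumptions, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
SIGNALS = {
    "urgency": ("urgent", "immediately", "act now", "final notice", "suspended"),
    "asks_for_payment_or_data": ("password", "pin", "account number",
                                 "card number", "verify your account", "pay now"),
    "too_good_to_be_true": ("gift card", "prize", "you won", "debt forgiveness"),
}
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def red_flags(sender, body, known_senders):
    """Return the sorted names of the red flags present in one text message."""
    flags = set()
    text = body.lower()
    urls = URL_RE.findall(body)
    if sender not in known_senders:
        flags.add("unknown_sender")
        if urls:
            flags.add("link_from_unknown_sender")
    for url in urls:
        # Bare domains have no scheme, so add one before parsing out the host.
        host = urlparse(url if "://" in url else "http://" + url).hostname or ""
        if host.removeprefix("www.") in SHORTENERS:
            flags.add("shortened_url")
    for name, phrases in SIGNALS.items():
        # Whole-word match so that "pin" does not fire on "shipping".
        if any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases):
            flags.add(name)
    return sorted(flags)

# Constructed sample messages; numbers use the fictional 555-01xx range.
KNOWN = {"+12025550100"}
SAMPLES = [
    ("+12025550143", "URGENT: your account is suspended. "
                     "Verify your account now at https://tinyurl.com/EXAMPLE"),
    ("+12025550199", "Congratulations! You won a $500 gift card. Reply YES to claim."),
    ("+12025550100", "Running late, see you at 6"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, red_flags(sender, body, KNOWN))
```

A message with no flags is not proof that it is safe; the output is a prompt to verify the sender through another trusted channel, as the last tip describes.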
