How to Avoid Getting Smished
How exactly do you get smished?
It happens when you become a victim of smishing. You might not have heard the term. I know I hadn’t until I stumbled across it while researching on the web. But if you’ve heard of “phishing”, it’s the same thing, just done via SMS messaging.
The way it works is someone, a hacker or criminal, sends you an SMS message that appears to be from a legitimate source – such as your bank or mobile carrier. The contents of the message are usually alarming. For example, your bank account has been frozen or compromised.
In the message they provide you with a link to a website or a phone number to call to fix the problem. If you click the link, the website will either download malware onto your phone or steal the account information you enter to log in to what you think is your bank or carrier. Once they have your account information, they can take your money or make purchases with it.
Every step you take following the message directions usually looks genuine. They make the website look like your bank (cybercriminals pick big banks that many people use). The login page looks like your bank's real login page.
So you do what most people would do: you log in.
What happens if you call a number they provide? The same thing, but usually you are connected to a live person who is skilled at getting information out of people. They'll know the terminology, and they may know your name and address. Before long you'll be reading your credit card information to them because they sound legitimate.
It's Been Around A While
While the term “smishing” was new to me, the concept isn’t. Criminals have been using the same techniques via phone and email for years. Smishing too, as it turns out, started some time ago. But it has surged in the last couple of years.
According to a BBC article, Interpol has identified social engineering (which smishing is) as “one of the world’s emerging fraud trends”.
In 2015, nearly £675m was lost due to social engineering fraud. It’s bound to continue to get worse because more and more people are using smartphones.
The risk for SMS users isn’t any greater than for email or phone. But what makes it so scary is that people haven’t been educated about it. By now most people know not to click on links in spam emails, or they have anti-virus and anti-malware software that warns them not to do so.
SMS messaging is so immediate, convenient and personal that it catches people unaware. And most people probably don’t have any apps on their phone checking for spam and blocking calls and messages.
What To Do
- Carefully consider the message. If it’s something that doesn’t make sense to you, question it. Don’t react immediately by doing what they ask.
- Don’t click on links or call the numbers provided.
- Go directly to the source. Instead of clicking links or calling, type in the URL of your bank, or call the bank number you find on your credit card or statement. (NOTE: Many articles suggest calling from a different phone if you have already clicked or called the number in the message. Apparently sophisticated hackers can hijack your phone and redirect a call to their call centre and not the actual bank).
- Block the number. Once you determine that the message was spam or a smishing attempt, use the built-in ability in your phone to block the number. Most phones have this, but you need to do it manually unless you download an app to do it for you.
- Report the number. All spam messages can be reported to the ICO, which can take action against the offenders. You can find information on how to report on their website.
The best defence against smishing is awareness. There are apps you can download onto your smartphone that claim to automatically detect spam and block calls. But your knowledge and intuition are also important because no app will be perfect.
Have you ever gotten a smishing message? Do you have a favourite app you use to block spam messages? Please share in the comments.