Every day, cybercriminals create new methods of obtaining private financial information from unsuspecting individuals, most commonly employing tactics like emailing strangers and convincing them to either share personal information or take an action that compromises their systems and devices. Known as “phishing,” these cybercrime attempts can also come by way of short message service (SMS) or text messaging, and when they do, it’s called “smishing.”
Scammers use smishing to prompt victims to click on internet links or send classified or personal information through texts and other messaging apps, making individuals vulnerable to identity theft and even extortion. However, understanding their methods can help you protect yourself. Here’s what to know:
Attacks Are Getting More Sophisticated
Cybercriminals often use a tactic called spoofing, where they impersonate a known sender or transmit messages from a legitimate number. Even if you know the sender, it’s still important to verify the message’s legitimacy before responding, opening an attachment, or clicking on a link that could potentially compromise your device.
Cybercriminals also share stolen credentials and personal information more readily now and work in gangs, ultimately amplifying the threat. Through social engineering of your publicly available information — often gleaned from social media — and private data procured illicitly, scammers are able to craft text messages specifically designed to lower your defenses. This means communication may look like it’s being sent from a known person or number, possibly making reference to shared knowledge. Fraudsters may apply a sense of urgency or another scare tactic that prompts you to react quickly instead of taking the time to scrutinize a request.
Additionally, the ever-growing capabilities of generative artificial intelligence (AI) tools have made it easier for scammers to develop smishing attempts that closely mirror conversation, making it simpler and more affordable to distribute cyberattacks successfully to a large audience.
“Whereas previous smishing and phishing messages often didn’t make sense, as generative AI advances, these messages contain fewer grammatical or spelling mistakes. As a result, users are less able to distinguish them from legitimate communications,” says Raina Kanakis, a security specialist with PNC’s Global Security Fusion Center.
Simple Precautions Can Mitigate Risk
Vigilance is key, especially as attacks become more sophisticated. One way to verify senders’ identities is by cross-checking short codes — the five- or six-digit number used by companies to deliver text messages to your phone. Each of these unique codes is used for certain purposes — to transmit card activity alerts, for instance.
Many companies, such as PNC Bank, have established resources to enable customers to verify the legitimacy of text messages appearing to come from them. By referencing PNC’s Short Codes page, for example, you can verify whether a text message originated from a legitimate short code, helping you detect and avoid possible impersonation fraud.
Use these additional strategies to help thwart smishing attempts:
1. If you are not expecting the message, proceed with caution.
2. Do not immediately respond.
3. Do not click on any links within a text message. Navigate to the URL using a different means to validate it.
4. If the message appears to come from a familiar company, contact them on a different channel to confirm legitimacy.
5. Getting a text and subsequent call does not increase legitimacy. Hang up and call the company or financial institution directly using a known telephone number.
6. Screenshot any suspicious message that appears to come from a company and send it to that company so it can verify the message and be alerted.
7. To report smishing to all mobile telecom carriers, screenshot and send the message to 7726. For added protection, use the “Report Junk” feature on your mobile carrier’s system.
8. Visit the FCC website for more information on how to avoid smishing scams.