One of the biggest scams you need to watch out for is coming from your phone.
In “smishing” ― a term that combines “SMS” and “phishing” ― bad actors try to get your personal and banking information through unsolicited text messages on mobile devices. They do it by pretending to be government agencies, companies that you might have done business with, or a package delivery service. They’ll say something to get your urgent attention like a text about a free gift that you have to pay a small “shipping fee” to receive or they will send a warning about suspicious activity on your account.
“We see a lot of it with people posturing banks, saying ‘This is Chase Bank, there is a hold on your account due to a security breach, click here to verify your information,’” said Amy Nofziger, the director of fraud victim support with AARP.
The Federal Trade Commission reports that Americans lost $330 million from smishing scams in 2022, with a median loss of $1,000.
These kind of texting scams have an easier time at fooling us because our phones train us to pay attention to them. “We have our devices with us, 24/7. And when we hear that little ‘Ding!’ we automatically look at it. Whereas we don’t do that as much with our email anymore,” Nofziger said.
In package smishing scams, the suspicious message can seem innocuous and read: “USPS: Since your package address does not have a house number, we are unable to arrange home delivery for you. Please update online,” the FTC shared as an example. But once you click, you’ll be asked to pay a “redelivery fee” to trick you into giving up your credit card information.
“Especially around the holidays and this time of the year, we are, on a more frequent basis, ordering packages. So it might not be out of the norm to get an email from a shipping company saying that there’s a delay,” Nofziger said. That’s why she advises consumers to get into the habit of writing down what you ordered, where you ordered it from, and what company will be the package delivery service.
When in doubt, call the source instead of relying on a text message. “If you do think that there’s a problem with your shipping, your package, your item, your bank account ― just call the company at the number you have for them. And just check that way,” Nofziger said.
“It is better to contact the company from their original website or phone number than to provide account information and login and password information from a bogus link,” said Stephanie Benoit-Kurtz, lead cybersecurity faculty at University of Phoenix College of Business and Information Technology.
How To Spot A ‘Smishing’ Message
A “smishing” message can seem like any other text message, but there are a few telltale signs that will warn you that something’s off. Here’s what to keep an eye on:
Look to see how many people also received your text.
If your text about a free gift or suspicious activity was also sent to multiple people, be suspicious. “That’s an immediate red flag, and you should absolutely delete it and block that number right away,” Nofziger said.
Be wary of unsolicited messages that ask for your information.
A regular solicitation will tell you information that you signed up to receive, while a spam message is more likely to ask for it, Nofziger said. “When they are then asking you to go off of that platform or asking you for personal information, that should be your No. 1 red flag. Nothing is as important as your personal and financial information,” she said.
Be suspicious of any action you have to do right away.
Bad actors want you to not have time to think, so make sure to take a breath and really think about what you are being asked to do. “The sense of urgency is ‘right now,’ and they are looking for you to wire a check, purchase and provide information from gift cards, or log in to an account from this link,” Benoit-Kurtz said.
What You Can Do To Block ‘Smishing’ Messages
Once you spot a “smishing” message, don’t just leave it in your messages folder. Take these actions to prevent future issues:
Block or filter unsolicited messages.
You can filter messages from unknown senders on Apple phones by going to Settings, then Messages. Scroll down until you see Filter Unknown Senders and select it.
On Android phones, go to Settings, then Blocked numbers. Turn on the Unknown option to block private or unidentified numbers from contacting you.
Nofziger said that filtering out these messages is “a great tool that people can use to give yourself a little red flag ... ‘Well this person is not my contacts list, because it didn’t come in my regular folder. So let me take a moment, calm down, pay attention to what this message is asking.’”
For unsolicited messages on iPhones that are not in your contacts, tap the Report Junk option that will appear, then tap Delete and Report Junk. On Android phones, click the person you want to block, then click More options, From there select “Block & report spam.”
In general, you can forward the suspicious message to 7726 (SPAM). That way, your wireless provider can learn to block similar spam messages for you. You can also report it to the FTC at reportfraud.ftc.gov.
What If I’ve Already Been ‘Smished’?
If you fell for the “smishing” scam, don’t panic. There are still steps you can take to mitigate losses.
If you click a link you think is suspicious, get your computer immediately checked for malware, Nofziger said. And ignore any follow-up texts the person may be sending you, even if they seem friendly.
“Stop the communication, because at some point, they’re going to ask you to go to a link or to help you with your device,” Nofziger said.
And make sure to call your bank about fraudulent transactions or security breaches, so they can investigate.
“If you think you are a victim of a scam, make sure to report it to the financial institution or the organization right away. You can also contact the state attorney general’s office to report the issue,” Benoit-Kurtz said.