Smishing: A Silly Word for a Serious Fraud Risk

These phishing attacks, in which scammers target victims through text messaging, are on the rise

By Octavio Blanco

Updated September 26, 2022

There was clearly something fishy afoot when Beth, a disabled 50-year-old from North Carolina, received two text messages saying she had money available to add to her phone’s digital wallet.

One message said, “Beth put this in your wallet and use it whenever.” The other said, “The balance on this account is yours. no be to share [sic].” Both messages included hyperlinks.

Beth, who asked not to use her last name, had just become the target of “smishing,” an increasingly common tactic criminals are using to commit fraud.

Instead of clicking on the embedded links, Beth deleted the messages and reported them to the Better Business Bureau, a business watchdog. “Money doesn’t just drop in your lap,” she told Consumer Reports, explaining why the messages raised her suspicions. Beth says she has been on high alert for fraud since being targeted by calls from scammers claiming to be officials from the IRS or Social Security.

The word smishing combines SMS, the primary technical format for text messaging, and phishing. As in other phishing attacks, the criminals masquerade as government workers, tech support representatives, long-lost friends, or financial institutions, and try to lure people into divulging personal details that could lead to fraudulent credit card purchases or identity theft.

Robotexts Are the New Robocalls

More than 87 billion spam texts were sent to U.S. phone users in 2021, according to RoboKiller, a spam text mitigation service—that’s 58 percent more than the prior year, RoboKiller says. And so far this year, U.S. phone users have received over 55 billion spam texts with 12.02 billion texts received in the month of June alone, according to RoboKiller.

Among the reasons for the increase in smishing is that people now trust text messages more than phone calls or emails.

“The masses have come to embrace texts over calls,” RoboKiller says in its report. In fact, a recent survey by Transaction Network Services, a robocall measurement and mitigation firm, finds that 75 percent of Americans never answer calls from unidentified numbers.

The COVID-19 pandemic also had a hand in increasing the volume of spam texts. As call-center staffers stayed home, fraudsters shifted to text messaging scams, which RoboKiller says need fewer workers to operate.

Finally, RoboKiller says that while regulator efforts to curb spam calls have been fierce, tools like Shaken/Stir, which helps carriers authenticate spoofed calls (calls that use a fake number to look like a government agency, a well-known company, or a local telephone exchange), don’t address spam texts. Scammers know this, and they’ve migrated from robocall scams to robotexts, RoboKiller says.

In 2021 the Federal Trade Commission logged 378,119 fraud complaints about unwanted text messages, including smishing attempts. That was up from the 332,000 unwanted texts received by the public the year before. And consumers reported a total loss of $86 million because of text messages to regulators in 2021, with an $800 average loss.

But RoboKiller says that number is actually much higher, estimating that consumers lost more than $10 billion because of spam texts in 2021. RoboKiller says the discrepancy exists because many people don’t report the scams to the FTC.

“Spam texts surpassed spam calls for the first time in 2020, and the gap widened in 2021,” says the RoboKiller report. “Scammers want to steal from you in a new way. This is no fad or fluke: In fact, it’s the second consecutive year in which spam texts outpaced spam calls,” wrote the authors of RoboKiller’s “Phone Scam Insights of 2021” report.

Recently, the Federal Communications Commission voted 4-0 to adopt proposed rule that would require mobile wireless providers to block illegal text messaging. The vote was the first step in a process that’ll include a comments period for stakeholders and the public to weigh in. The wireless industry’s trade group (CTIA) has published its best practices for how wireless providers should go about blocking spam texts, which the FCC is likely to lean on when determining implementation of its final rules.

“The wireless industry is committed to fighting spam while also helping legitimate messages get through,” the CTIA said in an emailed statement to Consumer Reports. “Through an industry-led approach, providers develop and follow best practices and use a range of tools—including filtering software, advanced analytics and blocking technology, and consumer complaint reporting mechanisms—to fight messaging spam and protect consumers. Those efforts have helped make text messaging one of the most trusted platforms with high open rates.”

And yet security issues and scams delivered by text messages continue to persist.

Top Scams

Delivery scams where fraudsters impersonate Amazon, FedEx, and the U.S. Postal Service are the most prominent text scam, accounting for over 26 percent of all SMS scams in 2021, according to RoboKiller. In these scams, robotexts are sent with links that are purported to be for tracking packages or adjusting user preferences. However, they’re actually links that connect users to fake websites where the recipient will divulge their sensitive information or download malware onto their device.

COVID-19 scams were the second most common text scam in 2021, according to the company. Here, scammers offer COVID-19 tests and request personal and financial information.

In addition to those scams, text messages are also used to perpetrate intricate bank and peer-to-peer (P2P) digital payment fraud.

With some bank frauds, victims are fooled into furnishing log-in credentials, which criminals use to siphon out cash or open credit cards, whereas with P2P frauds, victims can be tricked into paying for goods and services they never receive, or sending money to people pretending to be friends or relatives. There have even been reports of identity theft in which the criminals will use someone else’s name and information to rent property.

Here are a few tips to stay safe when using text messages.

How to Avoid Smishing

You should never reply or click on any links in an unwanted text. They can contain malicious code that could infect your mobile phone.
Forward unwanted texts to 7726, which spells SPAM. It’s free to do and forwards the messages to your phone carrier’s spam department so that it can take action against the number. If a message is being delivered over a third-party messaging app, you’ll want to report it to the app that you use by looking for an option to report junk or spam.
Your phone should have an option to filter or block messages from a specific number. Major providers also often have a tool or service that can block spam calls and texts that you can look for and use. Similarly you can download a call- and text-blocking app from your phone’s app market or download apps from the Apple or Google app stores.
Beware of messages that are claimed to be from government agencies, such as the IRS or Social Security. The IRS will never send you an unsolicited text message or initiate contact via text message, email, or social media. Social Security does allow marketing firms to send emails to raise awareness of Social Security’s online services, and it uses text messages for two-factor authentication—but only if you’ve set up that security measure through your online account.
A telltale sign that you may be under attack is that a message is trying to impart a sense of urgency. These types of scams often imply that an immediate response is required to take advantage of an offer or to avoid a penalty.
Don’t be taken in by friendly, familiar language. Smishing text messages may use your name. While they often come from unfamiliar numbers, sometimes they seem to have originated from a phone number you recognize.
Do not respond to suspicious text messages, even if the message says you can “text STOP” to prevent future messages. Any response on your part will confirm for the scammers that the number is in use—and you’ll just be inviting more texts.
You should always be careful when giving out your phone number and when entering your phone number into any customer site. You should read through the commercial web forms and check for a privacy policy. In these cases you should be able to opt out of texts, but it may require you to check or uncheck a box.
Delete all suspicious texts.
Make sure your phone’s operating system is up to date. Android and iOS are constantly being updated with enhanced security features. On Android models and iPhones, your phone’s settings page should indicate which system you’re using and whether an update is available.
If you get a suspicious text from an official-sounding entity and want to check it out, don’t use any information from the message itself. Instead, call or email the company or government agency directly, using an official phone number from a recent bill or another valid source of information.
You should also alert law enforcement to the attack by submitting a report to the FCC or the Federal Trade Commission.

@consumerreports
Stay safe with these smart security tips. See other expert advice through the link in our bio. #securitytiktok #techtok #techtoktips
♬ original sound - Consumer Reports

Octavio Blanco

My mission: To write stories that broaden readers' horizons and offer new solutions they can apply to their lives. Who I write for: My family, my friends, my neighbors, myself, and—most important—you. My passions: Music, art, coffee, cheese, good TV, and riding my electric bike.