“Smishing” Scams — How to Recognize and Avoid This Common Fraud Tactic

By now, you’ve probably heard of phishing (fraudulent emails that trick recipients into clicking on harmful links), but are you familiar with phishing’s equally scary cousin, smishing?

Smishing attacks are becoming more and more frequent, so it’s good to be aware of how these common scams work — and how you can avoid becoming a victim. Keep reading to learn how to avoid falling into a smisher’s net.

What is Smishing?

The word “smishing” is a combination of the words “SMS” and “phishing.” SMS refers to “short messaging service,” more commonly known as text messaging.

In a smishing attack, fraudsters send text messages to mobile devices. These texts are designed to get the recipient to take action by including content that elicits an emotional response. According to the Federal Trade Commission, common smishing text tactics include:

  • A notice of suspicious activity on your bank account
  • A promise of free prizes, gift cards, or coupons
  • An offer of a low- or no-interest credit card
  • A promise to help you pay off your student loans
  • A claim that there’s a problem with your payment information
  • Delivery of a fake invoice with a note to contact them if you didn’t authorize the purchase
  • A package delivery notification

The text usually requests that the recipient click on a link that is included in the message. If the recipient clicks on this link, they are taken to a fake webpage where they are asked to enter information like online banking login info, passwords, social security numbers, credit card details, or other personal data.

In an effort to build credibility and persuade people to unwittingly give up sensitive information, these faked webpages can be professionally designed and may appear legitimate.

These fraudulent texts rely on name recognition, so they often appear to come from a familiar company that you may do business with. Banks and credit unions, along with companies like UPS, FedEx, Amazon, and even federal agencies like the IRS have reported similar text message scams.

Why Did I Receive a Smishing Text? 

Unlike phishing scams, smishing scammers don’t need personal information to send fraudulent texts. They simply send messages to a random list of 10-digit number combinations. At least some of these combinations will be actual phone numbers, making the scammers successful in getting their fraudulent texts delivered.

Scammers can target a geographical area by starting their number combinations with a specific area code. The fraudsters will pick the name of a financial institution with that area code and use that institution’s name in their text message to make the message seem more legitimate.

For example, Connexus is headquartered in central Wisconsin, where the area code is 715. Scammers can deduce that a number of central Wisconsin residents will do their banking at Connexus, just based on location. Scammers send a text blast to phone numbers with a 715 area code and mention Connexus by name in the text.

Their hope is that some of their texts will be delivered to the cell phones of actual Connexus members who assume the text is authentic and attempt to log into a fake Digital Banking page. (This also explains why even non-members who have a local phone number may receive a text saying it’s from “Connexus” or another local bank or credit union).

How to Avoid Becoming a Victim of a Smishing Scam

Because scammers don’t need your personal information to send you a message, it can be practically impossible to avoid receiving smishing texts. Luckily, just receiving the text doesn’t put you in danger — as long as you can recognize the text as a scam.

Knowing how to identify a fraudulent text is key to avoiding smishing scams. Here are some considerations that can help you identify a fraudulent text.

  • Few companies will call or text asking you to share personal, account, or login information. If the text asks you for any of that information, it’s a good sign that it’s a smishing text.
  • Look for typos. Misspellings, especially of the company’s name, are a smishing giveaway.
  • Is the text urgent? Most companies won’t relay urgent account information over text – they will call you. If the message feels too urgent, it may be designed to elicit a knee-jerk response to get the recipient to take action quickly.

Each financial institution will have its own text messaging protocols. Check with your bank or credit union to learn if and when they would send a text alert. In the case of Connexus, text message alerts are sent from the numbers 31029, 296277, 48704, 87175, 86940, and 75373. (Voice call authentication codes come from 717.204.4535.) Texts sent from any other numbers are not legitimate Connexus texts. 

What to Do if You Receive a Scam Text

So, what if you get a text to your cell phone and you’re not sure if it’s legitimate? Here are a few tips.

To start, don’t click any links contained in the text until you have determined its legitimacy, and don’t respond to or engage with the sender.

Instead, call the supposed sender directly — but not via the number from which the text was sent, and not by calling a phone number contained in the text. Instead, locate the company’s legitimate phone number through a phone book or by looking up the organization’s official website. A representative from that company or institution will be able to determine whether the text was legitimate.

If you do determine that a text is an attempt at smishing, you can report the text to your wireless service provider by forwarding the text to 7726 (or “SPAM”). Then, delete the message and block the sender. 

Stay Savvy and Avoid Smishing Scams

The smishing scammers are out there. Luckily, armed with the right information, you can spot and avoid these texts and not get caught in a scam.

Learn more about common scams and ways to protect your accounts in the Connexus Security & Fraud center.