What is smishing, and how can it be avoided?

Published on January 23, 2018 in Cybersecurity

By now, there’s a good chance you’re already familiar with “phishing.” You know the deal. Hackers or other nefarious online criminals send you suspicious links by email or social media or redirect you to cleverly faked websites in order to collect private information. Despite ransomware taking center stage these days, many online criminals are still utilizing various forms of phishing to separate unwary web users from their money. But it’s not just sketchy websites you need to worry about. Phishing has given way to a new type of digital scam: smishing.

What is smishing?

“Smishing” is a portmanteau of “SMS phishing” or phishing that occurs through text messaging. While it’s difficult to track the first incident of smishing, Google Trends shows at least minimal interest in the term as early as 2004, with a significant spike in 2006.

[Figure: Google Trends interest in the term “smishing”]

Interest in smishing has gradually increased since then, aided by the growth in smartphones with web browsing capabilities.

For the most part, smishing is just the application of common phishing techniques to a mobile device. Cyber criminals will obtain a phone number from the dark web following a data breach, through web crawlers checking social media posts, or even through a random number generator. They’ll then send out text messages asking users to call a number or click on a link. The messages scammers send often involve bank accounts, and in some cases, may even contain most or all of a potential victim’s credit card or bank account number. However, the scams can run the gamut, and may even involve spoofing companies that are locally known to you.

One NBC Nightly News report highlights a smishing scam that tried to get victims to activate a new credit card. The messages prompted individuals to call a number and enter private information over the phone. Other smishing scams identified by the report include ones that tell users their online accounts (such as Apple ID) are expiring. Others offer promises of cash prizes from companies like Walmart if only you’ll click on the included link.

At times, smishing may actually lead users to install a virus on their devices. In these situations, the results may actually be worse for some users. A Pew Research survey found that only 32 percent of smartphone users install antivirus software on their devices. And while the data doesn’t distinguish between iPhone and Android users, our best guess is that the majority of that 32 percent is coming from Android. Unfortunately, Mac users typically spurn antivirus, falsely believing their Apple devices are immune to threats.

Overall, what smishers are usually looking for is the missing piece of the puzzle. That could be a social security number, PIN, password, or any other private detail that will help them access your accounts. It’s easy to say “don’t give it to them,” yet many smishing scams are intricately designed to elicit a response, even if that response is just a tentative and short-lived click on a link.

How to avoid smishing scams

At a high level, avoiding smishing scams is simple. Not clicking on links in unfamiliar or unexpected text messages is an easy first step. However, cyber criminals who use smishing scams are full of tricks that are intended to get one of two types of responses: either a click on a link or a response (either by phone or text) to the number sending the message. While you may feel empowered by avoiding any suspicious links, you’ll need to fight the desire to call or text back telling the scammers to stop.

Here are a few tips to avoid falling prey to a smishing scam.

1. Don’t reply to the text message or call the number

Even if the text message says “text ‘stop’ to stop receiving messages,” never reply. If you are sure the message is coming from a scam number, replying may actually result in more messages getting spammed to your phone. The same may be true of calling the number. Often, scammers don’t know if the numbers they’re using are actually active. Providing a response to the message will verify to them that the number is indeed active, leading them to continue and potentially increase the number of scam messages you’re receiving.

A more effective option is to just block the number outright. Unfortunately, some phone models do not include number blocking in the phone’s software. You may need to install a number blocking app from your phone’s app store.

2. Do a web search of both the number and the message content

If you’re feeling a bit uneasy about a potential smishing scam, type the number or the message (or both) into a Google search. Chances are, you are not the first person to receive that message. In many cases, you’ll find others posting on various scam number websites. Don’t just trust one negative response or inquiry, however. Look to see if a suspicious number or message has numerous others posting that it’s potentially a scam.

For personal reference, I tend to get a lot of spam and robocalls. My personal favorite site for this is 800notes.com. When I get a call from a suspicious number, I rely on the site to help vet the number for potential scams or spam.

3. If the phishing message is spoofing a company, call the company directly

Many smishing messages will pretend to be a well-known company, such as a store or bank. If you believe the message is a scam, instead of calling or texting the scam number, look up that company’s customer service number from its official website. Contact the service through that number and inquire about the message you received. If they confirm that it’s not from them, delete it.

4. Don’t click on any links in the message

All forms of smishing are usually a game of emotional manipulation. Often, scammers don’t need you to overtly give up passwords, PINs and social security numbers. At times, all they need to do is pique your interest enough to get you to click on a link and download a virus to your phone. There’s a good chance that if you did click on a phishing link, your mobile device is already infected. Since the goal for such viruses is often to stay hidden, you may not realize your phone is actually infected. However, some telltale signs may be:

  • Unexpected memory usage
  • Phone heating up excessively
  • Pop-up messages while using your smartphone web browser

If you did happen to click on a link from a suspected smishing text message, your best option is to install an antivirus app and scan your device. Any virus hiding on your phone could be logging keystrokes and stealing private information, meaning the smishing scam could already have been successful. Still, it’s better to cut it off at the heels even if you’ve potentially lost valuable information up to this point.

On the other hand, installing an antivirus app can help prevent smishing attacks in the future. A good antivirus app should block any future virus installation attempts, as well as block potentially malicious websites.

5. Utilize a VPN on your mobile device

One thing that often gets overlooked regarding smishing attacks is the collection of location data. According to internet security company Sophos, cybercriminals are increasingly using location data to better target individuals. Cybercriminals can use that data to send you smishing messages that appear extremely local. If the message seems more personal, it’s more likely to yield a response from victims.

A VPN app could help spoof your location, making it seem like you are somewhere else. If you receive a smishing message based on your spoofed location, it’s much easier to recognize it as a scam. However, more intelligent scammers may just use your phone’s area code to deliver somewhat relevant scams to your phone.

Nevertheless, a VPN can help prevent a cybercriminal from obtaining any data from your device. As your data moves from your smartphone across the mobile network, it’s encrypted through the VPN tunnel. The scammer, therefore, may have a virus installed on your device but may be unable to receive any valuable data from it due to VPN encryption. This can help save you should you fall prey to a smishing scam that installs a virus on your device, and afford you time to get rid of it.

Be proactive

Most importantly, avoiding smishing scams involves being proactive. If a message feels wrong, don’t take any chances. Any reputable company will never conduct important business over text message, and will almost certainly never ask you to enter private account information through a text message or a suspicious link. If the message is real and important, companies will likely call or send an email.
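The lures and tips described above (a link to click, a number to call, a bank, account-expiry or prize pretext, a request for a PIN or password, “text stop” bait) can be expressed as a simple triage heuristic. This is an added example, not part of the original article; the keyword lists, scoring weights, domains, phone numbers and sample messages are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Patterns for the lures this article describes. Keyword lists are
# illustrative assumptions, not a vetted ruleset; tune them on real traffic.
URL_RE = re.compile(r"https?://\S+|www\.\S+|\b[\w-]+(?:\.[\w-]+)+/\S*", re.I)
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d[\s().-]{0,2}){9,14}\d(?!\d)")
THEMES = {
    "account_or_card": r"\b(?:bank|credit card|debit card|account|apple id)\b",
    "urgency": r"\b(?:expir\w+|activate|suspended|locked|verify)\b",
    "prize": r"\b(?:won|winner|prize|gift card)\b",
    "asks_for_secret": r"\b(?:social security|ssn|pin|password)\b",
    "reply_bait": r"\b(?:reply|text)\s+['\"]?stop\b",
}

@dataclass
class Triage:
    links: list
    numbers: list
    themes: list
    score: int
    suspicious: bool
    advice: list

def triage_sms(body: str) -> Triage:
    links = URL_RE.findall(body)
    # Strip links first so digits inside a URL are not read as a phone number.
    numbers = PHONE_RE.findall(URL_RE.sub(" ", body))
    themes = [n for n, rx in THEMES.items() if re.search(rx, body, re.I)]
    # A lure needs a response channel (link, callback number, reply bait)
    # plus at least one pretext; a bare number from a friend scores low.
    channel = bool(links or numbers or "reply_bait" in themes)
    score = 2 * bool(links) + bool(numbers) + len(themes)
    suspicious = channel and score >= 3
    advice = []
    if suspicious:
        if links:
            advice.append("do not open the link")
        if numbers or "reply_bait" in themes:
            advice.append("do not call or reply; block the sender")
        if "account_or_card" in themes:
            advice.append("contact the company via its official website number")
        advice.append("search the number and message text for scam reports")
    return Triage(links, numbers, themes, score, suspicious, advice)

# Constructed sample messages; every number and domain here is made up.
SAMPLES = [
    "Your new credit card is ready. Call 1-800-555-0100 to activate it now.",
    "You won a $1000 Walmart gift card! Claim: walmart-rewards.example/claim Text STOP to opt out",
    "Your Apple ID is expiring today. Verify at https://appleid-support.example/login",
    "Dinner at 7? Call me on 020 7946 0018",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        t = triage_sms(msg)
        print(f"{'SUSPICIOUS' if t.suspicious else 'ok':10} score={t.score} "
              f"themes={t.themes}\n  {msg}\n  -> {'; '.join(t.advice) or 'no action'}")
```

A heuristic like this only ranks messages for a closer look; a low score does not mean a message is safe.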

How to block and report SMS spam on Android and iOS

[Image: RoboKiller. Source: RoboKiller]

Having trouble with an influx of SMS spam or phone calls to your Android or iOS device? You might have a few solutions available to you through your app store, or even through your phone’s operating system.

Block calls and text messages on iOS

Since the introduction of iOS 7, Apple has included call and text message blocking as a software feature. To block either text messages or phone numbers, go to:

  • Settings
  • Phone (or Messages for texts)
  • Blocked

From there, add the numbers you want to block to reject all new messages. You can also block text messages by going to your Messages, selecting the offending message, selecting “Details” under “i” from the top right of your screen, and then selecting “Block Caller”.

Keep in mind that for this to work, you’ll need to add a number to your contacts list. This is a good way to block contacts from repeated offenders, but it won’t block smishing or other phone spam attempts from unregistered numbers.

If you’re looking for more intelligent call blocking, you may want to consider RoboKiller. This app has been lauded by the Federal Trade Commission for its ability to significantly reduce the number of spam calls making it through to your phone. RoboKiller has a number of spam numbers registered in its system but also predicts when a call is likely to be spam. Any call that comes through can be added to its blacklist. Blocked numbers that you want to receive are whitelisted. As of November 2017, RoboKiller also includes an SMS filter to help block out unwanted smishing and other spam text messages.

Block calls and text messages on Android

Because Android phones are not unified in their architecture, you may or may not have the option to add numbers to a block list. Each device maker modifies Android in different ways, and some mobile networks, like T-Mobile or Verizon, may alter the operating systems even further.

To find out how to natively block numbers on your phone specifically, first perform a Google search. For example, you might search “how to block texts on Galaxy S7”. Such a search will bring up varying results depending on your device and Android version, so you’ll want to double check.

If you’re not sure what device you’re using, most Android mobile phones have that information available through Settings > About phone. If you look under “Phone name” it should contain the exact phone model you’re using, defaulted as the phone’s “name” which appears when you connect to a wi-fi network. However, if you for some reason changed your phone name and can’t remember the model number, tap on “Hardware info”. You’ll find the information there as well.

As with iPhones, blocking numbers will filter out repeat spam callers and smishing attempts, but it won’t intelligently block new numbers. For that, Android users have a long list of options.

The Google Play Store is filled to the brim with SMS and call spam blockers. As with most Android apps, though, you’ll need to do a bit of personal research to decide on which app to trust. Rule of thumb: check the reviews and the app rating. However, those two together are still not a guarantee that you’ll get a good app, especially on the Google Play Store. Fake reviews on Google Play are a bit of a problem, and there’s no easy solution either. The last thing you want to do is download a bad app, or worse, one riddled with spyware.

Based on our own analysis of app reviews and ratings, we recommend the Truecaller: Caller ID, SMS spam blocking & Dialer app. The app has over 100 million downloads, over 4 million positive reviews, and has email support from the company. The app can intelligently block both SMS spam and phone calls. It also allows you to blacklist and whitelist numbers on the fly.

How to report spam calls and messages: US, UK, Canada, Australia

[Image: Do Not Call Registry. Source: Federal Trade Commission]

You might feel a bit helpless against spam calls and text messages, but you do have a voice. In the US, UK, Canada, and Australia, both official and unofficial options exist to help take down spammers.

US Residents

Several years ago, the U.S. set up the National Do Not Call Registry, where individuals could submit their phone number to get themselves removed from telemarketers’ call lists. The service worked for a time. Last year, however, many news outlets began reporting what many people already recognized: the registry is no longer working.

Despite the threat of prosecution from the government, spam callers and texters are newly emboldened in their efforts. Here are two ways to help fight back.

  1. Register spam numbers with a dedicated spam number website

A number of websites now exist where you can report and discuss spam numbers. If you receive a call or text from a spam number, submit the number to a site dedicated to rooting out phone spam. We again recommend the website 800notes.com. Here you can submit the number with a note about the call or text message. This will help others who are also receiving messages from these numbers and wondering whether they’re trustworthy.

  2. File a complaint

Although the National Do Not Call Registry is effectively dead, you can still file a complaint with the FTC. Note, however, that the FTC requires your number to be registered with the registry for at least 31 days before you can file a complaint. The DNCR is primarily for spam phone calls.

You can report spam text messages directly to the FTC without registering with the DNCR. Simply go here and complete the online complaint form.

Don’t expect an immediate or timely response from this method, however. And even if your complaint is looked into, you are unlikely to hear back from the government directly about any action taken. Complaints most likely go into a database, where the FTC will look for repeat offenders and investigate those numbers. Still, adding your data to their information can help root out spammers.

UK Residents

If you’re receiving scam texts and phone calls in the UK, here are a few available options for you.

  1. Contact ActionFraud

ActionFraud, or the National Fraud & Cyber Crime Reporting Centre, was set up to handle the ongoing scam issues in the UK. If you’ve been receiving what are clearly fraud messages, you can either call the Centre (0300 123 2040), or use their online reporting tool.

  2. Register with the Telephone Preference Service – and file a complaint if you’re already registered

The Telephone Preference Service is designed to prevent or reduce unsolicited telemarketing calls to your phone. You can register your number with TPS on their website.

If you’re already registered and you’re still receiving calls, you can file a complaint through the website as well.

  3. File a complaint with the Information Commissioner’s Office (ICO)

TPS suggests filing a complaint with ICO as well if you continue to receive unwanted calls. Unlike TPS, however, ICO also specifies handling SMS spam. This is a good option if you are receiving smishing attempts on your phone. ICO handles all types of spam and fraud associated with digital communications.

  4. Register the number with a reverse number website

If you know the scam number is a problem, look it up and register it with a reverse number website like who-called.co.uk. The site lets you register numbers that you know are a scam as well as look up numbers that might be suspicious. If you’re leaving a scam number on the site, you can leave a note to explain what kind of behavior or messages you were receiving to help others in the fight against spam.

Canada Residents

In Canada, phone scams are still a problem despite government efforts. Here are some options Canadians can take to fight back.

  1. Use a reverse number lookup and registration site.

There are a few sites available for looking up numbers in Canada. We suggest canadianareacodes.net. The site maintains an active list of numbers registered in Canada. You can also register a number with information regarding the kind of message you received to help others discover whether a number is being used to run scams.

  2. Report the scam to the Canadian Anti-Fraud Centre

The CAFC was set up to help Canadian residents identify and report all types of fraud and scams. This includes smishing attempts and nuisance phone calls. You can either call the CAFC (1-888-495-8501) or register the complaint with their online Fraud Reporting System. The CAFC online system requires you to have a GCKey to login and register your complaint. The key is free, but you’ll need to obtain your GCKey through an online portal.

Australia Residents

As with Canada, the UK, and the US, Australia has its own, increasingly troublesome phone scam problem. Here are some solutions for Australian residents who need to take action against phone spammers.

  1. Enter the Do Not Call Register

Australia’s Do Not Call Register has been going strong for over a decade. In case you missed it, the government made numbers submitted to the register permanent. This means you do not need to resubmit your number, helping solve the issue of having your number expire and those spam calls re-emerge. Government research from 2015 shows most Do Not Call Register users noticed significant reductions in unwanted calls.

  2. File a complaint with the Australian Communications and Media Authority (ACMA)

The ACMA, which also runs the Do Not Call Register, allows you to lodge a complaint online if you’ve been receiving spam messages. You will need to have been registered for at least 30 days and the calls must have been received during non-standard business hours. Unfortunately, the complaints must be related to spam calls and do not count for SMS spam.

To report SMS spam to the ACMA, you’ll need to forward your spam text message to the agency directly. The number to forward SMS spam to is: 0429 999 888. It’s important that you forward the number to the ACMA, as this adds to their database and helps them better identify, track and ultimately deal with SMS spammers. The ACMA provides additional details for dealing with smishing attempts.

  3. Register the number with a reverse number website

If you’re convinced a number sending you messages or calls is a scam, register that number online. For Australia, the best site to use is reverseaustralia.com. The website allows you to register numbers with a comment regarding what type of behavior you received from that number. You can also use it to look up suspicious numbers in case you’re concerned a call or text from an unknown number could be a scam.

Even with your phone scam issues covered, you’ll still need to be on the lookout for email scams. But that’s a matter for another day.
