Phishing and Smishing

Social Engineering refers to the manipulation of people into performing actions or divulging confidential information. By using creative methods, scammers, criminals, and other bad actors can gain access to your personal information. Two of the most common methods used are known as Phishing and Smishing. Below we’ll review what these methods are, how they are used, and how to protect yourself against these threats.

What is Phishing?

Phishing is defined as “a technique for attempting to acquire sensitive data through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.” A phishing email or website will often disguise itself as a legitimate organization, such as your credit union or bank, an online storefront, or social media to get you to provide sensitive information.

Examples of Phishing

Some examples of phishing may follow themes as shown below:

Example 1: You receive an email claiming to be from a service stating “Your credentials need to be verified.” When you click on the link, it has you enter your email and current password, often twice to ensure the entries match. When you enter this information on the fake page, the attacker logs it and shows a follow-up message pretending to be a confirmation before redirecting you to the actual service’s website.

Example 2: Your friend on Facebook has their account hacked. While it is compromised, the hacker using their account sends you a suspicious link, often with a message like “Is this you?” or “I need your help.” These links are usually either a shortened “bitly” link or a long link. Once you click on the link, the website it leads to may ask you for information or may install malware on your device without prompting.

Smishing is a form of Phishing in which an attacker uses text messages (SMS, therefore SMS + phishing) to get a target to click a link or reply with sensitive information by pretending to be a legitimate business.

Examples of Smishing

Example 1: You receive a text message asking whether you authorized a large transaction at a store you wouldn’t normally go to. The message asks you to reply “Yes” or “No.” When you reply, a scammer calls to walk you through fixing the fraudulent transaction while gaining sensitive information from you. This allows the scammer to potentially gain access to your credit card information, making more transactions in the process.

Example 2: You receive a text message stating that an application is out of date and needs to be updated, followed by a shortened hyperlink. When you click on the link, mobile malware is installed, allowing the scammer to see certain things you do on your phone, whether it’s credentials for applications, credit cards used on mobile purchases, or more.

How to Protect Yourself from Phishing and Smishing

When dealing with potentially fraudulent messages, there are many ways that you can protect yourself. Below is a list of best practices that you should follow to ensure your safety in these scenarios.

  • Slow down, and think before you react to a message.
  • Check the email address of the sender. If the name doesn’t match the email address, it is likely fraudulent.
  • Check the phone number of the sender. Typically, legitimate texts from a corporation will only come from a 5- or 6-digit number (with some exceptions for text receipts from small businesses). If the sender has a 10-digit number with a random area code or comes from an international number with a country code, do not reply or open any links.
  • Check the message for typos. Oftentimes phishing messages will have obvious grammatical errors.
  • If you see text as a hyperlink (blue underlined text), use extreme caution. Hover your mouse over it to see what the web address is. If the web address seems suspicious (a shortened link, typos, or a service you’re unfamiliar with), do not open it.
  • If the message creates a sense of urgency to act, do not respond to it. This is often the easiest way to get someone to click or reply without considering the source.
  • If you are unsure of the validity of a message, do not reply to it.
  • If a message claims to be from a service you use but arrives from a new number or unofficial email, do not reply. If you have questions or want to verify whether the message is valid, call the vendor’s official phone number listed on their website to confirm.
  • Do not provide sensitive information via text message or email. Any business that needs this information will have a secure and approved method in alignment with its security protocols.
  • If you receive a suspicious message from a friend or family member, reach out to them via another method to confirm it was really them. If you suspect their account was compromised, let them know so they can fix it.
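As an added example that is not part of the original page, here are the sender, phone-number, link and urgency checks from the list above expressed as a small Python triage script. The shortener list, urgency phrases, sample messages and the assumption of US-style phone numbering are mine, not the page's.

```python
import re

# Constructed lists for this example; a real deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URGENCY_PHRASES = ("verif", "immediately", "act now", "suspend", "urgent", "24 hours")

def name_address_mismatch(display_name, address):
    """Check: the organization named in the display name should appear in the sender's domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    words = [w for w in re.findall(r"[a-z]+", display_name.lower()) if len(w) > 3]
    return bool(words) and not any(w in domain for w in words)

def phone_risk(number):
    """Check: 5- or 6-digit short codes are typical of companies (assumes US numbering);
    10-digit or non-US international senders are treated as suspicious."""
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+") and not digits.startswith("1"):
        return "international"
    if len(digits) in (5, 6):
        return "short-code"
    return "long-number" if len(digits) in (10, 11) else "unknown"

def suspicious_links(body, trusted_hosts):
    """Check: shortened links, or link hosts outside the sender's known domains, are flagged."""
    hosts = [re.sub(r"^https?://", "", u).split("/")[0].lower() for u in re.findall(r"https?://\S+", body)]
    return [h for h in hosts if h in SHORTENER_HOSTS or h not in trusted_hosts]

def urgency_hits(body):
    """Check: wording that pressures the reader to act right away."""
    return [p for p in URGENCY_PHRASES if p in body.lower()]

def triage(msg, trusted_hosts):
    """Return the reasons a message looks like phishing/smishing (empty list means no flags)."""
    reasons = []
    if msg["channel"] == "email" and name_address_mismatch(msg["display_name"], msg["sender"]):
        reasons.append("display name does not match sender address")
    if msg["channel"] == "sms" and phone_risk(msg["sender"]) in ("international", "long-number"):
        reasons.append(f"sender number is {phone_risk(msg['sender'])}, not a short code")
    reasons += [f"suspicious link host: {h}" for h in suspicious_links(msg["body"], trusted_hosts)]
    if urgency_hits(msg["body"]):
        reasons.append("urgent wording: " + ", ".join(urgency_hits(msg["body"])))
    return reasons

# Constructed sample messages; the domains and numbers are placeholders, not real services.
TRUSTED_HOSTS = {"acmecu.example"}
PHISH_EMAIL = {"channel": "email", "display_name": "Acme Credit Union",
               "sender": "alerts@secure-login-check.example",
               "body": "Your credentials need to be verified immediately: http://bit.ly/abc123"}
LEGIT_EMAIL = {"channel": "email", "display_name": "Acme Credit Union", "sender": "notices@acmecu.example",
               "body": "Your monthly statement is available at https://acmecu.example/statements"}
SMISH_TEXT = {"channel": "sms", "display_name": "", "sender": "+44 7700 900123",
              "body": "Your app is out of date, update now: http://tinyurl.com/upd8"}
LEGIT_TEXT = {"channel": "sms", "display_name": "", "sender": "73210",
              "body": "Acme CU: a $42.10 purchase at GROCER posted to your card ending 1234."}

if __name__ == "__main__":
    for m in (PHISH_EMAIL, LEGIT_EMAIL, SMISH_TEXT, LEGIT_TEXT):
        print(m["sender"], "->", triage(m, TRUSTED_HOSTS) or "no flags")
```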