Skip to Main Content

Tricky Texts: How to Avoid “Smishing” Scams


Woman shopping on her mobile phone

“Phishing” attempts are no longer limited to email. Fraudulent offers and notices may also come to you via text; sometimes referred to as “smishing” or SMS phishing.

What Is Phishing?

Phishing is a cybercrime in which a target is contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking, and credit card details and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.

“Smishing” is a mash-up of “SMS phishing,” or phishing that occurs through text messaging. When it comes to fraudulent texts, it may be harder to tell what’s coming from a legitimate party. For example, some common scams include a UPS or USPS message regarding package tracking, or scammers posing as streaming companies such as Netflix regarding a payment issue.

So, How Can I Tell If a Message Is Fraudulent?

1. The number is unusually long

Legitimate marketing text messages are often sent from a 6-digit shortcode, a text-enabled, 10-digit toll-free number, or a business’s existing ten-digit landline. If you were to receive a text message from an unidentified 11-digit number, the odds are high that it’s a scam.

2. It contains an unexpected message

If a text mentions a product or service you don’t have a recollection of ordering or a situation that doesn’t sound likely, chances are it isn’t.

3. It includes a downloadable file or strange link

Just like spam emails, beware before clicking any links or files in a text from an unknown party.

4. It includes an urgent request to verify personal information

A legitimate business, such as your financial institution, will never ask you to verify personal information via text.

5. It’s too good to be true

Getting congratulated on winning a contest you didn’t enter? Most of us are not quite that lucky!

What to Do to Avoid Becoming a Smishing Victim

At a high level, avoiding smishing scams is simple. Not clicking on links in unfamiliar or unexpected text messages is an easy first step. However, cyber criminals who use smishing scams have a bag of tricks rolled up their sleeves that are intended to get one of following responses: clicking on a link or sending a response (either by phone or text) to the number sending the message.

The best way to check the validity of a message from a business is to call them directly using the number on their website or if it’s a financial institution, the number on the back of your debit or credit card.

Scammers may also try to imitate people you know in an effort to extract information. If you get a text from someone claiming to be your significant other or a new colleague asking for personal information, do not offer any tidbits until you can confirm their identity.

Additionally, keep your smartphone safe by using password protection, and do not share your password.

7 Tips to Avoid Smishing Scams

  • Don’t reply to the text message or call the number even if it says reply YES/NO/HELP
  • Do a web search of both the number and the message content type the number or the message (or both) into a Google search
  •  If the phishing message is spoofing a company, call the company directly
  • Don’t get tempted by “too good to be true” offers or news, such as winning a lottery
  • Don’t click on any links in the message. Most smishing scams are usually a game of emotional manipulation trying to pique your interest enough to get you to click on a link
  • If you receive a fund transfer update through SMS, you should always insist on checking your bank/wallet balance by logging in to your banking website or mobile app directly
  • Don’t ever give your personal details through SMS. Banks, service providers, and telecommunication companies don’t ever ask you for your personal details through text

Scams Involving Money Transfers

We have recently been notified of scams revolving around peer-to-peer payment apps such as Zelle and Venmo.

In one scenario, someone receives a text from a fraudster to alert about a suspicious transaction. Upon receiving a response text declining the transaction from the consumer, the fraudster calls the consumer, pretending to be the fraud department of the financial institution. The fraudster gains access to the consumer’s online banking account by requesting the username and one-time password, which is then used to reset the password. Upon gaining access to the online account, the fraudster registers for Zelle and attempts to send payments.

In another situation, fraudsters may steal credit cards and add them to their Venmo, Zelle, or Paypal account and send out small amounts to numerous people, changing the card on their account to their personal card, and then reach back out to all the people who received the money, stating it was a mistake and asking for it back.

To protect yourself when paying others with a money transfer app, use the following tips:

  • Only transfer money with people you know
  • If someone sends you money by mistake, ask them to cancel the transaction: The sender can request that the vendor cancel the transaction. If the person refuses, it’s probably a scam.
  • Enable additional security settings such as multi-factor authentication, requiring a PIN, or using fingerprint recognition.
  • Link your money transfer app to a credit card. Using a credit card will help protect you if you don’t get the services you paid for. Linking to a debit card or directly to your bank account does not give you added protection.

When used wisely, peer to peer payment services is a fast, easy and secure way to send and receive funds. If you’re not already using it, check out Zelle in our mobile app today!