Protecting yourself from Smishing
Posted by: Tony Cook
The holiday season is fast approaching and with it comes a ramp-up in holiday-related scams. Among the common techniques focused on holiday shopping, package tracking, and work communication, there’s been a recent rise in smishing (a portmanteau of SMS and phishing). Last year the FTC documented 378,119 fraud complaints about unwanted text messages, an almost 14% increase over 2020 (of course, not all of those complaints were necessarily smishing attempts). This dramatic rise in smishing attacks even eclipsed the number of spam or scam calls reported, and this year is expected to continue the trend.
Unfortunately, smishing is nearly impossible to stop. People are so accustomed to receiving updates on packages, donations, wait times, and much more from unfamiliar numbers that it’s all too easy for scammers to slip through the cracks. This means we must step up our prevention efforts: educate users to think about the texts they receive before clicking any links or responding with any information, and ensure that defense in depth is applied to everything in the environment, since many users now have access to corporate resources from their mobile devices. To assist with that, below are some tips to help you educate and protect your users and avoid falling victim to a smishing scheme.
1. Don’t reply to the text message or call the number
Even if the text message says “text ‘stop’ to stop receiving messages,” never reply. If you are sure the message is coming from a scam number, replying may actually result in more messages being spammed to your phone. The same may be true of calling the number. Often, scammers don’t know whether the numbers they’re sending to are actually active. Responding to the message confirms to them that the number is indeed active, leading them to continue and potentially increase the number of scam messages you receive.
A more effective prevention option is just to block the number outright. Unfortunately, some phones do not include number blocking in the phone’s software. You may need to install a number-blocking app from your phone’s app store or contact your service provider.
2. Do a web search of both the number and the message content
If you’re feeling a bit uneasy that a message may be a smishing scam, type the number, the message, or both into a search engine of your choice. Chances are good that you are not the first person to receive that message, and in many cases you’ll find others posting about it on scam-number reporting websites. However, don’t trust a single negative report or inquiry. Look for numerous others reporting that the suspicious number or message is potentially a scam.
For reference, I tend to get a lot of spam and robocalls. My personal favorite site for this is 800notes.com. When I get a call from a suspicious number, I rely on the site to help vet the number for potential scams or spam.
3. If the smishing message is spoofing a company, call the company directly
Many smishing messages will pretend to be from a well-known company, such as a store or bank. If you believe the message is a scam, instead of calling or texting the number in the message, look up that company’s customer service number on its official website. Contact the company through that number and ask about the message you received. If they confirm that it’s not from them, delete it (and consider blocking both the number that sent the message and the fake number it instructed you to call).
4. Don’t click on any links in the message
All forms of smishing are usually a game of emotional manipulation. Often, scammers don’t need you to overtly give up passwords, PINs, and Social Security numbers. At times, all they need to do is pique your interest enough to get you to click on a link and download a virus to your phone. There’s a good chance that if you did click on a phishing link, your mobile device is already infected. Since the goal of such viruses is often to stay hidden, you may not realize your phone is infected. However, some telltale signs may be:
- Unexpected memory usage
- Phone heating up excessively
- Pop-up messages while using your smartphone web browser
If you did happen to click on a link from a suspected smishing text message, your best option is to install an antivirus app and scan your device. Any virus hiding on your phone could be logging keystrokes and stealing private information, meaning the smishing scam could already have been successful. Still, it’s better to cut it off now, even if you’ve potentially lost valuable information up to this point.
Beyond cleanup, installing an antivirus app can help prevent smishing attacks in the future. A good antivirus app should block future virus installation attempts as well as potentially malicious websites.
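Tips 1, 3 and 4 above can be turned into a simple triage check that a help desk or security team could run over reported messages before a user acts on them. The following is an added example, not code from the original post or from GuidePoint; the brand-to-domain table and the sample messages are constructed for illustration, and the indicator rules are deliberately simple.

```python
import re
from urllib.parse import urlparse

# Constructed sample table of official domains for brands that smishing messages
# commonly impersonate; a real deployment would load the organization's own list.
OFFICIAL_DOMAINS = {"usps": {"usps.com"}, "amazon": {"amazon.com"}, "chase": {"chase.com"}}

URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"]+', re.IGNORECASE)
OPT_OUT_RE = re.compile(r"\b(?:reply|text)\s+['\"]?stop['\"]?", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(?:urgent|immediately|suspended|within 24 hours|final notice)\b", re.IGNORECASE)

def registrable_domain(url: str) -> str:
    """Last two labels of the URL's host, e.g. 'usps.com' for 'https://tools.usps.com/x'."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def triage_sms(text: str) -> list:
    """Indicators found in one message, mirroring the tips above: an embedded link (tip 4),
    a named brand whose link does not go to that brand's official domain (tip 3),
    'text STOP' opt-out bait (tip 1), and urgency language used for emotional pressure."""
    findings = []
    # Strip trailing sentence punctuation that the URL pattern would otherwise swallow.
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    if urls:
        findings.append("contains_link")
    lowered = text.lower()
    for brand, domains in OFFICIAL_DOMAINS.items():
        if re.search(rf"\b{brand}\b", lowered):
            for url in urls:
                if registrable_domain(url) not in domains:
                    findings.append(f"brand_domain_mismatch:{brand}:{registrable_domain(url)}")
    if OPT_OUT_RE.search(text):
        findings.append("opt_out_bait")
    if URGENCY_RE.search(text):
        findings.append("urgency_language")
    return findings

def classify(text: str) -> str:
    """'likely_smishing' if any indicator beyond a bare link, 'review' for a link alone, else 'clean'."""
    findings = triage_sms(text)
    if any(f != "contains_link" for f in findings):
        return "likely_smishing"
    return "review" if findings else "clean"
```

A message that only carries a link to the brand's real domain lands in "review" rather than "clean", matching the advice above to verify through the company's official contact before clicking anything.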
5. Utilize a VPN on your mobile device
One thing that often gets overlooked regarding smishing attacks is the collection of location data. According to internet security company Sophos, cybercriminals are increasingly using location data to better target individuals. Cybercriminals can use that data to send you smishing messages that appear extremely local. If the message seems more personal, it’s more likely to yield a response from victims.
A VPN app could help hide your true location, making it seem like you are somewhere else. If you receive a smishing message based on your spoofed location, it’s much easier to recognize it as a scam. However, more intelligent scammers may just use your phone’s area code to deliver somewhat relevant scams to your phone.
Nevertheless, a VPN can help prevent a cybercriminal from obtaining data from your device. As your data travels from your smartphone across the mobile network, it’s encrypted through the VPN tunnel. A scammer may therefore have a virus installed on your device but be unable to receive any valuable data from it because of the VPN encryption. This can help protect you should you fall prey to a smishing scam that installs a virus on your device, and afford you time to get rid of it effectively.
Tony Cook
Head of Threat Intelligence, DFIR,
GuidePoint Security
Tony Cook is the Head of Threat Intelligence on GuidePoint Security’s consulting team, where he manages digital forensics and incident response engagements on behalf of the company’s customers. His career background includes high-level national security activities in cybersecurity operations for several clients over various verticals.
Previously, Tony was a DFIR Director and led the Threat Intelligence team at Palo Alto/The Crypsis Group. Before that, he was a principal consultant for RSA NetWitness, where he managed teams of consultants responding to incidents, hunting advanced persistent threats, penetration testing, and helping clients harden their networks against attack. During his time at RSA he helped several SOCs mature their threat hunting capabilities from non-existent to fully established, successful hunt teams.
Additional experience includes being the Cybersecurity Operations Architect and IR Director at the network security operations center of the Space and Naval Warfare Systems Center (SPAWAR), and as a Malware Analysis and Digital Forensics officer at the Naval Cyber Defense Operations Command.
Tony has also managed forensics and incident response at the U.S. Joint Forces Command and has worked as a security engineer for Raytheon at NASA’s Langley Research Center. He began his career with the Navy, where he served as lead system administrator on the USS Enterprise. He holds a bachelor’s degree in information security from Colorado Technical University, as well as a broad range of certifications in IT security.