“Smishing” Self-Defense: How to Prevent Trouble That Comes in Text Messages


Each day about 20 billion text messages are sent to 2 billion smartphone users worldwide. Most of these texts are opened within three minutes, and many within a few seconds.

The massive number of text messages and their rapid-fire response rate (by comparison, only one in four email messages is opened within 10 minutes of arrival) amount to an unbridled opportunity for fraudsters exploiting the du jour device for deception: the handheld computer that also happens to make phone calls, which many of us carry or have nearby 24/7.

Called smishing (named after the short messaging service technology that sends text messages), it’s an attempt to trick you into revealing private information via SMS or text message. Angling for credit and debit card numbers, PINs, usernames and passwords, even Social Security numbers, smishing texts often purport to be from a government agency, your bank or other respected companies. Typical ploys allege a problem with your account; promise free gift cards; offer low-cost merchandise, mortgages and credit cards; or pose as click-bait-like customer satisfaction surveys that lure you to open embedded links or attachments that can also harbor malware. Today nearly half of clicks on malicious URLs are made from mobile devices, more than doubling the long-running rate of 20 percent, notes cybersecurity firm Proofpoint.

Although smishing has been around since the last decade, it’s on the rise and increasingly dangerous. Studies show that the rate of text spam specifically designed to defraud is seven times higher than that of spam arriving by email. And with small screens and the inability to hover a mouse to preview a link, it’s harder to spot text-sent trouble. Your smishing self-defense:

  • Don’t reply to text messages from senders you don’t recognize. Even sending a “remove,” “stop” or “opt-out” response tells SMS senders that your mobile number is active and ripe for more messages. Be especially wary of texts from a 5000 or other shortened number (versus a complete 10-digit phone number), indicating the message is actually an email sent to a phone.
  • Never reply to text messages asking you to confirm or provide personal or financial information. Legitimate companies don’t text requests for account numbers, log-in details and other sensitive data. Government agencies don’t correspond by text (and are unlikely to even have your mobile phone number).
  • Slow down. Most people instinctively deal with text messages ASAP, and smishing scams work best when creating a false sense of urgency. Rather than call back numbers provided in text messages (doing so is another tip-off of your working cell number), take a few minutes to verify the actual contact numbers of legitimate businesses that may need to contact you.
  • Forward suspicious text messages to short code 7726 (which spells “SPAM” on your keypad), which allows cellphone carriers to identify and block smishing messages.
  • Be stingy with your cellphone number. Don’t post it online or on social media, or provide it for contests, surveys, touted “deals” or “free trials.”
  • If you haven’t already, install anti-malware software on your Android phone; some products can also block smishing texts. (Apple’s iPhones have built-in protection.) When you receive a bona fide notification of an upgrade to your phone's software, install it immediately.
  • Keep tabs on your phone bill, looking for suspicious charges, even if you don’t respond to unknown texts.

For information about other scams, sign up for the Fraud Watch Network. You’ll receive free email alerts with tips and resources to help you spot and avoid identity theft and fraud, and keep tabs on scams and law enforcement alerts in your area with our Scam-Tracking Map.

In general, you don’t want to reply to text messages from people you don’t know. That’s the best way to remain safe. This is especially true when the SMS comes from a phone number that doesn’t look like a phone number, such as a 5000 phone number. This is a sign that the text message is actually just an email sent to a phone.

You should also exercise basic precautions when using your phone. Don’t click on links you receive unless you know the person sending them. Even if you get a text message with a link from a friend, consider verifying that the person meant to send the link before clicking on it. A full-service internet security suite isn’t just for laptops and desktops; it also makes sense for your mobile phone. A VPN such as Norton WiFi Privacy is an advisable option for your mobile devices. This will secure and encrypt any communication taking place between your mobile device and the internet on the other end.

Never install apps from text messages. Any apps you install on your device should come straight from the official app store. These programs go through rigorous testing procedures before they’re allowed in the marketplace. Err on the side of caution. If you have any doubt about the safety of a text message, don’t open it.
